Facebook was ordered by a Dutch court to remove false advertisements that link Big Brother creator John de Mol to Bitcoin-related investments or pay up to US$1.2 million in fines.
How did things get there? Last June, de Mol sued Facebook over its failure to stop showing fraudulent ads that featured him and other celebrities. The fake ads tried to entice Facebook users to invest in Bitcoin with a company that the mogul supposedly supported. The said ad, which is no longer shown, siphoned off about US$1.9 million worth of investment from Facebook users.
The media mogul also asked Facebook to give him details about the scammers so he can implement the necessary security measures to prevent the same thing from happening again.
Scammers often use famous individuals or celebrities to gain the trust of their potential victims. In this particular case, de Mol and other local celebrities' influence was abused to entice users to take part in the scam. Scammers also put their ads on Facebook because of its vast reachable audience for advertising purposes.
Facebook users, for their part, trusted the ads because they believed Facebook filtered malvertisements. But as it turned out, the fraudulent ads managed to bypass the social media platform's built-in filtering measures.
As the above case illustrates, even large sites and platforms allowing online advertising are at risk of unknowingly taking part in scams. Spotting malvertisements is, however, doable via URL filtering aided by domain monitoring tools like WHOIS API. With strict advertising screening processes and filtering tools in place, site owners can help protect their visitors against fraud.
Our Investigative Tools: WHOIS API and Others
As a social media giant, we are pretty sure Facebook has a screening process for advertisers. If not done already, it can improve security by integrating WHOIS data into its screening system. In fact, WHOIS API can provide extensive information on the owner of a domain traced to ads.
In this particular case, we ran a search on a domain that could be tied to a Bitcoin ad-biturcoin[.]com (note that this is a randomly chosen malicious domain not connected to the case presented above). The results show when the domain was created, among other points:
As it turns out, the domain is new, only 113 days old (at the time of writing). Generally, fraudsters are known for registering several new domains every time they launch a campaign.
It was also anonymously registered. While this is not a sure sign of ties to malicious activity, cybercriminals often abuse private registration as a means to evade identification in case the domains are subject to an in-depth investigation.
The data from WHOIS API also revealed the domain's registrar. In the case of biturcoin[.]com, that is Super Privacy Service Ltd. c/o Dynadot, LLC. While registrars may not necessarily have connections to the attackers, this particular one has links to several domain disputes.
Given the information we obtained, a site owner should probably disallow an ad redirecting to this domain, or, at the very least, run a thorough background check. Considering the reputation of the registrar, it may be a good idea to monitor the domains it administers and sells to interested parties.
---
Malvertisements are conventional means by which victims get tricked, but these aren't unavoidable, though, as our demonstration shows. Site owners that want to prevent their visitors from becoming fraud victims can use WHOIS API to spot potentially harmful ads. Besides its API form, the WHOIS service is also available as a command-line tool or as part of our Domain Research Suite dashboard that enables online investigations.
About the Author
Jonathan Zhang is the founder and CEO of Threat Intelligence Platform (TIP)-a data, tool, and API provider that specializes in automated threat detection, security analysis, and threat intelligence solutions for Fortune 1000 and cybersecurity companies. TIP is part of the WhoisXML API family, a trusted intelligence vendor by over 50,000 clients.
