Quoting the last sentence of the article:
Ah, truer words have never been spoken.
It is frustrating to know that there's a lot of folk out there who will never heed this advice with the mindset of "it'll never happen to me", and then guess who it happens to?
On top of that I know quite a few people who will never ever properly read what is displayed on the screen in front of them and this is why scams like this can be effective... Ugh.
I'm protected by Just World Fallacy™ antivirus
Perhaps, but let me try anyway:
Why are you even allowed to buy an ad for a domain without control of that domain? Google already confirms domain ownership for things like Adsense and analytics. Why not just expand that feature to the actual advertisers? Is there any legitimate reason to be able to advertise a domain you don’t own?
I'm surprised as well. I suppose the company being advertised for is often a third party in a sense, paying someone else to set up their ad campaigns.
That makes sense, but I’d still expect a “Request permission” flow from the advertising agency side that then pings the authorised Adsense / Analytics / Workspace domain owner to hit OK before allowing the campaign. Or a proper OAuth flow if there’s incentive to be more cross-platform about it, actually.
Either way, some kind of delegation rather than just taking it on trust would definitely be standard practice here. Although I’m guessing there’s a fairly strong incentive to minimise friction in flows that explicitly make money, so even if there was never a smoking gun “don’t verify” decision made, there were probably guidelines and metrics about absolutely not adding additional clicks to the process…
It's entirely conceivable that it has this, but at the scale of an org like HP, it's literally just noise. Some unlucky middle manager in marketing has the job of clicking "yes" on the fifty new campaigns the subcontractors are starting today, and they absolutely are not going to do enough validation to see that today's batch is 49 real ads and a scam.
That's a good point actually, too many notifications can be almost as bad as too few in a situation like this.
Money. They pay money, Google sees money, Google accepts. The same goes for Facebook (Meta) and probably many others. They want money and they don't care if it's scam or if the message on the banner is true or not. I see it every single day and there is no sign of getting better.
This isn't really true. Metoogle very much want their ads to be trustworthy and of good quality because that makes more people click on them and clicks are worth way (WAY) more than views. Yes, it is ultimately all about money for them but getting a reputation for serving scammy shit is bad for the bottom line. The game of whack a mole with the bot powered armies of scammers is so fast moving that it makes it extraordinarily hard to effectively police though.
From my limited point of view all it takes is a person, real person, to review the ads before accepting them. I see scams on Facebook all the time, many times with the same headline - the same freakin' headline! Or they simply take a fake identity... Any real person (who knows just a tiny bit about internet security - the person like me or other people here on Tildes) would identify this even if they were half-blind! But an automated system is cheaper to run and it works to their liking - it accepts more ads than a real person would do, part of it is it accepts scam as well as normal ads.
The credibility you are talking about is surely important for them, but let's face it - Google and Meta (and possibly others) have absolute domination, they get all the clicks anyway, they don't care about being 100% trustworthy anymore, they don't need to, they already have their worldwide army of 100% hooked users. Money, it all starts and ends there for them.
Actually Incorrect. Quality of ad doesn't matter, dark patterns and scammy tactics work better at getting users to click ads. "Hot Milfs in your area" gets clicks, despite being fake.
Quality takes time and effort, something capitalists despise doing.
Yet more evidence that blocking ads is not just for convenience, but also important for security. If Google wants to continue their push to kill ad blockers they at least need to be protecting users from the malicious ads. Really they should be doing it either way, but it's even more important as they try to take away the tools to protect yourself. I don't really see them giving a shit unless they start being legally liable for promoting scams though.
I will give the scammers that this is a rather creative idea for a scam though. I never would've thought to leverage failed search results as a way to inject text. I originally thought this would be another URL burying scheme (like where you hide the real URL deep in a complex URL). Sadly it not being means it wouldn't be relevant for me to go into my "domain names are backward!" rant.
Please do elaborate, I’m intrigued :-)
Oh, this is an old complaint. URLs in general are least-to-most specific:
https¹://example.com²/path³/file.html⁴?query=param⁵#fragment⁶
1. Scheme, i.e. "this is a website"
2. Host, i.e. "this is the...
3. Path, i.e. "this is the directory within the site the page I'm looking at is contained in"
4. The page name itself.
5. Query parameters which modify the specific page.
6. A fragment (or sometimes "anchor") referring to a specific spot within the page.
However, domain names are most-to-least specific:
sub.domain³.example².com¹
1. .com is the top-level domain (TLD), and it's the most general part, as can be seen by the fact that it's present in the vast majority of domain names.
2. example in this example refers to the specific site, and is the most general level that a registrant can register. (Modulo handwaving about "brand" TLDs like .google, which are mostly a bad idea, and multi-part TLDs like .co.uk, which are also mostly a bad idea, but for very different reasons.) This is called the "second-level domain", which is not at all confusing for domains under e.g. .co.uk.
3. sub and domain are subdomains, which are under the complete control of the registrant. In principle you can do whatever you want with subdomains under a domain you control, but in practice, they pretty much always continue the most-to-least specific pattern of subdomain/2LD/TLD.
This major component being in reverse order of the greater structure in which it is embedded is definitely inconsistent, and… plausibly?… confusing, but at this point it's been that way for literally more than thirty years and isn't going anywhere.
Interestingly, you can see the other order in e.g. some programming languages; the fully-qualified class name of Apache Commons's OrderedMap is org.apache.commons.collections4.OrderedMap, which is least-to-most specific and starts with the TLD org. (Note that the FQCN prefix isn't actually a domain name, so it's not literally the TLD org, but putting your packages under your organization's primary domain name in reverse component order is a nigh-universal convention.)
Exactly this, although my rant would include that it being confusing is the source of security problems. Humans don't do great at immediately finding the real right spot even if they know it. "Last period before the first character that is either a forward slash or question mark" isn't intuitive in the first place.
A super basic example is that https://help.amazon.com.this-a-long-subdomain-trying-to-hide-that-this-is-actually.malice.zip/more-stuff/to-hide-the?real=domain doesn't work when reversed because it would've started with https://zip.malice rather than https://com.amazon.
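Added example, not part of any comment in the thread: a short JavaScript check that finds the registrable domain of a URL and renders the host in least-to-most specific order, run on the URL quoted above. The suffix set and the function names (registrableDomain, reversedHost, describe) are assumptions of this example; real code should use the full Public Suffix List.

```javascript
// Constructed, deliberately tiny suffix set (an assumption of this example);
// production code should load the full Public Suffix List instead.
const SAMPLE_SUFFIXES = new Set(["com", "zip", "uk", "co.uk"]);

// Registrable domain = longest known public suffix plus one label to its left.
function registrableDomain(hostname) {
  const labels = hostname.toLowerCase().replace(/\.$/, "").split(".");
  for (let i = 0; i < labels.length; i++) {
    if (SAMPLE_SUFFIXES.has(labels.slice(i).join("."))) {
      return i === 0 ? null : labels.slice(i - 1).join(".");
    }
  }
  return null; // suffix not in the sample set
}

// Least-to-most specific rendering of a hostname, the order the thread asks for.
function reversedHost(hostname) {
  return hostname.toLowerCase().split(".").reverse().join(".");
}

// Report who really controls a URL, and flag it when brandDomain is visible in
// the authority part (userinfo or subdomain labels) but is not the registrant.
function describe(url, brandDomain) {
  const u = new URL(url); // WHATWG parser separates userinfo, host, path, query
  const registrable = registrableDomain(u.hostname);
  const visible = [u.username, u.hostname].filter(Boolean).join(".").toLowerCase();
  const mentionsBrand = `.${visible}.`.includes(`.${brandDomain}.`);
  return {
    hostname: u.hostname,
    registrable,
    reversed: reversedHost(u.hostname),
    lookalike: mentionsBrand && registrable !== brandDomain,
  };
}

// The first URL is the one quoted in the thread; the others are constructed.
const samples = [
  "https://help.amazon.com.this-a-long-subdomain-trying-to-hide-that-this-is-actually.malice.zip/more-stuff/to-hide-the?real=domain",
  "https://help.amazon.com/constructed/path",
  "https://amazon.com@malice.zip/constructed",
];
for (const s of samples) console.log(describe(s, "amazon.com"));
```

The multi-part entry co.uk in the sample set is why "text after the last period" alone is not enough to find the registrant.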
I occasionally get spam messages from PayPal due to this sort of field injection. Someone requests money from your email address, puts a fake business name and an invoice amount, so PayPal happily sends you an email saying "Creative Business Innovations LLC is requesting $1207.32." Which most people will be suspicious of, because they probably didn't drop a thousand dollars at an unfamiliar company.
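What the scammer does next is populate the message field with something like this:
Don't recognize this order? Contact PayPal Support immediately at (555) 555-5555. If you do not reach out, we will proceed with the transaction.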
The phone number, of course, is the scammer.
The giveaway of how it works is there's bold text saying "Note from {business name}:" before that message. But people gloss over it, and connect the common pattern of text about calling a number to resolve something to the authenticity of the sender.