Big Tech's role in enabling link fraud – take 2 (eligrey.com)
I posted an earlier draft of this article to Hacker News 4 months ago which was well received [1], but it didn't garner much discussion around the core issue.
Dialog around link fraud complacency was likely sidetracked due to a lack of real-world examples to better illustrate the technical problem at hand. To better illustrate the issue, I've added an examples section citing over 20 cases of link fraud on Google Search, Bing, and X.
I hope that this thread can spark a meaningful dialog around law and security as it pertains to Big Tech's role in enabling link fraud. Society can overcome this issue through concerted efforts to raise awareness and enforce existing legislation.
54 comments
[ 3.7 ms ] story [ 101 ms ] threadDo you not like typo domains? Ads? URL shorteners? What do you want "Big Tech" to solve for you?
For what its worth at least some of your examples have simpler explanations like a user being confused that a website can both be the first search result and a sponsored link at the same time.
Let's say I've built a version of Firefox that sends your cookies back to me, and now I want to distribute it. I can set up a phishing page, then buy an ad on Google that shows https://www.mozilla.org/firefox/ instead of my URL.
This has already happened with GIMP [1], and I suppose many other opensource / freeware apps, too. This is just one example of an attack this “feature” makes possible.
[1]: https://www.bleepingcomputer.com/news/security/google-ad-for...
When following a link that did claim to go somwhere, but then does not, add a warning page?
Then feed those cases to some cetral database to blame the worst offenders for bad publicity.
Getting the big ad networks to behave won't solve the problem only reduce it. Only local mechanisms can avoid it.
These ad networks are playing the victim by tying their hands behind their back and refusing to do anything about the issue that they created. They all support link spoofing while simultaneously declaring policies that they don't effectively enforce.
As a result, I believe that these advertisers are effectively complicit with the fraudsters that "abuse" them.
The fact they don’t is clear evidence they prioritize their own profits over the harm they directly cause. A fact that should surprise no one.
This continues to be a problem; from the article, see eg this ad for Bitwarden:
https://x.com/KarlEmilNikka/status/1792554054893072672
Google allows the attacker to target navigational queries (in this case, bitwarden) and display "www.bitwarden.com" as the link text on a link that does not actually go to www.bitwarden.com .
The root cause is Google are parasites that (1) monetize navigation / install queries; and (2) force you to buy ads on your own company's name [1]. This opens the gate to attacks like the above, which they also don't effectively police.
[1] https://nymag.com/intelligencer/2019/03/why-businesses-have-...
More than that, you have to be ever vigilant, which is not a resonable expectation for anyone. It only takes one lapse at the wrong moment.
A related point is also that the web itself is losing its diversity. Whatever happened to the small dude's wordpress blog, why are they no longer turning up in the search results as much as reddit, quora, etc? What happened to the IRC, news letters, bulletin boards and forums (phpBB), etc? No doubt some of these sites are also thriving on the backend somewhere but Google's step-motherly treatment towards them in the results is surely hurting the web's diversity.
We will never get that Web back. That innocence, naivety, hope and shared and private space is long lost.
Both prove that it is very much possible to come up with better rankings than Google do.
Googles problem very much seems to be that quote by Upton Sinclair that “It is difficult to get a man to understand something, when his salary depends on his not understanding it.”
search.marginalia.nu and kagi.com have nothing to gain by sending people to websites that result in ad impressions for Google so for them it is a whole lot easier to rank fairly.
Also without this incentive it turns out that the feature everyone asked Google for - personalized blocklists - wasn't as impossible as googlers have told us over the years.
I've been trying out https://www.mojeek.com/ recently. I mostly like it, but haven't made it my primary habit to use it first before duckduckgo.
I'm avoiding kagi for various reasons.
Because they might contain "fake news" and are thus too problematic to show to you. And of course, they don't make any profit for Google since those kinds of sites are largely ad-free.
The sites are of course still out there, Google et al. just don't want to show them to you.
The language about how the tech companies are complicit, have a negative effect on society etc is dramatic. I think more focus on the mechanics of the fraud and how it works and less ideology would make the piece more credible. If the article makes it very clear how companies are screwing up, the reader will make those judgments on their own.
Often it's more like youtue.com, something the user is unlikely to notice as a slight deviation from the expected URL
I do also see the occasional Bitcoin links and other linkspam on IG as well.
Edit: Dear downvoters, is this a threat to your precious growth hack, or?
If Meta's advertising network does not enforce domain ownership verification, then it is fundamentally vulnerable to the same problem described on this blog post.
Sampled URL resolution cannot prove anything about a URL.
Reminder for adtech company employees in this thread: If you suspect a crime has taken place (e.g. if you have seen internal documentation showing that potential profit outweighed the security benefit of actually enforcing a policy), you can blow the whistle to regulators.
THe problem is, allegedly, that ad platforms allow displaying on their ad a domain they don't own. For example, you can have ad that displays the link text "mozilla.org" while the link actually directs to "scam-mozilla.org"
Names are notoriously a weak spot when it comes to software. So many attacks converge on tampering with the referential integrity of names. It has been a problem for decades.
Trust, by contrast, is a deeply human thing. We have been deciding who to trust and who not to for millennia. Those instincts though, they don't work for domain names. They work for humans, and a domain name is a lousy proxy for a trustworthy human.
So these "vanity URLs", or "link fraud" as the author puts it, are a reminder that defending the trustworthiness of a domain name is a rather awkward position to be in. And I'm proposing that we find a different position to defend, rather than digging in where we are.
ICANN domain names are one of the rare type of names that are actually globally uniquely assigned.
Your point about trademarks is also valid.
In the end EV certs only pushed the name verification issue from one protection racket (ICANN) to another protection racket (EV certs providers) without actually providing much additional security. I'm glad that they are gone.
Looking at the examples this reminds me of the domain name "industry"; most recently, ICANN's "new gTLDs".
For example, eligrey.com includes an example showing that someone is running Trader Joes ads on Google but the advertiser isn't Trader Joes. The intentional design of Google's Search Ad system allows the ad to appear as if it has been purchased by Trader Joes.
This is how ICANN drummed up "business" that would otherwise not exist. Let's say ACME Company has not paid ICANN money for a domain name or gTLD; it has no interest. ICANN then asks, "Who wants to register a domain name that is confusingly similar to ACME Company?" ICANN knows the internet is full of low lifes who will readily carry out such scams. These are ICANN's customers. This is turn puts pressure on ACME to respond. They may pay an ICANN-approved registry for a domain name. Or they might pay some third party ICANN-approved "UDRP provider" to address the problem. Perhaps ICANN takes a cut of the registry or UDRP fees. None of these payments were necessary until ICANN decided to facilitate scams.
It's also how Google drums up "business" for its ad sales racket. ACME may have no interest in purchasing Search ads. But Google knows the internet is full of SEO and adtech scammers. These are its customers. This in turn puts pressure on ACME to respond. They may be more inclined pay Google for Search ads. If ACME Company is not interested in buying Google Search Ads then there should be no search ads for ACME. But that is not how the system is intentionally designed.
Most if not all of the so-called "tech" companies run this routine in some form. It is like a billboard that no one is interesting in using, so the billboard company fills it with something like "Your competitor's ad goes here". Nothing wrong with this in the real world except in the case of so-called "tech" companies the competitor is allowed to use your company's name on the billboard to make it appear you paid for the ad. The idea is that if no one is interested in paying to advertise on the billboard for offensive purposes, the billboard company believes it play on peoples' fears and pressure them to spend money defensively. In the case of so-called "tech" companies, there is no problem finding scammers who will pay. The internet is full of them.
Yes, Big Tech is "enabling link fraud". It generates revenue. It is intentional to allow it.
> It is like a billboard that no one is interesting in using, so the billboard company fills it with something like "Your competitor's ad goes here".
Here I disagree, that example is qualitatively different and would be totally legitimate if the competitor put a regular ad there.
Well, unless the billboard is on your company's building or something, then it might be misleading.
I suppose this is some kind of ploy to keep URL shorteners happy (they get link traffic from Twitter; Twitter users get to see what’s behind the shortener), but the result is unabashedly bad for the users as the true link target is hidden.
End-users might sue them too, but Google is more afraid of Disney suing them than random nobody
Google etc could very easily fix this but they just don't want to, likely because the scammers are bringin in a lot of money.
The problem here is that Google claims immunity on being a platform. "It's not use doing the trademark infringement, it's General-ScamCo"
And as it stands right now, US law is quite favourable to that defense. Even when in reality, it's obvious that advertising platforms are Publishers. That they not only make editorial decisions, but that making those decisions is the entire fucking point of them.