Hacker News
Big Tech's role in enabling link fraud – take 2 (eligrey.com)
101 points by Sephr 7 months ago | hide | past | favorite | 51 comments
I posted an earlier draft of this article to Hacker News 4 months ago which was well received [1], but it didn't garner much discussion around the core issue.

Dialog around link fraud complacency was likely sidetracked due to a lack of real-world examples to better illustrate the technical problem at hand. To better illustrate the issue, I've added an examples section citing over 20 cases of link fraud on Google Search, Bing, and X.

I hope that this thread can spark a meaningful dialog around law and security as it pertains to Big Tech's role in enabling link fraud. Society can overcome this issue through concerted efforts to raise awareness and enforce existing legislation.

1. https://news.ycombinator.com/item?id=39003929




This happened with me when I went to download the OpenAI app on the Google Play Store. The top, advertised result for the in-store search was an advertisement for a fake app with an icon almost identical to the real thing. It had thousands of (botted) reviews so it looked legitimate and I installed it. I'm a programmer / lifelong techie but I just didn't expect this could happen in this day and age. I felt silly but also kind of angry.


This is basically encouraged by the Apple Appstore and Playstore because they sell those spots for money, and it's an obviously easy way to make an app that will generate revenue for the scammer and the store.


It will be hard to prove this in court. But it should be easy to show that they are not doing enough to prevent it, when even the popular apps have fake clones shown on top.


For take 3 consider explaining exactly what the issue is that you are upset about. This appears to be just a few generic definitions of what URL shorteners are and some links to a Twitter thread of random articles about URL spoofing.

Do you not like typo domains? Ads? URL shorteners? What do you want "Big Tech" to solve for you?

For what it's worth, at least some of your examples have simpler explanations, like a user being confused that a website can both be the first search result and a sponsored link at the same time.


This isn't about URL shorteners at all. The issue is a particular “feature” of major ad platforms: in your ad, you can show a link on a domain that you don't own.

Let's say I've built a version of Firefox that sends your cookies back to me, and now I want to distribute it. I can set up a phishing page, then buy an ad on Google that shows https://www.mozilla.org/firefox/ instead of my URL.

This has already happened with GIMP [1], and I suppose many other opensource / freeware apps, too. This is just one example of an attack this “feature” makes possible.

[1]: https://www.bleepingcomputer.com/news/security/google-ad-for...


Thanks for stating it clearly. I read the article quite a long way and didn't get it.


Agree, the original article could benefit from a concrete "explain like I'm five" example.


While advertisers are abusing some mechanism, isn't the underlying issue that browsers allow that to happen?

When following a link that did claim to go somewhere, but then does not, add a warning page?

Then feed those cases to some central database to blame the worst offenders for bad publicity.

Getting the big ad networks to behave won't solve the problem only reduce it. Only local mechanisms can avoid it.


Here we are not talking about a "real hyperlink". Ads are just showing the vanity URL, very much like they could show some text or image. Browsers cannot protect users if they click on something that resembles a link without being one.


I would suggest putting a sentence like “google ads can show a trustworthy/trademarked url (such as YouTube.com) but if the user clicks, the link actually goes to evilscam.com” in the first paragraph. I didn’t understand that this might be what the article is about until clicking through to the examples and still felt uncertain about it until reading the comments here.

The language about how the tech companies are complicit, have a negative effect on society etc is dramatic. I think more focus on the mechanics of the fraud and how it works and less ideology would make the piece more credible. If the article makes it very clear how companies are screwing up, the reader will make those judgments on their own.


> but if the user clicks, the link actually goes to evilscam.com

Often it's more like youtue.com, something the user is unlikely to notice as a slight deviation from the expected URL


Yeah they made the classic mistake of writing an article using the kind of manipulative rhetoric that typically works on 100 IQ people, and then sharing it with Hacker News.


The first example provided explains the situation exactly - a link that google shows as going to gimp.org in fact takes the user to scam.com (or whatever). Is the "manipulative rhetoric" you're referring to an expectation that a reader actually read the article?


Are you referring to one of the many twitter links? I didn’t see that in the article itself.


When you search for an app, Google will happily allow attackers to buy that result and direct mislabeled links to the attackers' site. A former CEO got his laptop owned that way trying to install Adobe Acrobat because he unfortunately trusted Google and thought the first result for a search for Adobe Acrobat would be legit. I was quite annoyed about having to clean up his laptop but you have to be relatively sophisticated not to get taken in.

This continues to be a problem; from the article, see eg this ad for Bitwarden:

https://x.com/KarlEmilNikka/status/1792554054893072672

Google allows the attacker to target navigational queries (in this case, bitwarden) and display "www.bitwarden.com" as the link text on a link that does not actually go to www.bitwarden.com .

The root cause is Google are parasites that (1) monetize navigation / install queries; and (2) force you to buy ads on your own company's name [1]. This opens the gate to attacks like the above, which they also don't effectively police.

[1] https://nymag.com/intelligencer/2019/03/why-businesses-have-...


> you have to be relatively sophisticated not to get taken in

More than that, you have to be ever vigilant, which is not a reasonable expectation for anyone. It only takes one lapse at the wrong moment.


Should searching for "legit software" and clicking on the first result which displays www.legitsoftware.com in it in fact take you to legitsoftware.com? You'd think so except Google likes money.


Not the OP but I think Google search has started losing its organic nature in the sense that the top results are slowly and steadily consolidating into a handful of social network domains (other big techs mostly).

A related point is also that the web itself is losing its diversity. Whatever happened to the small dude's wordpress blog, why are they no longer turning up in the search results as much as reddit, quora, etc? What happened to the IRC, news letters, bulletin boards and forums (phpBB), etc? No doubt some of these sites are also thriving on the backend somewhere but Google's step-motherly treatment towards them in the results is surely hurting the web's diversity.


I think the sheer volume of "recent" content that happens on those platforms absolutely dwarfs anything that anyone creates on their own time and private platform. For every 1 person writing their thoughts or findings on a blog, you have maybe 10 thousand people making low-effort FB, Reddit, Instagram, TikTok postings. These people might as well be low-IQ "bots" and the platforms love them because they drive engagement, eyeballs, clickbait, rage and controversy.

We will never get that Web back. That innocence, naivety, hope and shared and private space is long lost.


Try search.marginalia.nu (free) or kagi.com (paid).

Both prove that it is very much possible to come up with better rankings than Google do.

Google's problem very much seems to be that quote by Upton Sinclair that "It is difficult to get a man to understand something, when his salary depends on his not understanding it."

search.marginalia.nu and kagi.com have nothing to gain by sending people to websites that result in ad impressions for Google so for them it is a whole lot easier to rank fairly.

Also without this incentive it turns out that the feature everyone asked Google for - personalized blocklists - wasn't as impossible as googlers have told us over the years.


I didn't know about Marginalia, thanks!

I've been trying out https://www.mojeek.com/ recently. I mostly like it, but haven't made it my primary habit to use it first before duckduckgo.

I'm avoiding kagi for various reasons.


https://wiby.me/ is also a good search engine for (re-)discovering the alternate (or rather original) web.


> why are they no longer turning up in the search results as much as reddit, quora, etc?

Because they might contain "fake news" and are thus too problematic to show to you. And of course, they don't make any profit for Google since those kinds of sites are largely ad-free.

The sites are of course still out there, Google et al. just don't want to show them to you.


The key issue brought up in my article is that ad networks are choosing to allow advertisers to defraud the public.

These ad networks are playing the victim by tying their hands behind their back and refusing to do anything about the issue that they created. They all support link spoofing while simultaneously declaring policies that they don't effectively enforce.

As a result, I believe that these advertisers are effectively complicit with the fraudsters that "abuse" them.


You are correct and they absolutely are complicit. They have a fool-proof solution they refuse to implement: remove the feature until they can solve the problem another way.

The fact they don’t is clear evidence they prioritize their own profits over the harm they directly cause. A fact that should surprise no one.


This is why ad blockers are absolutely essential, and any browser vendor that says otherwise should be avoided at all costs.


I work for Meta. Do you have any examples of this on Meta platforms? (Facebook/Instagram?)


I haven't been able to confirm with any certainty that Meta enforces domain ownership verification but I would love to see a confirmation that Meta does indeed do this or plans to do so in the future.

If Meta's advertising network does not enforce domain ownership verification, then it is fundamentally vulnerable to the same problem described on this blog post.

Sampled URL resolution cannot prove anything about a URL.


rsweeney21: give this man some test ad credits


I'd rather Meta just clearly stated if they require domain ownership verification when spoofing links. Lack of this (or similarly effective) protection mechanism enables automated link fraud.

Reminder for adtech company employees in this thread: If you suspect a crime has taken place (e.g. if you have seen internal documentation showing that potential profit outweighed the security benefit of actually enforcing a policy), you can blow the whistle to regulators.


The person you were replying to probably does not know the answer. They can probably route you to the right person once you know though.


Maybe have them look at how many "Breastfeeding" videos I get on FB. Seriously, I hardly ever log-in anymore, but when I do and no matter how much I report or "hide" that content, I keep getting it. It looks to be link/page farms from Asia and India that create them with generic sounding names.


Yes, not link fraud but pure, unadulterated self-promo spam in IG comments along the lines of "I subscribed to this account and no regrets, it's all I need! Laughs every day!" constantly pinned at the top.

I do also see the occasional Bitcoin links and other linkspam on IG as well.

Edit: Dear downvoters, is this a threat to your precious growth hack, or?


You're being downvoted because your complaint is unrelated to the post topic. It's about scam ads masquerading as linked to trusted domains (an ad that shows it links to "adobe.com", but actually takes you to scamsite.com when you click it).


FWIW, I downvoted because of the complaint about downvotes.


Why don't the affected brands - who are being hurt by this - sue Google?

End-users might sue them too, but Google is more afraid of Disney suing them than random nobody


The affected brands don't care that much. The individual falling for the scam is the victim. They might get angry at the brand, but at the same time they understand that they actually got scammed by someone else.

Google etc. could very easily fix this but they just don't want to, likely because the scammers are bringing in a lot of money.


It's a questionable lawsuit.

The problem here is that Google claims immunity on being a platform. "It's not us doing the trademark infringement, it's General-ScamCo"

And as it stands right now, US law is quite favourable to that defense. Even when in reality, it's obvious that advertising platforms are Publishers. That they not only make editorial decisions, but that making those decisions is the entire fucking point of them.


Besides the content of the ads, Google also chooses to place them in front of the search results and style them so that they are barely distinguishable from genuine results. They are also clearly profiting from this.


One of the tweets (https://x.com/obtusatum/status/1755182704809635980?s=46&t=Gx...) suggests one way this can happen: a fraudster sets up a server which returns a 302 for the Twitterbot user agent to an innocent domain (here, amazon.com), but directly shows malicious content for other user agents. For whatever reason, Twitter decides that the 302 target domain should be used for the preview, but clicking on the link goes to the original site.

I suppose this is some kind of ploy to keep URL shorteners happy (they get link traffic from Twitter; Twitter users get to see what’s behind the shortener), but the result is unabashedly bad for the users as the true link target is hidden.
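As an added example (not code from the article or from anyone in this thread), here is the check that the "domain ownership verification" comment above asks for, combined with the multi-User-Agent resolution this comment implies: an ad passes only if the displayed host equals the landing host under every User-Agent tried. All hosts and responses are constructed in a fake fetcher; `scam.example` is a placeholder, and the single-sample run shows why resolving a URL once proves nothing.

```python
from urllib.parse import urlparse

# Constructed stand-in for the web (no real hosts are contacted): the scam landing
# page answers the link-preview bot with a 302 to an innocent domain and serves its
# own page to every other User-Agent, the pattern described in the tweet above.
FAKE_WEB = {
    "https://scam.example/dl": {
        "Twitterbot/1.0": (302, "https://www.amazon.com/"),
        "*": (200, None),
    },
    "https://www.amazon.com/": {"*": (200, None)},
    "https://www.bitwarden.com/": {"*": (200, None)},
}

REDIRECT_STATUSES = {301, 302, 303, 307, 308}


def fake_fetch(url, user_agent):
    """Return (status, Location header) as an HTTP client with this UA would see it."""
    responses = FAKE_WEB.get(url, {"*": (404, None)})
    return responses.get(user_agent, responses["*"])


def resolve(url, user_agent, fetch=fake_fetch, max_hops=10):
    """Follow redirects under one User-Agent and return the final landing URL."""
    for _ in range(max_hops):
        status, location = fetch(url, user_agent)
        if status in REDIRECT_STATUSES and location:
            url = location
            continue
        return url
    raise RuntimeError("too many redirects")


def host_of(url):
    return (urlparse(url).hostname or "").lower()


def display_matches(display_url, landing_url):
    """Policy check: the host an ad displays must be the host the click lands on.
    Matching on registrable domain (eTLD+1) would need the Public Suffix List;
    this constructed check compares exact hosts, the stricter of the two."""
    return host_of(display_url) == host_of(landing_url)


def check_ad(display_url, destination_url, user_agents, fetch=fake_fetch):
    """Resolve the destination under every listed User-Agent.

    The ad passes only if every resolution lands on the displayed host AND all
    User-Agents agree on the landing URL; disagreement is flagged as cloaking."""
    finals = {ua: resolve(destination_url, ua, fetch) for ua in user_agents}
    cloaked = len(set(finals.values())) > 1
    ok = not cloaked and all(display_matches(display_url, f) for f in finals.values())
    return {"ok": ok, "cloaked": cloaked, "finals": finals}


if __name__ == "__main__":
    # Sampling with the preview bot alone accepts the scam ad; a second UA exposes it.
    print(check_ad("https://www.amazon.com/", "https://scam.example/dl", ["Twitterbot/1.0"]))
    print(check_ad("https://www.amazon.com/", "https://scam.example/dl",
                   ["Twitterbot/1.0", "Mozilla/5.0"]))
```

Fetching with several User-Agents narrows the gap but does not close it (a server can key on IP range or timing just as well), which is why the exact-host rule at ad-review time, not post-hoc sampling, is the check that actually matters.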


"To better illustrate the issue, I've added an examples section citing over 20 cases of link fraud on Google Search, Bing and X."

Looking at the examples this reminds me of the domain name "industry"; most recently, ICANN's "new gTLDs".

For example, eligrey.com includes an example showing that someone is running Trader Joe's ads on Google but the advertiser isn't Trader Joe's. The intentional design of Google's Search Ad system allows the ad to appear as if it has been purchased by Trader Joe's.

This is how ICANN drummed up "business" that would otherwise not exist. Let's say ACME Company has not paid ICANN money for a domain name or gTLD; it has no interest. ICANN then asks, "Who wants to register a domain name that is confusingly similar to ACME Company?" ICANN knows the internet is full of low lifes who will readily carry out such scams. These are ICANN's customers. This in turn puts pressure on ACME to respond. They may pay an ICANN-approved registry for a domain name. Or they might pay some third party ICANN-approved "UDRP provider" to address the problem. Perhaps ICANN takes a cut of the registry or UDRP fees. None of these payments were necessary until ICANN decided to facilitate scams.

It's also how Google drums up "business" for its ad sales racket. ACME may have no interest in purchasing Search ads. But Google knows the internet is full of SEO and adtech scammers. These are its customers. This in turn puts pressure on ACME to respond. They may be more inclined to pay Google for Search ads. If ACME Company is not interested in buying Google Search Ads then there should be no search ads for ACME. But that is not how the system is intentionally designed.

Most if not all of the so-called "tech" companies run this routine in some form. It is like a billboard that no one is interested in using, so the billboard company fills it with something like "Your competitor's ad goes here". Nothing wrong with this in the real world except in the case of so-called "tech" companies the competitor is allowed to use your company's name on the billboard to make it appear you paid for the ad. The idea is that if no one is interested in paying to advertise on the billboard for offensive purposes, the billboard company believes it can play on people's fears and pressure them to spend money defensively. In the case of so-called "tech" companies, there is no problem finding scammers who will pay. The internet is full of them.

Yes, Big Tech is "enabling link fraud". It generates revenue. It is intentional to allow it.


Or in a word: Extortion. "Pay us money to rent our asset, or else our policy of willful neglect will allow criminals to rent the asset and use it to harm you."

> It is like a billboard that no one is interested in using, so the billboard company fills it with something like "Your competitor's ad goes here".

Here I disagree, that example is qualitatively different and would be totally legitimate if the competitor put a regular ad there.

Well, unless the billboard is on your company's building or something, then it might be misleading.


I was disgusted today when I attempted to go to The Met, and the first result on Google was a pretty scummy attempt by a for-profit museum to imitate it.


It's so weird that we ended up with a system that converges whether or not the server's name is trustworthy. Who cares about server names? Better would be if you configured your browser to trust data based on which people had signed that data.


That is not the issue stated here (looking at the comments, not at the article itself which is very unclear).

The problem is, allegedly, that ad platforms allow displaying on their ad a domain they don't own. For example, you can have an ad that displays the link text "mozilla.org" while the link actually directs to "scam-mozilla.org"


But why would anybody want to do that? It's because the domain name they're displaying is more trustworthy than the one they're actually directing you to. So you gotta ask: How hard should we work to defend the trustworthiness of domain names? The author thinks we should work harder.

Names are notoriously a weak spot when it comes to software. So many attacks converge on tampering with the referential integrity of names. It has been a problem for decades.

Trust, by contrast, is a deeply human thing. We have been deciding who to trust and who not to for millennia. Those instincts though, they don't work for domain names. They work for humans, and a domain name is a lousy proxy for a trustworthy human.

So these "vanity URLs", or "link fraud" as the author puts it, are a reminder that defending the trustworthiness of a domain name is a rather awkward position to be in. And I'm proposing that we find a different position to defend, rather than digging in where we are.


Google removed the match between legal entities and public keys when they removed EV display from chrome. EV had issues, but Google chose to completely remove the idea of verification rather than address them.


EV was never really good for anything because names aren't unique. The Beatles' record label is called Apple. So is a large tech company. Either of them could get an EV cert that says "Apple" on it. You can form a brand new entity that has the same name as an existing one. Trademarks are specific to the region and industry. Many individuals have the same first, middle and last name as another person.

ICANN domain names are one of the rare types of names that are actually globally uniquely assigned.


Yes, naming conflicts within the United States where multiple companies can register the same name in different states are one of the issues I mentioned that Google did not address.

Your point about trademarks is also valid.


There is also the point that people fooled by app1e.com will also be fooled by some similarly creative company name hack. And that's even before realizing that there are legit companies whose name has little to do with the brands customers know.

In the end EV certs only pushed the name verification issue from one protection racket (ICANN) to another protection racket (EV certs providers) without actually providing much additional security. I'm glad that they are gone.


It's more likely www.apple.com.shop/buy-mac/macbook-pro. And yes, DNS is much harder for regular people to understand than company names.

