Yemeni Fact-Checking Network

This investigation reveals Facebook's involvement in approving advertisements for fake posts promoting services and applications containing malicious software that leads to the theft of user information. This goes beyond a single advertisement or a corrected mistake; it includes multiple ads that may have reached millions of users, with some of them continuing to be displayed for months.

If you live in the age of the amazing digital transformation brought by "artificial intelligence" technologies, you can imagine what it would mean to have a model 1800 times smarter than GPT-4, or a Gemini version 2500 times smarter than each of GPT-4, Bing, and Bard; perhaps then the world's problems could be solved and time could be shortened. But what if this fantasy is just misleading information that ends with a dangerous virus that steals your information, possibly destroys your business projects, and turns you into a tool to harm others?

These facts are happening together on the largest social media platform in the world, which has about 3 billion monthly active users, according to the latest statistics provided by the company in February 2024.

More than three billion users on Facebook (Statista - Facebook)

This large number of users could mean that any of them may have fallen victim, as documented by the Yemeni Fact-Checking Network (YFCN.ORG) in recent weeks. Numerous deceptive and false advertisements have been identified, promoting posts with enticing phrases and false information about services and applications, particularly those related to artificial intelligence.

The paid posts documented by YFCN, through screenshots, included fake ads for popular software, such as an ad called ChatGPT Version 5, which cybercriminals claim is 1800 times smarter than the current model.

Screenshots show fake posts advertised on Facebook claiming to be for the chat-gpt-5 program (YFCN)


The Facebook ad library displayed five advertisements on the same page for the fake GPT-5 application, with the page having 553,000 followers as of March 9, 2024. This indicates that the ads reached hundreds of thousands of people, exposing them to purportedly fake products promoted by Facebook. As of the time of writing, these advertisements are still active on the same page.

A screenshot shows five fake ads bearing the name Chat GPT-5 (YFCN)


Some of the paid ads date back to November 2023, and despite reports that have led to some links being disabled and deleted, they are still displayed on Facebook, which indicates that the platform has not taken any action against their publishers or closed the pages.

The information we have gathered also reveals that some of the pages carrying the ads originally belonged to other products, which indicates that some of them were hacked and that the hackers changed their names and advertised malware on them.

The ads also included "Gemini Pro" or "Gemini Ultra", Google's artificial intelligence model, with advertisers making false and fanciful claims about the model's capabilities to urge the user to open the link attached to the ad on Facebook.

Screenshots Showing Fake Posts Advertised on Facebook (YFCN.ORG)


One of these misleading claims is that the application downloaded from the link includes a version 2500 times smarter than each of the models ChatGPT4, Bing AI, and Bard (Google's previous model). Although more than a month and a half has passed, the post is still displayed.

The deceptive ads, which share some similar characteristics, continue: in March 2024 the fact-checking network documented ads for artificial intelligence applications and others, all of which are files containing malware.

Fake Posts Advertised on Facebook

Screenshots Showing Fake Posts Advertised on Facebook (YFCN.ORG)

Malware, Not Services!

When a user opens one of the links placed in the ads, the site asks them to download a compressed file protected by a password. The compressed file contains a setup installation file, presented as the way to access the advertised application. Once examined by an antivirus program, however, it turns out to contain malware that damages the computer when installed; the user's confidential information can be stolen, or their device can be used as a Trojan horse for activities against other devices.

Fake Files

Screenshot of Fake Files in a Computer Folder (YFCN)

Yemeni Fact-Checking Network experts say that the cybercriminals behind these ads and malware put the installation file inside a password-protected compressed RAR file so that they can bypass some file scanning tools, which might otherwise immediately reveal that the file is infected.

Scan Results and Trojan Horses

On Avast Anti-Virus, the scan showed two types of malware or threats:

Screenshot from Avast Antivirus Software (YFCN)


Script:SNH-gen[TR]

Other:malware-gen[TR]

In addition, YFCN.ORG performed another scan of the file on the Kaspersky website, which confirmed that the file contains two types of malware:

Trojan-Dropper.OLE2.Agent.sb

HEUR:Trojan.Script.Generic

This is shown in the scan results of three files advertised for different programs: result one, result two, result three.

Screenshot Showing File Scan Results on Kaspersky Website (YFCN)


The first type was identified as: Trojan-Dropper.OLE2.Agent.sb

Trojan-Dropper programs are designed to install covert malware embedded in their code on victims' devices. This type of malware, according to Kaspersky, usually saves a set of files on the victim's disk (usually in the Windows directory, Windows system directory, temporary directory, etc.), and runs them without any notification (or with a fake error message about the archive, expired OS version, etc.).

The other detection is: HEUR:Trojan.Script.Generic

The "Trojan" part indicates that the malware is considered a Trojan, which is a type of malware that impersonates a legitimate program to carry out its malicious activities. The "Script" part indicates that the malware relies on scripts or code to perform its malicious actions.

In general, the viruses referred to are part of what is known as "Trojan horses", a name taken from the famous Greek legend, and this type is currently "the most common type of malware used to open backdoors, control the affected device, display and send user data to the attacker, download and run other malware on the affected system, and many other malicious purposes," according to the short definition provided by the ESET website.

A review of the Facebook Ad Library showed that the pages used in the ads are run by people from multiple countries, including Vietnam, Egypt, Indonesia, and the United States. However, it is not unlikely that the hackers are using virtual networks.

Facebook Ads Library

A screenshot shows five fake ads bearing the name Chat GPT-5 (YFCN)

Facebook's Automatic Review

Facebook's policies state that the site uses "automatic review" for ads and "in some cases, manual review." The "ad review system" also "relies primarily on automated tools to verify that ads and business assets comply" with the platform's (i.e., Facebook's) policies.

Facebook explains that the "ad review system" "reviews ads for violations of any of our (Facebook's) policies," and "this review process may include specific ad components, such as images, videos, text, and targeting information, as well as the landing page associated with the ad or other destinations, among other information."

If advertisers of malicious or non-compliant files put them in compressed files protected by a password, it is likely that the automatic scanning tools will fail to detect them. This is a major failure of the mechanisms used to approve ads. It does not relate to limited violations, but to malicious spyware files that can cause immeasurable damage to people who are exposed to ads that appear to offer services or products that achieve the impossible for users, but that are actually malware which not only harms the user, but also turns the related Trojan horses into a platform for targeting others.

Even if we accept that hackers have exploited "automatic review" to spread malicious and dangerous content on Facebook, it is not justified that the links to these files remain visible for days, weeks, and months. This is nothing but another failure in the mechanisms for scanning and tracking threats on the platform.
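The password-protected RAR technique described under "Malware, Not Services!" and in the paragraphs above defeats content scanning, so a review pipeline should treat an archive it cannot open as unscannable rather than clean. The following is an added example, not code from YFCN or Facebook: it reads the RAR 4.x and RAR 5.0 header fields that mark encryption. The function names are hypothetical, the signature is assumed to sit at offset 0 (no self-extracting stub), and header CRCs are not verified.

```python
import struct

RAR4_SIG, RAR5_SIG = b"Rar!\x1a\x07\x00", b"Rar!\x1a\x07\x01\x00"

def _vint(buf, pos):                            # RAR5 variable-length integer
    value = shift = 0
    while True:
        value |= (buf[pos] & 0x7F) << shift
        pos, shift = pos + 1, shift + 7
        if buf[pos - 1] < 0x80:
            return value, pos

def _rar4_encrypted(buf):
    pos = len(RAR4_SIG)
    while pos + 7 <= len(buf):
        htype, flags, size = struct.unpack_from("<BHH", buf, pos + 2)
        if (htype == 0x73 and flags & 0x0080) or (htype == 0x74 and flags & 0x0004):
            return True                         # main: headers encrypted; file: data encrypted
        packed = struct.unpack_from("<I", buf, pos + 7)[0] if flags & 0x8000 else 0
        pos += max(size, 7) + packed            # files over 4 GiB are not handled
    return False

def _rar5_encrypted(buf):
    pos, htype = len(RAR5_SIG), 0
    while htype != 5 and pos + 5 <= len(buf):   # type 5 is the end-of-archive header
        size, body = _vint(buf, pos + 4)        # skip the 4-byte header CRC32
        htype, p = _vint(buf, body)
        flags, p = _vint(buf, p)
        extra, p = _vint(buf, p) if flags & 1 else (0, p)
        data = _vint(buf, p)[0] if flags & 2 else 0
        if htype == 4:                          # archive encryption header
            return True
        end, rec = body + size, max(body, body + size - extra)
        while htype in (2, 3) and rec < end:    # extra records of file/service headers
            rsize, after = _vint(buf, rec)
            if _vint(buf, after)[0] == 1:       # record type 1: file encryption
                return True
            rec = after + rsize
        pos = end + data
    return False

def triage_archive(buf):
    """Return 'encrypted', 'scannable', 'malformed' or 'not-rar' for raw file bytes."""
    try:
        for sig, check in ((RAR5_SIG, _rar5_encrypted), (RAR4_SIG, _rar4_encrypted)):
            if buf.startswith(sig):
                return "encrypted" if check(buf) else "scannable"
    except (IndexError, struct.error):
        return "malformed"
    return "not-rar"
```

Any result other than `scannable` for a RAR download should be held for manual review instead of being passed as clean.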

Ads Running for Months

An ad under the name GPT, running since November 2023
An ad under the name Gemini, running since January

Recommendations and Tips

The Yemeni Fact-Checking Network calls on all users of the social media platform Facebook to avoid misleading ads, especially those containing suspicious and unknown links, and to hold Facebook accountable for this failure.

How to reduce risks on Facebook and other social media sites?

There are many ways to protect yourself on the web; the Yemeni Fact-Checking Network lists the most important ones as follows:

  •     Check the link before clicking. If it is not the main link of the company that owns the ad, avoid entering it.
  •     Use an antivirus program, especially on the desktop. Paid programs usually provide broader protection, but there are programs that provide the minimum level of protection required, such as the free version of Avast.
  •     Always keep your antivirus programs and all applications up to date.
  •     If you feel that your device is having problems such as slowness, update issues, or others, do not hesitate to show it to a specialist to review the installed applications.
  •     Always review the add-ons in browsers like Chrome, Edge, and Firefox, and delete anything you don't need. The same applies to any application installed on the desktop or on the phone.
  •     There are free tools that can do a quick scan of the computer, such as Malwarebytes AdwCleaner, a tool that is no more than 10 megabytes in size and can be downloaded to scan the computer quickly and delete suspicious tools.

Original text of the investigation in Arabic, translated with the help of artificial intelligence Gemini and ChatGPT