But Facebook says its system catches offenders quickly.
Adverts are dangerous. Although that banner plastered across a site may look innocuous enough, it might redirect to a malicious webpage, designed to automatically hack your computer.
But one researcher says it is trivially easy to create an advert on Facebook that appears to link to a legitimate site, such as, say, CNN.com, but in fact leads somewhere else entirely. The worry is that hackers could send users to malicious pages if the adverts are clicked, though Facebook says its anti-fraud systems quickly disable offending accounts.
"The fake advert only took me 5 minutes as I already had an advertising account," Justin Seitz, a researcher and creator of open source intelligence tools told Motherboard in an email. "They have a really quick approval process."
Seitz first saw an advert on his Facebook that indicated it was from ctvnews.ca. But when he clicked it, he landed on what looked more like ESPN. The page had the obviously dodgy domain "espn.l1dh.com," and was littered with adverts for supplements.
Seitz then dug through his web history that he had recorded with his tool, Hunchly. (Hunchly stores a local archive of every page visited while it is activated, which may be useful for researchers carrying out an online investigation.) Sure enough, there was another advert that claimed to link to one site, but directed through to another.
"I did not fully investigate all of the ads that I had captured in the tool but I am sure there will be others," Seitz added. One of the adverts had been clicked over 25,000 times, judging by the Google analytics data of its shortened URL.
Where it gets more interesting is just how easy it may be to create one of these spoofed adverts, at least according to Seitz. Within minutes, he had made his own.
Of course, the real issue is that wherever the advert takes a user to might be loaded with malicious content, ready to infect their machine with ransomware, for example.
"Our ad review process includes sophisticated detection systems that are constantly evolving to identify and block campaigns that try to use cloaking," a Facebook spokesperson told Motherboard. "When we detect an advertiser using this method, we promptly disable their account and block related URLs to prevent them from running any future campaigns."