Facebook Cloaking – A bygone Black Hat Strategy?

The internet is full of people trying to make a quick buck. And in a place where the rules are often nebulous and difficult to enforce, it’s not surprising that they’re often broken. 

Recently, we reviewed the concepts of doorway pages and SEO cloaking

SEO cloaking is a system by which unscrupulous users can differentiate between Google’s web crawler and real traffic. The bad actor then serves a site optimized for SEO to the crawler and a spam site to the real users. 

With this technique, one can place highly in the ranking and at the same time use very spammy strategies (that Google’s web crawler would likely punish).

Read more about SEO cloaking and doorway pages here

Facebook cloaking is similar to a certain extent – but it differs in significant ways as well. Importantly, instead of trying to trick search engine crawlers in order to get a high ranking, it tries to trick ad verifiers at Facebook

With Facebook, your ad is already being served to the exact audience that you want to see it, so there is no need to use cloaking to optimize placement. Facebook cloaking exists only to avoid getting caught advertising something you shouldn’t be advertising.

Why cloak?

Before going any further you might ask why, exactly, would someone be willing to risk the trouble they could get in by cloaking on Facebook. We can find the answer in Facebook’s advertising policies

Facebook is excellent for targeting the exact demographics that you want to see your ad. Practically no other advertising company on the market has such a wealth of information on potential customers. But Facebook has its downsides.

Namely, Facebook’s constant worry about user experience results in it not allowing many aggressive advertising styles.

Further, there is a relatively long list of things that one isn’t allowed to advertise on Facebook at all. So plenty of companies and sellers are left out and can’t take advantage of this incredible targeting system. 

Here are some of the things one isn’t allowed to advertise on Facebook

  1. Tobacco and tobacco-related products
  2. Drugs and drug-related products
  3. Many kinds of supplements
  4. Weapons, ammunition, and the like
  5. Adult products and services
  6. Adult content
  7. Surveillance equipment
  8. Payday or short-term loans

There are also a number of restricted products such as alcohol, dating services, gambling, and online pharmacies

You can read more about Facebook’s advertising policies here

So if you are selling any of the above content or any of the other forbidden services mentioned in Facebook’s terms of service, then you’re outside the walled garden. And given Facebook’s incredible potential for advertisers, you might be willing to bend the rules a bit in order to get access to it! 

Indeed many do this, and many are caught and subsequently banned. 

Is cloaking legal?

As far as this author could find, Facebook cloaking isn’t in and of itself illegal. It is, however, a direct violation of Facebook’s Terms of Service and will, if discovered, result in a ban. 

And then if you try to open another advertising account after having already been banned one, then you’ll just be banned again upon discovery. 

So in this regard, cloaking is a very high-risk operation for anyone that has other, allowed products and services that they wish to advertise. With cloaking it’s one and done if you’re caught. 

And you probably will get caught given Facebook has been cracking down hard on people who use cloaking since 2017. 

Naturally, since the reward is huge, there are a lot of people willing to risk it.

How does Facebook cloaking work?

Facebook cloaking works in a similar fashion as SEO cloaking. Essentially, a server or cloaking service will show one segment of visitors one page and the rest another.

With SEO cloaking, bad actors try to trick search engines into thinking that the content at the site is significantly different from what’s really there. The goal is to cheat the system to target better the people that they want to see their site.

With Facebook cloaking, they can already perfectly target the audiences that they want. The goal with cloaking here is simply to trick Facebook’s automated and manual checkers into believing that the site on the other end of their ad is in line with their rules.

This way, their ads can direct Facebook’s users to sites that use techniques or sell products that not allowed. 

How do they identify (identified) Facebook ad checkers?

Facebook is relatively secret about the tools that it uses to check whether or not a website or ad is in accordance with its rules. 

Bad actors, through a variety of nefarious means, build lists of IP addresses that have been associated with Facebook’s verification system. 

When the server detects an IP request originating from one of the known IP addresses, it serves a page of content that is 100% in line with Facebook’s Terms of Service. 

However, when a request comes from an IP address that isn’t on the list of known Facebook verifiers, it shows the real content – the content that Facebook would definitely forbid if it came across it. 

Now, Facebook’s verification system doesn’t seem to declare a specific, easily identifiable HTTP User Agent when visiting a site (as Googlebot and other search engine crawlers do). 

Therefore IP address sorting is really the only option available to cloaking fraudsters.

Facebook cloaking example

Now, let’s quickly look at an example from start to finish.

Say you have a supplement company. Your ads are consistently blocked on Facebook, and you’re just tired of it. In fact, you’re so tired of it that you’re willing to go to the dark side. 

So what happens?

Preparation

First, you create a fake account and a fake page and run a paid series of campaigns to build up the number of likes and also to get some good page reviews.

These first campaigns are totally by the book. If your site and ads get inspected, they all pass with flying colors. 

Once you have a relatively long history, a collection of good reviews (which you’d most likely buy), and a spotless record with Facebook’s ad inspection team, you can finally try your hand at cloaking.

Here the stakes can get high. You spent all of this time, effort, and money on building a clean front. If you mess up, all that is wasted and, worse, you’re now flagged by Facebook’s compliance team.

So you’d have to be very careful at this stage – you’re no longer a law-abiding citizen, but a wanted cloaking criminal. 

Cloaking is a very complicated technological task. You need to identify Facebook’s verifiers, create an exhaustive list of their IP addresses, constantly update it, and sort incoming IPs in a fast and effective manner. 

This part of cloaking process is technically complicated. Since many cloakers aren’t programmers, they simply use cloaking services rather than implementing a system themselves. It’s simply more cost-effective. 

If the cloaker does build his own system, he’ll still likely outsource the truly difficult part. That is, the collection and maintenance of a list of Facebook verifier IP addresses). 

Launch

Once you’ve implemented the system, you might not turn it on right away. You’ll let a campaign run with a simple, rule-abiding page and then later switch the actual sorting system on.

Once the sorting system is working, all you can do is hope that it functions properly. 

Facebooke verifiers to the clean page. 

Real users to the real page.

It is highly likely that you will be caught eventually (either by their advanced anti-cloaking systems or by user complaints). Because they’re running on borrowed time, most cloakers use extremely aggressive advertising styles to maximize returns while they can..

It’s not just Facebook

Google’s primary problem is SEO-related cloaking techniques (discussed in-depth here), but they also suffer from advertising cloaking. 

Just like Facebook, Google has a relatively strict policy insofar as what techniques advertisers can use and what products they are allowed to advertise in what channels. 

QUOTE You can read AdWords Guidelines here. 

As with Facebook, Google provides very targeted access to potential customers. In fact, it’s so targeted and effective that, along with Facebook, they completely dominate the market. This two-player market dominance is the reason online advertising is often considered a duopoly (though Amazon seems to be joining the fray).

That, combined with very aggressive advertising techniques or products with very high conversion rates (think weight loss, muscle building, and get rich quick scams) can be extremely productive. 

AdWords cloaking is an ancient problem for Google. In fact, it has been widely acknowledged since at least 2008.

Google, as one of the biggest companies in the entire world, has practically unlimited resources. And for some time now, they have been using those resources to build advanced anti-fraud systems. As with Facebook, if you get caught, they’ll delete your account.

You could even lose all access to Google’s advertising platform as an individual, meaning just by creating a new AdWords account you’re automatically at risk of being banned. 

Is it still possible?

Facebook, like Google, has been cracking down on cloakers for years. Why? Primarily due to the huge damage that they can cause to their brands. 

Say someone buys something on facebook and the experience is bad or the product is of low quality. The slighted customer is just as likely to blame Facebook as the actual seller for the bad experience. Because of this, he might avoid buying prodcuts advertisers on Facebook in the future. 

Why? Because the customer knows Facebook’s brand. And since Facebook was an intermediary in the exchange. Therefore, any negative experience with a Facebook advertiser reflects on Facebook directly.

As bad actors have become more advanced in their ways, so too has Facebook. Whereas once cloaking was relatively easy, once it became popular among spammers, Facebook dropped the hammer. Hard. 

Now they use multiple methods of verification that are significantly more effective than older tools. And, according to Facebook, they even have an advanced AI that can recognize patterns associated with cloaking. 

There are still cloaking services available and, as the reward is great, there is still a large number of bad actors out there trying to get around the system. 

But Facebook’s American userbase has been shrinking. So the company has become extra sensitive regarding anything that could make the user experience worse.

Just say no

Cloaking, be in on Google’s AdWords or Facebook, is not a simple system to implement, it’s high risk, it costs money, and it needs a lot of maintenance. Furthermore, it’s far from guaranteed to work. 

So, why not spend all that time, money, and effort on complying with the rules rather than trying to get around them? 

In the end, you will be found, and you will be banned.  

Conclusion

Cloaking is one of the more advanced fraud strategies that bad actors can use on Facebook, Google, and beyond.

It’s been a thorn in the side for both companies for years now and they both have a lot of experience dealing with the most advanced cloaking strategies.

What that means for most users is that cloaking is a bad long-term strategy if you actually have a brand to build or what to develop a good relationship with your clients.

But as a digital advertiser it is good to understand the tricks of the trade and why certain people use them despite the risk.


Mobinner is a high-performance Demand-Side Platform. Since 2017, we’ve been helping customers build brands, acquire users, and drive conversions. See what Mobinner can do for you.



Leave a Reply

Your email address will not be published. Required fields are marked *