March 17, 2025
JAKARTA – Meta has been approving advertisements posing as news articles of legitimate local and international media outlets, which cybersecurity experts say could lead to cybercrime.
The ads typically involve sensationalist make-believe headlines as clickbait, which, in the least worrying consequence could lead to misinformation but may even expose users to financial crime.
In the latest case, The Jakarta Post stumbled upon an advert containing the Post’s own logo and layout elements and depicting President Prabowo Subianto with a bruised left eye, along with the fake headline “He didn’t realize the camera was on” and a subtitle reading “Is this really the end of his career?”
“The tragic end of Prabowo Subianto. Morning news for all the people of Indonesia!” was the caption posted by the advertiser.
Meta Ad Library, a public portal that contains ad information posted on Meta’s platforms, detailed that the ad had been put up by what it claims to be an advertising agency called Raleigh Wolff, operating from Ukraine.
According to Ad Library, the ad has been online since March 5 on Instagram, Facebook and Messenger. It was also put up on Meta Audience Network, which is a collection of Meta’s partner mobile apps and websites that run ads.
The Post saw the ad on Facebook earlier this month and flagged it on the social media platform, reporting it as “impersonation”. However, it was still up on Sunday, though it had been down for a brief time in between.
The Post spotted at least one similar ad in the past on Facebook that was eventually removed.
Meta representatives ignored the Post’s inquiries.
Read also: Meta tests ads on Threads
The ad linked to a The Jakarta Post clone website, which, except for the jobdady.com domain in the URL and some differences in font and colors, looked strikingly similar to the real website at first glance.
The Post did not delve deeper into the clone website for fear of possible malware. The domain cannot be accessed directly when users just punch in jobdady.com, and it could only be accessed through a specific subdomain or hyperlink, which illustrates carefully placed access parameters.
Upon investigation, Pratama Persadha, founder and chairman of the Communication and Information System Security Research Center (CISSReC), said the URL pointed to a “typosquatting attack”, which is when someone, usually hackers, use a misspelled domain of a known website — in this case it was employment platform job-daddy.com.
Read also: ‘I think Indonesia’s cybersecurity is run by 14-year olds’: hackers
IBM Asia Pacific field chief technology officer Kaylan Madala told the Post on Thursday that “fraudsters are always looking for ways to make easy money online” and “one tactic they frequently use is taking advantage of the traffic of well-known websites”.
Madala said such fake content was generally created to conduct a form of spear phishing, which is a cyberattack using social engineering to trick victims into divulging sensitive data, downloading malware or sending money to an attacker.
“Like all phishing scams, spear phishing involves manipulating victims through fake stories and fraudulent scenarios. Spear phishing attacks can be conducted through email messages, text messages, chat apps or phone calls,” Madala explained.
In this latest case, the clone of the Post’s website also contained a fake “article” on a “DELETED INTERVIEW WITH PRABOWO SUBIANTO” that supposedly appeared in another Indonesian media outlet, complete with make-believe screenshots and photos.
The fake interview concluded with a call to action to invest through a cryptotrading platform, but the provided link only led to another clone website, this time of the trading platform, hosted under the same jobdady.com domain.
The domain had been registered since March last year and was set to expire on March 16, 2025, according to domain registrar and web hosting company GoDaddy. The mailing address was Reykjavik.
The trading platform website clone included fake testimonies of Prabowo, alongside Indonesian billionaire celebrities Raffi Ahmad and Deddy Corbuzier.
Pratama from CISSReC pointed out that the fake trading website contained potential scams and phishing attempts, in which unwitting users might divulge personal information that could be used for a range of cybercrimes.
“The other potential harm surely is misleading information that can hurt The Jakarta Post’s reputation, because, for sure, some people will think that the news is legitimate,” Pratama told the Post on Thursday.
The Post found similar ads with fake headlines posing as news from other media, namely the New York Post, the Wall Street Journal, detik.com and Tribunnews.
The one naming the New York Post and the Wall Street Journal was the same ad of different variations with a fake headline on Prince Harry, the Duke of Sussex, supposedly cheating on his wife Meghan Markle, put up by an India-based advertiser called My Blog.
The ad has been online since Dec. 26 and redirects to a website with the drivepedia.com domain but seems to contain just misinformation about the British royal family and no call to action on fraudulent investment.
The one impersonating Tribunnews has been online since March 9 and promises “Real proof of supernatural cash withdrawal of Syeh Muhammad Al Yusuf without sacrifice, risk or violating religious [rules]”. The Post did not investigate further due to the cybercrime risk.
The ad posing as one from detik.com has similar traits to the Post case, as it contains a picture of Energy and Mineral Resources Minister Bahlil Lahadalia with a black eye and a similar sensationalist fake headline.
However, this one ultimately connected to a real detik.com subdomain, albeit to an uncorrelated story on potato-based cooking recipes.
Pratama pointed out that, before redirecting to the legit webpage, clicking the ad sends users to the plinoviaht.digital domain first, in which case the domain owner would get click counts that could generate income from click-based ad fees.
“Such [fake ad] strategies work, especially in Indonesia and also in some developing countries with low levels of digital literacy. But the willingness to get bombastic information will make them victims of cyberattacks,” said Pratama.