Growing up as title when I announce it. All right, next up we have False Advertising: How Modern Ad Platforms Can Be Used for Targeted Exploitation. Please give Tyler Cook a warm ToorCon welcome.

All right, so I knew you had it in you. You got that great. The title's awesome. All right, so this is false advertising. And my name is Tyler Cook. I'm a digital advertiser. I work with Fortune 500 companies for a corporation called HZ out in Maryland. I'm very interested in cybersecurity and pen testing strictly from a hobbyist's perspective. And I use Python, Node, and PHP on a pretty much daily basis for my job. I'm really bad at designing PowerPoint presentations. This is as good as it's going to get, guys. It's not getting any better than this. And I'm also terrible at writing author bios, so that one right there. Yep, that's me.

So what is a targeted attack? Well, in this case, I'm going to be teaching you how to turn ad platforms into a spear phishing campaign. So you can target whoever you want, wherever you want, on any device that you want, no matter when they're browsing. I'm also going to be teaching you about the security measures that those ad platforms have in place and how to bypass them.

But unfortunately, before we begin, I need to cover some terminology. So I'm going to guess that no one else in this room also does marketing for Fortune 500 companies. So there's probably a lot of terms here that you're unfamiliar with. But that's OK. I'm going to get you up to speed as quick as I can.

So an ad network. An ad network is a platform that lets you show ads through a specific service. In this case, it might be Facebook, it might be Twitter, YouTube, or LinkedIn. Now with each one of these ad platforms, there's going to be a form of pricing involved. And these prices usually come in one of three forms. That's called CPM. It's called CPC, or called CPA. CPM stands for cost per mille, or the cost for 1,000 people to see an ad.
The cost per click, or CPC, is the cost for someone to click your ad. And the cost per action is the cost for someone to take action after viewing your ad. With every ad that's placed on a network, there's something called a click-through rate. So if two people click your ads after seeing it, after 100 people have seen it, it's a 2% click-through rate.

And every ad network that is relatively modern is going to have something like a custom audience. They may have a different name for it, but by and large, you can Google whatever ad network and custom audience with it, and it will come up with a how-to on that platform to how to use a custom audience. But what a custom audience is, is an advertiser-generated list of users. This list will contain users' phone numbers or email addresses, and the ads will only be shown to users on that list. And each ad network will have a different requirement for the makeup of that list.

So why social ad networks? When we're talking about modern ad networks, we tend to talk about social ad networks as the forefront from an advertiser's perspective. And that's because 70% of Americans log on to Facebook daily. 79% of all internet users and 69% of American adults use Facebook. And globally, people spend 50 minutes on social media every day. That's a ton of time. So on that time where they're browsing, surfing, looking at cat videos, they're gonna see a lot of ads, right? And a lot of times, people are gonna ignore those ads, but out of all of those ads, some people are gonna click them because they resonate with them.

Now what makes these social networks highly targeted? Well, I've already discussed sort of the custom audiences. Most modern ad networks will use a small list of these people, and the minimum size that we'll be discussing today is 20, right? The other benefits that an ad network might have over a mail phishing campaign is the ability to select devices ahead of time.
So if you're going to advertise at someone, you might select that you only want people on an iPhone to see your ads. You only want someone on a desktop computer to see your ads, or you only want someone with a specific browser to see your ads. You can also do what's called day and time parting. Ads can be shown to users at a specific time of day, such as 3 p.m. on a Monday, or noon on a Sunday or Saturday. This helps you ensure that if a user's at work, they're probably gonna see your ads on a Monday through Friday or if they're at home. This depends on how you wanna set up an attack.

Ad networks also have a couple of unique features that other phishing platforms might not have. You can stop a campaign in real time and start it back up again. So unlike a traditional phishing campaign, where once you've sent it out, it might be there and it might be there in evidence forever, with us you can just sort of stop it whenever you want and turn it back on. You can update the creative. If something's not working, you can change it in real time. And lastly, it's pay as performance. So the more money you're paying, or as long as you continue to put money in, you'll continue to get clicks in. People will keep clicking on your ads and landing on whatever landing page you want to send them.

In this particular presentation, I'm gonna go only two networks, but there are plenty more out there and you can use these same techniques to exploit them. The first is Facebook and the reason I'm going to be using it is because it has 1.86 billion users. Its simply massive user base is a perfect way of reaching almost anyone. The second is LinkedIn. LinkedIn has 106 million people and 29% usage amongst Americans.

Now on Facebook, as mentioned, we already have the 79% of American internet users, but what we also have is we have a very small custom audience size. Some other networks out there have a minimum size of 150 or some more have 500, but with Facebook, it's only 20 verified accounts.
And this custom audience size can be made up of emails or phone numbers. The cost format is cost per mille or cost per click, whatever you choose, and the preferred ad method on Facebook is the newsfeed ads, which we'll cover a bit later.

On LinkedIn, the big defining factor is the ability to reach 22% of CEOs in the United States and 36% of C-suite executives. It has precise targeting. So its user list is only one. You only do one person to target and it can find them. It's a cost per action based advertisement, which means it is $10 per action. However, if a person does take action from that ad, you're automatically refunded within 90 days. So that means you can keep sending as many of them as you wanted, as long as people are taking action on them.

Now, unlike traditional spear phishing campaigns, advertisements require a little bit of work to get them up and running. And in advertisement, there's two very important parts. The first is the ad, and the second is the landing page. The ad is the creative that gets the attention. It gets the clicks. This needs to be important enough to get a target's interest, and then get them to click. The landing page is a destination where your target will arrive after clicking a link. This is where your payload will be delivered from. Sorry, I seem to, sorry about that guys, I seem to have clicked. There we go, sorry.

Building the perfect ad. When we're talking about ads, there's four very important parts. The first is it's well researched. The second is it's attention grabbing. The third is it has motivating copy. And last but not least, it follows the rules.

When we're talking about ad research, we want to appeal to a target's wants and needs. The easiest way to do this is to think of celebrities, influencers, or companies that a target might go to and rely on from information, find them and to put them into three free tools that advertisers such as myself use every day. The first one is AdEspresso. The second is BigBigAds.
And the last is ads vantage. These tools let you put in a corporation or an influencer or a network and actually see the ads those corporations have put out. And by doing that, you can copy what has been successful. Success, as you'll see, is measured from social metrics such as the likes, the shares, and the clicks at the very bottom of the ads. So you'll actually be able to see what was successful for the advertisers in the past and then sort of base your attacks on that.

However, you might run into some industries where there aren't a whole lot of likes and there aren't a whole lot of clicks and there aren't a whole lot of things being shared. And when in doubt, it's important to deliver, or sorry, to go back to one of the three big drivers of action. The first is health. Everyone wants to be healthier. Everyone wants to be living longer and be stronger. And an article titled "four office habits that are shortening your life" appeals to pretty much a broad spectrum of people who are living in an office cubicle. Wealth is, everyone wants to be richer. Everyone wants to make more money. And so you're always gonna see job titles or postings for getting a better job, getting better at interviewing, getting your own business off the ground while working at a crappy job. And last is relationships. Most people are longing for the social approval of others. They loathe the idea of being seen negatively. So they are always going to be falling into traps of clickbait articles such as "four things you're doing that your employees hate."

Once you've figured out what kind of copy is going to drive and motivate your audience, you're gonna need to think of the kinds of images that they're going to click on. Once again, I'd refer back to Facebook groups, social circles, and those tools I mentioned earlier, to find what kinds of images tend to get high clicks.
You'll see that, you'll see time and time again there's certain imagery that your audience sort of clicks on or relies on as a method of, that is important to me, right? Now, Facebook traditionally has a very bland color scheme. It's very blue and white. Sometimes images don't stand out against it. A trick that advertisers use in order to get clicks even from audiences that are not tended to click is to increase the saturation. On the image on the right, on the left hand side, you'll see that the saturation is normal. But on the right hand side of it, I've actually increased the saturation by 40% to have it stand out. This is something I use to get clicks quite often.

Finding ad copy that motivates. When you're looking through the tools I mentioned, you're gonna start seeing these little formulas pop up in the titles below. You'll start seeing these "12 awesome HubSpot resources that won't cost you a dime." You'll start seeing little things like that, like "blank ways to do blank," or "when a free blank," or "blank things you're doing wrong," or "blank job openings in blank." These are little formulas. They're formulas that advertisers in that industry know work, so they're gonna keep using it and keep running that pony into the ground. That's what you should be doing. You should be finding those formulas and applying them to your article. You'll look for ads, once again, with a lot of shares, a lot of high comments, and a lot of social reactions.

This post right over here is from HubSpot. They build software for marketers. This particular post has 3,000 likes and 185 shares. HubSpot is very good at finding imagery that sticks out. In this case, the orange free button, or orange free banner, sort of sticks out against the blue color scheme.

And last but not least, though it is not the most exciting part, you have to follow the rules when it comes to building your ads. The ad copy you're making, it must be in line with the policies of each network.
So I've included here two links to Facebook and LinkedIn's Terms and Policy Guides, but every ad network has these. The reason you're gonna wanna follow this when it comes to your ads is because there is automated and manual moderation, and we want to prevent the automated moderation from finding us so that we can bypass the manual moderation, and I'll get more into that later. But right now, it's important to understand that the automated moderation is what stops most people from launching a phishing campaign on these kinds of networks. So if you can just follow the rules that the automated moderation follows and looks at, you'll be better and more likely to get past the manual reviews later.

So now that I've talked about ads, I'm gonna move on to the landing pages. What to keep in mind when you're building the perfect lander is that you can borrow existing landing pages and articles and promote them yourself. Facebook doesn't have a, they don't have a copy policy. There's nothing against copying someone else's creative and publishing it as your own. Your ads must match your landing pages, though. Your landing pages can be built easily, so even if you're not a developer, even if you don't like developing websites, you don't have to worry, because that can be done very quickly, and your target doesn't ever have to see your landing page, and I'll get into that more in a minute.

When we're looking at borrowing content as advertisers, a lot of times what we will do is we'll find an article that worked for a particular target market, and we will either modify it manually and sort of make it our own, or what we will do is we'll throw it into something called a spinner. There's a website called WordAI, and that will rewrite entire paragraphs, change sentence structure, and make copied articles your own.
This uses artificial intelligence to rewrite them, and so far, none of the advertisements I've ever made has ever been flagged or stopped as duplicated copy because Facebook just doesn't look at it like that. Facebook looks at it as a, you want to promote content, I don't care where it's from, we just want money.

When it comes to ads, though, it's important to have something called content continuity. You do not want to send someone an ad that says we're hiring in this area, then click on it and then see a piece of content for boating or fishing, right? You want your ads to match your landing page. You want to ensure that there's a seamless experience between what your user expects when they click an ad and what they get when they've arrived at the landing page.

For the most part, advertisers such as myself are busy or very lazy people, depending on how you look at it. We don't spend a lot of time crafting landing pages. What we do instead is we look at plugins on WordPress or we look at software like Leadpages to build our landing pages for us and then we sort of craft the content that we've been taking and mold that into the landing page, right? So when someone comes in to an ad expecting to see a for-hire page, we're going to set up a landing page very quickly and then direct our users to that. Instead of designing a custom for-hire page, we're just gonna find a plugin that'll help us do it very quickly.

There's no need to get very technical with this because when you're building an attack page for your audience, you have to understand that there's two different ways people are gonna see it. They're gonna see what you want them to see and the moderation team are gonna see something else. The moderation team is who you're building these landing pages for, right? They're the ones who are gonna make all the approval. The users are who are going to be phished. They're going to be attacked. And how we're gonna separate that is through something called cloaking.
What cloaking does is, just as I described, a user will see one landing page. A moderation team will see another, right? This is very powerful for what are called black hat advertisers because it lets us promote products or services that are not allowed on certain ad networks. However, in your cases, you could show whatever you wanted. There's literally no limitation to what can or cannot be cloaked. Right now, there's people using it for dating apps or gambling. However, you could use it for drive-by-download kits, phishing pages, or remote exploit kits. You're completely left to your own devices when it comes to that.

However, not every page needs cloaking. If you were to take someone to a landing page, right, and it's for a job offer, and at the end of them filling out their information, they were to get a PDF or a file downloaded or a piece of media that they would click on and execute and read more information from that, Facebook's not gonna go through that long, tedious process. There's no manual reviewer who's ever gonna put their information into those documents. That's not what they judge on. They judge on the landing page's aesthetics and what it looks like, right? So if it's not an obvious attack, you don't need to cloak it. However, if it is obvious, if a user is clicking an ad and then landing on a phishing page for something like their Facebook login, you're gonna need to cloak that.

When you're looking at cloaking, the easiest way to ensure success is to wait 24 hours. Usually, the moderation has 24 hours to respond to every landing page that goes through their system before approving it or denying it. So in other words, if you were to not set your cloaker to live for 24 to 48 hours after launching the campaign, the moderation team has already moved on. They're going to rely on other metrics to see if they need to come back and look at the landing page, such as the bounce rate I mentioned earlier.

Recommended cloakers.
This is the part that gets a little tricky. When I first wrote this brief to submit for ToorCon, what I found was that several of the cloakers I was going to recommend were completely closed and had gone out of business by the time I was ready to write to this PowerPoint. Unfortunately, Facebook catches on that people are cloaking and they begin to look and find the methods that people are using. The cloakers I've recommended below are the three that I've used in the past that are still available and still working. Many of them, but not all of them have a free trial. So you can go on, get a cloaker right now, set up a campaign right now, bring traffic to it and not pay a dime for it.

Now, here comes the fun part. Launching on Facebook. You cannot set up advertisements without having a business page. A business page is nothing more than a user account who has created a page from that. It's literally just go to the Facebook page, click on the cog, click create a page and set up a business. Ideally, you want it to be somewhat focused around the targets you're going after, but it doesn't have to be. I've included a little video for how to do that.

Obviously, when it comes to advertisement, money is involved. Facebook's not gonna let you advertise for free. So you're gonna need to configure a payment information. It's very simple, you literally go in, click configure payment information and put your payment information in.

The next comes custom audiences. This is where you're gonna wanna upload a list of emails or phone numbers into Facebook and Facebook is going to figure out who they belong to and then target them. These emails and phone numbers can come from anything. Business cards here at ToorCon. You could take those and create a custom audience out of them. If they're linked to Facebook in any way, Facebook will say they're valuable and as long as you have at least 20 of them that are right, Facebook will let you show ads to these people.
I highly recommend including more than 20 in your list just in case you need more than 20. So when you put 20 in and Facebook says only 15 are confirmed, you gotta find five more. So I do recommend finding more than 20 when you first upload the list. These lists can be a CSV. They can be copy and pasted data or they can be imported from Mailchimp. I've also included another YouTube video below to watch how you can set up a custom audience.

All right, so using the custom audiences. Once your list has been built and you're ready to use them, you'll see a list displayed of all the custom audiences you have. Just by clicking on that list, Facebook will let you create an ad for that. A lot of times what I'll do when I'm building an ad off of a custom audience is I'll click the list and then I will add filtering on top of it to ensure that I'm getting the right person. For instance, maybe the product or service I'm trying to sell has a different angle for men versus women. Maybe it has a different angle for people who are located in a different part of the country or maybe I'm trying to add a different device segmentation on top of it or a different geographic location on top of it. This is where you would do that. You would add in the times of day, the geography, the devices you want to target, whatever is important to your particular campaign.

Next is choosing the right ad type. I mentioned earlier that I think Facebook news feeds are the de facto successful ad on Facebook and there's a reason for it. These ads take up the most space on Facebook so therefore they're going to get the most attention. They're also eligible for both mobile and desktop traffic so you don't need to create a series of ads for mobile versus a series of ads for desktop. Whatever you're trying to launch, it will work on both.

When you're coming to disguising this attack, I highly recommend using Facebook as a viral content or white paper approach.
On the right, you're going to see a person named Frank Kern. He created this ad and what he's trying to pitch is he's trying to pitch training for marketers. You'd go, you'd click on the ad, you'd arrive at a landing page that would want your email and then he'd try to sell you things later. But if you look, he actually has 4.9,000 shares or sorry, likes and 1.3,000 shares and 294 comments which is a ton of social traction and social proof. And we're going to sort of clone that because after you've built your ad and you push it out there you're going to want to make it look like people have trusted this product or this service or this ad and also added likes and shares and comments to it. The easiest way to do that is to buy that traction off of a site like rfollower.com or shopfbelikes. These services will let you buy as many likes and shares and comments and reactions as you want. And so therefore to look more authentic and people will sort of trust it as a well liked and well traction ad versus something that only 20 people are going to see.

Now we're going to talk to launch on LinkedIn. LinkedIn is a far more simple beast. It has a much higher open rate than traditional email. It's at 85% of open rates, right? Versus a 24% for traditional email. It's targeted and that you can only send it to any one person that you're not connected to and there's no cloaking required. You don't need to buy a cloaker, you don't need to worry about custom audience list because the minimum size on LinkedIn is just one person.

To get started with setting up an email, all you have to do is upgrade your account. There are three different types of accounts that LinkedIn offers. The first is career, the second is business and the third is sales. Every single one of these accounts gets a certain number of emails with them automatically. The first to career being three, business 10, sales 25 and they each cost a certain different amount.
However, if you were to run out of those emails you can buy new ones for $10 each.

When you're looking at sending an email, you should find the target. Just by buying LinkedIn Premium or any form of premium account, you're gonna get access to a higher grade search engine. The search engine's gonna let you type in a company name and then find people of a certain job function. So for instance, if you wanted to find people who worked as secretaries or people who did not work in cybersecurity who might understand that this is a phishing technique, you could completely avoid those people. You could target secretaries, people who worked in printing room, marketers like myself, you could target whoever you wanted. It's one click launch. Just by finding that person, clicking on their name, you're gonna get the opportunity to send them an email.

When it comes to writing that email, I highly recommend that you use it as a hiring outreach or a products and services outreach. LinkedIn has shown that these are the two outreach through emails that get the most traction and people click on them and interact with them. However, just like any phishing campaign, if you can get a little bit more creative in your copy, it's all limited to you. So if you wanna get more creative and see if it works, go for it. Once again, if you do get any traction whatsoever, LinkedIn will refund you $10 or your email within 90 days. You can tailor this approach. So I don't recommend sending a CEO a hiring offer or a junior level position of product and services. Just sort of target the person, know what their interests are before you reach out to them.

So I've talked a little bit about these attacks and there's not a whole lot on the internet I could find to people using this as a very targeted way of attack. However, what I did see is there's a lot of companies who are aware that this might be a method of attack and are looking to stop it.
I found that there's a company called Pi-hole that's made a network-wide ad blocker and another company called Metix which makes another network-wide ad blocker. I would highly recommend using a form of network-wide ad blocker even if it's the freeware one like Pi-hole on your corporate networks just because people are gonna bring in external devices like their phones, it may not have ad blockers automatically installed. That doesn't mean you shouldn't encourage them to include an ad blocker on their home computers and their phones just for their due diligence but that'd be the way that I would stop these techniques.

To wrap things up, I hope you have a general idea of how to set up and get approved on various ad networks to avoid the automated reviewers and know that you can bypass the manual reviewers entirely with something like cloakers. I hope that you have a very basic and brief understanding of how one might go about securing against this type of attack. Thanks and any questions?

Sure, so what a cloaker is doing is a cloaker is a piece of software that sits in between you and your landing page. You're going to send ad traffic to the cloaking page. They're going to first look at the traffic that's coming in and they're gonna determine based on thousands of other advertisers that are using this source. Hey, we're seeing the same IP range. That's Facebook. Hey, we're seeing the same footprint. That's also Facebook or that's LinkedIn or that's Twitter. And then they're gonna say if that is part of our block list, then revert them to this landing page. If it's not, revert them to this. They don't care what it is that you're advertising or what pages you're sending it to. They just care what is a reviewer and what's not a reviewer.

Yeah, so Facebook's moderation team and every ad network's moderation team is huge, right? They don't rely on humans initially.
They tend to rely on robots first and then they have a lot of reviewers in third world countries that go and click the ads. I've seen cloakers work with just, just by like a homebrew cloaker work, just by having a geo target, like a really specific geo target around the city that they wanted to find people in underneath their belief that they didn't know where the reviewer was coming from but they knew where it wasn't going to be. So they knew it wasn't going to be, and let's say Rockville, Maryland, but they knew that it could be anywhere outside that. So the network they were gonna target was Rockville. So therefore if someone clicked the ad and they were in Rockville, Maryland, then show them the phishing page. If they weren't in Rockville, Maryland, show them anything else. So that's another way one could go about doing that.

Sure. Oh, so spear phishing through social networks and social media? So primarily through social networks and social media is I don't see a ton of these. What I was seeing a while back ago and how I got thinking about this is I was seeing LinkedIn InMails come through me for someone initially saying that they were hiring. And I clicked on this hiring campaign and I was like, what is this? Why, like it looks just like a hiring page but it wants me to download this PDF. I was like, this is shady as fuck. Like, this is so shady. So I then send it through a virus session. Of course it comes back positive all the way. And I was like, ah, I see it. Yeah, I was like, oh, I see this. I see what's going on. And then it got me thinking, well, people do this every day. Like, I advertise every day. I bring people into whatever pages I want and no one questions it, right? What makes an ad successful? What makes an ad not successful? And that's the way.

Sure, yeah. So Facebook doesn't like admitting that phishing and cloaking are a thing, right? They tried really hard to prevent people from cloaking.
But as I said, what they're doing is looking for where traffic is going and shutting down those pages so that when I said there was a lot of cloakers earlier that had been shut down, what that means is you could still use those services. But if you put your ad through that service, right, it would, you'd send traffic there. And Facebook would say, oh, we know this. Like, your account's getting shut down immediately. Right, those cloakers just don't work anymore. And so they're the first ones to admit, we're not working. Right, and you're gonna start, you'll start seeing other people review them and say, if you Google cloaker's name and then 2017 or whatever year it is, you'll start seeing people say, my account's all got shut down. Why are my accounts getting shut down? I was doing so much traffic with them. Why are my accounts getting shut down? It's because the cloaker doesn't work anymore. These three are the three that I know right now that are working, that I tested and I can say, this was working today. I know they'll work today. I don't know that they'll necessarily work tomorrow.

So, sorry, if you wanted to make your own cloaking service, sure, sure. Yep. Yep. Yeah. If it goes through, it goes. Yeah, that's the primary way that people are doing it. Most people I know who have set up cloaking services, they are advertisers like me. They do a lot of volume for a lot of people and they're able to track and install their own scripts on the people they're advertising for websites and they say, this is what we're seeing. We're seeing all of these same IP ranges. I get, I best if we filter those out, we know who the moderation team is.

No, we don't share with each other. We just, I mean, there are, as mentioned, there are black hat advertisers just like cyber insecurity enthusiasts. We talk and we say, oh, this is what's working for me.
So, every time you change a landing page, right, it's going to, Facebook's gonna see that you've changed it on their side and they're gonna say, oh, well, something's changed. Go back and remoderate it, right? The cloaking page prevents that and just that page never changes, but where it redirects to changes. But I guess if you really wanted to set up a series of redirects, you could try and see how long that worked.

With targeted lists, you're not gonna get as much moderation. So, if you're targeting 20 people, you're not gonna get as much heavy moderation as if you're spending like 50 grand a day on Facebook.

Yeah, if you want them just to fill in whatever, if you want a form on the landing page, you don't even need a cloaker, you know? Yeah, just make the user go through a little bit more work, that's all.

Yeah? Your credit card will be blacklisted, you'll need a new credit card, right? Right now, you can't use a bunch of virtual credit cards and a bunch of, I was gonna put a big slide on there about what kind of credit cards you can use, but right now, every single one of the gift cards I was using, they're not working right now. So there are still some out there, but people aren't sharing which ones those are. I'd be very careful. Maybe, I mean, you could just get a new credit card through Capital One or whatever if you're willing to risk your own credit.

But there's nothing illegal about cloaking. It just violates the terms of service. There is stuff illegal about phishing and using it for malicious attacks, but cloaking in itself is not illegal.

I've worked some really obtrusive ads that have worked. And I used to work for a huge marketing company called Agora, they're very much intrusive ads and we were seeing success. It tends more to work towards the age of the audience. The older someone is, the less familiar they are with the internet and how those things work, the more they're gonna just allow things to, oh wait, of course it works.
I saw it, I read it on the internet. But the younger they are, the more tech savvy they are, like the more educated they are, the more they're gonna be very, you know, the more they're gonna scrutinize the ads that you're putting out. Any other questions? We good?

Yeah? Sure. Yeah? Sure. You go to the service and you link to the post that your ad is. Every ad you create is also a post on that page that you're going to create. Right, they're one and the same. Just because people who you're advertising to are gonna see that post, anyone who were to like that page, they would also see every one of your posts. They're not separate from each other. You're going to have them like that post and the people who are seeing your ad are gonna see the likes on that ad. So they're gonna see, they're gonna think the ad is a lot more traction than it actually does.

So when I talk to my Facebook executives and Facebook reps, so every year I meet with Facebook reps and all that and I ask them stuff like, cloaking, hey, is cloaking working? Is cloaking working? Same people say about cloaking, they're like, you know, we have a moderation team. They go through and they approve the ads and they check. And I do sort of poke around and ask them questions about that. But it's not something that they're gonna tell me the exact services they go through. I do know a few years back there was a leaked manual for what Facebook review teams do look like or look for when it comes to advertising. But I don't know how relevant that is and up to date that is in 2017.

The Facebook moderation team? Yeah, maybe. I mean, maybe someone's like, hey, I want the Facebook moderation team phished, right? Maybe that's it. Yeah, yeah, you could do what, I mean, there's nothing stopping you, right? I'm not, I don't know if Facebook moderation team has up-to-date antiviruses or anything like that or if they're doing it from their home network, I don't know what the setup is. Yeah, or if it's in the, yeah.
I don't know what their setup is, but yeah, technically you could. There's nothing stopping you from doing that. That's the fun part. Thank you.