Has Your Facebook Pixel Been Hijacked?
Recently, we noticed an increase in new domains sending data to one of our clients’ Facebook pixel. We also got an email from Facebook telling us there were ‘New Domains Sending Data’. When we looked one day, there were 12 more spammy domains that had hijacked our client’s pixel and were using it for their own questionable purposes.
When we click to see all 12, we see these (3 of them blacked out for privacy reasons).
After further investigation, we found that there were several different implementations of sites using our client’s pixel.
- Sites that replicated our client’s website. These also fell into 2 categories:
  - Some versions of the site used a full replication of the client site from several months ago. All links worked, all images worked and even the checkout worked (up until purchase at least, but there was no way we were going to try to make a purchase).
  - Some sites just replicated the home page and no other links on the page worked.
- A couple of sites were replicas of completely different sites. For instance, wasteindustriess.com is a copy of chichiclothing.com.
- Some sites showed a blank white page, but when we looked at the page source, we’d see this:
What’s interesting is the console.log. Code.org defines it as:
console.log() is used as a debugging tool to help you understand what your code is doing. By displaying a message containing either descriptive text that tells you what is happening or the value of particular variables, you can follow along as your code executes. The user of your app will not see the console.log() messages.
Then, I looked at the source code of some of the other spam sites and saw much more complex code:
Of course I can’t tell exactly what’s going on in this function, but I’m sure it’s not good.
However, we know for sure that these sites hijacked my client’s Facebook pixel for tracking and are trying to hijack traffic to our pixel to prime and build traffic on their pixel, so we know that this code is somehow doing that.
Unfortunately, there’s not much you can do besides continue blocking the domain in Facebook. Eventually, when whoever is doing this sees we’re on to them as we continue blocking them, we expect (hope) they’ll stop. We thought about reporting them to their registrar, but they’re overseas and can’t/won’t do anything.
Some are also being served through CloudFlare.com and we thought about reporting to them, but we’re not sure that would do anything either.
The other option is to bring in Legal to go after them for copyright infringement, but again, from what we can tell, they’re all overseas and Legal is probably a rabbit hole that’s not worth going down.
So, we block the domains from using our pixel in Facebook and ignore them and hope they eventually go away. They’re certainly not grabbing that much traffic, so not really worth more of our time right now.
So far we’ve blocked about 60 other domains as these hackers just keep trying.
Fortunately, it’s pretty easy to block in Facebook Events Manager.
How to Block These Domains
Go to Events Manager. Under Diagnostics, you may see the warning that there are “New Domains Sending Data”.
Click on Settings and scroll down to the Traffic Permissions section. Here’s where you can add the domains to your block list. There used to be an allow list, but that was removed. Click on the Edit button.
You’ll get a pop up window showing the option to search for domains and a list below of domains that are using your pixel. The list will show a green light for allowed and red light for blocked. In the case below, the domain is still allowed because it’s new. Click the link to “Add to block list” and this domain can’t use your pixel anymore.
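An added example, not from the original post: a small Python script for the daily check, which sorts the domains shown in that pop-up into your own, already blocked, and new ones to block. It assumes you copy the list by hand into `SEEN` and keep your own record of owned and blocked domains; every domain name in it is a constructed placeholder.

```python
# Added example: triage of domains seen sending data to a pixel.
# All names and domains are constructed placeholders, not real data.

OWNED = ["client-shop.example"]      # domains you control (assumption)
BLOCKED = ["old-spam.example"]       # your own record of blocked domains
SEEN = [                             # copied by hand from the pop-up
    "www.client-shop.example",
    "Client-Shop.example.",
    "https://checkout.client-shop.example/cart",
    "old-spam.example",
    "notclient-shop.example",            # shares a suffix, but not ours
    "client-shop.example.mirror.test",   # our name used as a prefix
    "new-spam.test",
]

def normalize(host):
    """Lower-case a hostname; drop scheme, path, port and trailing dot."""
    host = host.strip().lower()
    if "://" in host:
        host = host.split("://", 1)[1]
    return host.split("/", 1)[0].split(":", 1)[0].rstrip(".")

def is_owned(host, owned):
    """True if host is an owned domain or a subdomain of one.

    The match is on a label boundary, so a plain suffix match such as
    "notclient-shop.example" is not treated as ours.
    """
    return any(host == d or host.endswith("." + d) for d in owned)

def triage(seen, owned, blocked):
    """Sort seen domains into owned, already_blocked and to_block."""
    owned_n = {normalize(d) for d in owned}
    blocked_n = {normalize(d) for d in blocked}
    result = {"owned": [], "already_blocked": [], "to_block": []}
    for raw in seen:
        host = normalize(raw)
        if not host:
            continue
        if is_owned(host, owned_n):
            key = "owned"
        elif host in blocked_n:
            key = "already_blocked"
        else:
            key = "to_block"
        if host not in result[key]:
            result[key].append(host)
    return result

if __name__ == "__main__":
    print("\n".join(triage(SEEN, OWNED, BLOCKED)["to_block"]))
```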
How Does This Impact Your Website?
At first glance, you might think this isn’t really a big deal, but it can be. After iOS 14.5, we’re all striving for quality first party data so we can get the best results possible. That’s essentially what these spammy sites are also trying to do. They want your first party data to hit their pixel which then will theoretically give them a better audience.
But, it also means that their low quality audience that also hits your pixel will be detrimental to your pixel audiences and water them down.
Granted it probably has a greater positive effect for their pixel than the negative effect it has on yours, but you’ve worked hard for your first party data, and you should keep it clean and unadulterated.
So go ahead and block all those spammy domains. If you notice it happening, check every day to keep your data clean.
Give us a shout if you’ve got any Facebook or Google issues that need solving. We’d love to help you out!