I haven't been able to confirm with any certainty that Meta enforces domain ownership verification but I would love to see a confirmation that Meta does indeed do this or plans to do so in the future.
If Meta's advertising network does not enforce domain ownership verification, then it is fundamentally vulnerable to the same problem described on this blog post.
Sampled URL resolution cannot prove anything about a URL.
I'd rather Meta just clearly stated if they require domain ownership verification when spoofing links. Lack of this (or similarly effective) protection mechanism enables automated link fraud.
Reminder for adtech company employees in this thread: If you suspect a crime has taken place (e.g. if you have seen internal documentation showing that potential profit outweighed the security benefit of actually enforcing a policy), you can blow the whistle to regulators.
If Meta's advertising network does not enforce domain ownership verification, then it is fundamentally vulnerable to the same problem described on this blog post.
Sampled URL resolution cannot prove anything about a URL.