January 27, 2012

Facebook Takes “Clickjacking” Spammers To Court

Facebook and the U.S. state of Washington (WA) are suing Adscend Media, accusing them of a practice called “clickjacking,” which fools users of the No. 1 social network service into visiting advertising sites, revealing personal information and spreading the scam to others.

The lawsuit alleges that Adscend Media has profited more than $1 million per month by using bogus pages on Facebook to whisk people away to other sites. The lawsuit charges that the Delaware-based online ad firm collected money from its ad clients for every Facebook user who was unknowingly misdirected to a target ad or subscription service.

The scheme is also known as “likejacking” because victims are tricked into using the “like” button to perpetuate it.

Paula Selis, a senior counsel member for the Washington attorney general, said this is the first time any state government has gone to court to fight spam spread through the popular social network.

The WA attorney general’s office and Facebook have also filed two separate claims in federal court accusing Adscend of violating federal and state statutes outlawing misleading or deceptive commercial electronic communications and unfair business practices.

Selis said schemes such as clickjacking have grown rapidly and steadily more persuasive, and that millions of Facebook users have probably been exposed to Adscend’s spam scams.

“Security is an arms race,” Ted Ullyot, Facebook’s general counsel, told Reuters during a news conference at the California-based company’s Seattle office to announce the lawsuits. “It’s important to stay a step ahead against spammers and scammers.”

Attorney General Rob McKenna said the state was getting involved because “we’ve brought other cases like this and, more than any other state, we’ve developed technological and legal expertise” in the field of cyber fraud.

So how does the scam work?

Fraudulent Facebook pages designed as “bait” are distributed to social network users as posts that seemingly originate from friends, offering visitors an opportunity to view appealing content. However, viewing this content depends on the user completing a series of steps that will supposedly unlock it, but in reality are designed only to lure Facebook users to different sites, where they are tricked into giving up personal info or signing up for expensive subscription services.

First, the victims are encouraged to click the “Like” button on the “bait” page, which alerts their friends to the page’s existence, so that possibly more users get hooked into trying it out. Then they are told they cannot reach the content without first filling out a form for an online survey or offer.

In most cases, the promised content doesn’t even exist, and the user is instead directed through an endless string of prompts taking them from one page to another full of ads and subscription offers. When they are done, they are so far away from their Facebook page, they would need to book a flight to get back to it.

In some cases, hidden code is embedded in an enticing link on the “bait” page that activates the “Like” button without the user even moving over it.

It may seem unlikely that anyone would click on such links, “but unfortunately they do,” said Selis. While the actual number of Facebook users scammed by clickjacking is unknown, she said investigators have determined that some 280,000 users visited the locked pages of Adscend during February 2011 alone. “So we know there are probably millions of Facebook users” exposed, she added.

Andrew Noyes, spokesman for Facebook, said the Adscend lawsuit is the latest in “our pursuit and support for civil and criminal consequences for spammers or others who attempt to harm Facebook or the people who use our service.” Facebook has obtained three federal court judgments against spammers since 2008, each worth several hundred million dollars, he noted.

