Facebook spammers made $1.2 million a month, fined $100,000

Delaware-based online marketing company Adscend Media has agreed to stop spamming Facebook users. The firm has settled with the Washington State Office of the Attorney General and agreed to pay $100,000 in attorneys' costs and fees, but did not admit liability. Furthermore, the settlement doesn't put Adscend out of business. It merely requires that the company and its affiliates no longer use messages containing false or misleading headers, nor messages that hide the true identity of the sender.

Violation of the 10-page consent decree filed in the U.S. District Court in Seattle (embedded above) will result in the Attorney General's Office seeking additional remedies, including restitution, fees and costs, civil penalties, and injunctive relief. I'm hoping that happens, given that Adscend made "up to $1.2 million a month" from Facebook spam. $100,000 is a slap on the wrist.

The Attorney General's Office settlement requires Adscend to include "clear and conspicuous identification the messages are advertisements or solicitations" as well as agree to maintaining a monitoring program, including random, daily analyses of what their affiliates are up to, ensuring that the company's clients and partners do not violate the terms of the settlement. If affiliates are found to be tricking Facebook users, Adscend must delete the ads and send a warning to the affiliate.

In January 2012, Facebook and Washington State Attorney General Rob McKenna filed lawsuits against Adscend Media, accusing the ad network for developing and encouraging others to spread spam through misleading and deceptive tactics.

The Attorney General's lawsuit alleged three violations:

• The CAN-SPAM Act, which makes it unlawful to procure or initiate the transmission of misleading commercial electronic communications.
• Washington state's Commercial Electronic Mail Act, which prohibits misrepresenting or obscuring any information in identifying the point of origin or the transmission path of a commercial electronic message
• Washington State's Consumer Protection Act, which prohibits unfair and deceptive business practices.

Facebook's lawsuit was supposed to be similar, but the social networking giant did not disclose details. Menlo Park settled its case against Adscend last week, but details have yet to surface (court documents don't show anything; I've asked Facebook for details).

One of Adscend's tactics was likejacking (a play on the term clickjacking, which means prompting a victim to click something while a different action is taken behind the scenes). Likejacking takes advantage of a browser vulnerability that permits malicious actors to make the Like button invisible. Once this is done, scammers can overlay pictures, videos, or other content, to trick the user to click on the invisible Like button. If just clickjacking is employed, code in hidden enticing-looking links that activates Facebook's Like function and puts it on the users' friends' News Feeds. Either way, the user's Facebook friends are alerted of the existence of the Page, helping spread the scam.

Likejacking or not, scammers typically design Facebook Pages to look like they will offer visitors an opportunity to view salacious or provocative content. They condition viewing this content on completing a series of steps that are designed to lure Facebook users into eventually visiting websites that often deceive them into surrendering their personal information or signing up for expensive mobile subscription services.

The user is often told that they cannot access the content unless they complete an online survey or advertising offer. The tricked user is then directed through a series of prompts taking them off of Facebook and through a host of unrelated advertising and subscription service offers, where the scammers receive money for each misdirected user.

Being able to view the content requires following a series of steps designed to lure Facebook users into eventually visiting commercial websites as well as to spam Facebook friends with the scam, helping it to spread further. In most cases, the content is never revealed.

"Today's settlement puts a stop to Adscend's 'likejacking' and other misleading tactics that led Facebook users to fork over personal information or buy subscription services from sites that appeared to be recommended by friends," Washington State Attorney General Rob McKenna said in a statement.

"Under this agreement, Adscend-initiated messages should no longer appear to come from Facebook friends, when they actually originate from an affiliate trying to generate a sales commission from a commercial advertiser," Assistant Attorney General Paula Selis said in a statement.

I have contacted Facebook for more information and will update you if I hear back.

See also:

• Facebook virus or account hacked? Here's how to fix it.
• Facebook releases official Guide to Facebook Security
• Experts: Facebook crime is on the rise
• Sex sells: Men fall for Facebook scams more than women
• Researchers invade Facebook with socialbots, grab 250GB of data
• Facebook Immune System checks 25 billion actions every day