Facebook and Washington State Attorney General Rob McKenna today announced the latest step in an ongoing fight against spammers and scammers: dual lawsuits against the co-owners of Adscend Media, an ad network that allegedly develops and encourages others to spread spam through misleading and deceptive tactics. One of these tactics is called likejacking (a play on the term clickjacking, which means prompting a victim to click something while a different action is taken behind the scenes).
I've covered tons of such Facebook scams (1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, and 13). Here's how a typical likejacking scam works. First, scammers design Facebook Pages to look like they will offer visitors an opportunity to view salacious or provocative content. They condition viewing this content on completing a series of steps that are designed to lure Facebook users into eventually visiting websites that often deceive them into surrendering their personal information or signing up for expensive mobile subscription services.
More specifically, Likejacking takes advantage of a browser vulnerability that permits malicious actors to make the Like button invisible. Once this is done, scammers can overlay pictures, videos or other content, to trick the user to click on the invisible Like button. If just clickjacking is employed, a hidden code in hidden enticing-looking links that activates Facebook's Like function and puts it on the users' friends' News Feeds. Either way, the user's friends are alerted of the existence of the Page, helping spread the scam.
The user is often then told that they cannot access the content unless they complete an online survey or advertising offer. The tricked user is then directed through a series of prompts taking them off of Facebook and through a host of unrelated advertising and subscription service offers, where the scammers receive money for each misdirected user.
The Attorney General's lawsuit was filed in U.S. District Court in Seattle against Delaware-based Adscend and co-owners Jeremy Bash of Huntington, West Virginia and Fehzan Ali, of Austin, Texas. It alleges of three violations:
The CAN-SPAM Act, which makes it unlawful to procure or initiate the transmission of misleading commercial electronic communications.
Washington state's Commercial Electronic Mail Act, which prohibits misrepresenting or obscuring any information in identifying the point of origin or the transmission path of a commercial electronic message
Washington State's Consumer Protection Act, which prohibits unfair and deceptive business practices.
The Attorney General's Office is asking the court to enjoin the defendants from future violations, award damages, and impose civil penalties, costs, and fees. Facebook's similar, separate lawsuit against Adscend and its owners was filed in federal court in the Northern District of California. The company didn't, however, detail how its lawsuit differs.
"We don't 'like' schemes that illegally trick Facebook users into giving up personal information or paying for unwanted subscription services through spam," McKenna said in a statement. "We applaud Facebook for devoting significant technical and legal resources to finding and stopping scams as soon as possible – and often before they even start. We're proud to join forces in order to protect Washington consumers."
"Security is an arms race, and that's why Facebook is committed to constantly improving our consumer safeguards while pursuing and supporting civil and criminal consequences for bad actors," Facebook General Counsel Ted Ullyot said in a statement. McKenna and Ullyot emphasized that this partnership is meant to send a strong message that spammers and scammers are not welcome on Facebook and there are serious consequences for attempting to harm and deceive Facebook users.
"The natural reaction is to wonder why anyone would click on these links," Assistant Attorney General Paula Selis, who heads the office's Consumer Protection High-Tech Unit, said in a statement. "But, unfortunately they do, and at one point Adscend spam lined the defendants' pockets with up to $1.2 million a month."
"Facebook's security professionals have made tremendous strides against this particular form of attack and we are intent on eradicating it completely," Craig Clark, Lead Litigation Counsel at Facebook, said in a statement. "We will continue to use all tools at our disposal to ensure that scammers do not profit from misusing Facebook's services."