
What’s Behind the Washington-Facebook “Clickjacking” Case?

If you use Facebook, the world’s top social networking site, you may have “liked” an Internet scheme without even knowing it – and unwittingly helped spread the scam to your Facebook friends.  

Washington State Attorney General Rob McKenna and Facebook have announced the latest step in an ongoing fight against spammers and scammers: a lawsuit against the co-owners of Adscend Media, LLC, an ad network that is alleged to develop and encourage others to spread spam through misleading and deceptive tactics, including the one known as “clickjacking.”

“We don’t ‘like’ schemes that illegally trick Facebook users into giving up personal information or paying for unwanted subscription services through spam,” McKenna said during a news conference at Facebook’s Seattle Office. “We applaud Facebook for devoting significant technical and legal resources to finding and stopping scams as soon as possible – and often before they even start. We’re proud to join forces in order to protect Washington consumers.”

Facebook, which filed its own lawsuit against Adscend and its owners today, welcomed the Attorney General’s action. “Security is an arms race, and that’s why Facebook is committed to constantly improving our consumer safeguards while pursuing and supporting civil and criminal consequences for bad actors,” Facebook General Counsel Ted Ullyot said.

Attorney General McKenna and Ullyot emphasized that bold partnerships like the one announced today send a strong message that spammers and scammers are not welcome on Facebook and there are serious consequences for attempting to harm and deceive the social media giant’s users.

Here’s how scams, such as the ones described in the lawsuits, work:

Scammers design Facebook Pages to look like they will offer visitors an opportunity to view salacious or provocative content. They condition viewing this content on completing a series of steps that are designed to lure Facebook users into eventually visiting websites that often deceive them into surrendering their personal information or signing up for expensive mobile subscription services.  

First, Facebook users are encouraged to click the “Like” button on the scammers’ Facebook Pages, which then alerts their friends to the existence of the page. Then they are told that they cannot access the content unless they complete an online survey or advertising offer. In one example noted in the complaint, the scammers overlay the Facebook “Like” button with a link that promises to reveal the results of: “This man took a picture of his face every day for 8 years!!” Of course, the promised content often does not exist. The tricked user is then directed through a series of prompts that take them off Facebook and through a host of unrelated advertising and subscription service offers, and the scammers receive money for each misdirected user.

In some cases, Facebook users don’t even need to click the “Like” button to spread the spam on their Facebook pages. In the process called “clickjacking,” hidden code in enticing-looking links activates Facebook’s “Like” function and puts it on the users’ friends’ news feeds.

“The natural reaction is to wonder why anyone would click on these links,” said Assistant Attorney General Paula Selis, who heads the office’s Consumer Protection High-Tech Unit. “But, unfortunately they do, and at one point Adscend spam lined the defendants’ pockets with up to $1.2 million a month.”

Facebook’s chief litigator says the company is a leader in protecting its users from scammers and spammers and regularly enforces its rights against them. “Facebook’s security professionals have made tremendous strides against this particular form of attack and we are intent on eradicating it completely,” said Craig Clark, Lead Litigation Counsel at Facebook. “We will continue to use all tools at our disposal to ensure that scammers do not profit from misusing Facebook’s services.”

The Attorney General’s lawsuit was filed in U.S. District Court in Seattle against Delaware-based Adscend and co-owners Jeremy Bash of Huntington, West Virginia, and Fehzan Ali of Austin, Texas. It alleges violations of:

  • The CAN-SPAM Act, which makes it unlawful to procure or initiate the transmission of misleading commercial electronic communications;
  • Washington State’s Commercial Electronic Mail Act, which prohibits misrepresenting or obscuring any information in identifying the point of origin or the transmission path of a commercial electronic message;
  • Washington State’s Consumer Protection Act, which prohibits unfair and deceptive business practices.

The Attorney General’s Office asks the court to enjoin the defendants from future violations, award damages and impose civil penalties, costs and fees.

Facebook’s similar, separate lawsuit against Adscend and its owners was filed in federal court in the Northern District of California.

Facebook urges its users to always remain vigilant, trust their instincts and immediately report scams and spam.  People can educate themselves and receive updates on how to protect their information on Facebook by visiting and liking Facebook’s Security Page at http://www.facebook.com/security.  For detailed information on clickjacking and how to avoid it, both the Attorney General’s Office and Facebook recommend “Keeping You Safe from Scams and Spam”: http://on.fb.me/fbsafetytools.  [24×7]