Facebook and Washington state filed federal lawsuits on Thursday against Adscend Media for “clickjacking,” a form of spamming that fools users into visiting advertising sites and divulging personal information.
“Likejacking” is similar; victims are tricked into using Facebook’s Like button to spread spam. Users believe links to spam sites are being sent to them by friends.
Facebook and Attorney General Rob McKenna filed similar but separate lawsuits against Adscend, alleging the advertising company has profited by collecting money from clients for every Facebook user misdirected to an advertisement or subscription offer.
Both lawsuits were filed in the Northern District of California, and both claim Adscend has violated the CAN-SPAM Act, which prohibits the sending of misleading electronic communications.
Facebook has been working to bring illegal spammers to justice for years, often with success. The company has a record of working with law enforcement to nab those who manipulate Facebook for gain.
“This is a continuation of our pursuit of and support for civil and criminal consequences for spammers or others who attempt to harm Facebook or the people who use our service,” Facebook spokesperson Andrew Noyes told the E-Commerce Times.
A prominent example is the indictment in California of self-proclaimed “spam king” Sanford Wallace in August, Noyes said. “Two years ago, Facebook sued him, and a U.S. court ordered him to pay a (US)$711 million judgment. Now he faces serious jail time for this illegal conduct.”
Facebook also secured a $360.5 million judgment against spammer Philip Porembski, said Noyes, which “followed an $873 million spam judgment in 2008 against Adam Guerbuez and Atlantis Blue Capital for sending sleazy messages to our users.”
The Guerbuez judgment was the largest award ever under the CAN-SPAM Act, he noted.
“We’re hopeful that this kind of pressure will deter large-scale spammers and scammers,” said Noyes.
How Clickjacking Works
Clickjacking is a programming technique that employs a seemingly innocent button to trick users into visiting sites unintentionally. Likejacking is a similar technique that utilizes Facebook’s Like button. The technique is also referred to as “UI redressing.”
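UI redressing depends on the target page being displayed inside a frame on someone else's site, so the site-side defense is to tell browsers who may frame it. The JavaScript below is an added example, not part of the original article or of any code from the parties it names: it classifies a response's anti-framing headers, and the function names, level labels and header objects passed to it are assumptions made for illustration.

```javascript
// Added example: rate how well a response's headers restrict framing.
// Levels (labels assumed here): none < weak < allowlist < same-origin < deny.
const RANK = { none: 0, weak: 1, allowlist: 2, 'same-origin': 3, deny: 4 };

// Classify the source list of one CSP frame-ancestors directive.
function classifyAncestors(sources) {
  if (sources.length === 0 || sources.every(s => s === "'none'")) return 'deny';
  // "*" or a bare scheme such as "https:" lets almost any site frame the page.
  if (sources.some(s => s === '*' || /^[a-z][a-z0-9+.-]*:$/.test(s))) return 'weak';
  return sources.every(s => s === "'self'") ? 'same-origin' : 'allowlist';
}

// headers: plain object; a value may be a string or an array of strings.
function framingPolicy(headers) {
  // All values of one header, case-insensitive name, comma-split and lowercased.
  const get = name => Object.entries(headers)
    .filter(([k]) => k.toLowerCase() === name)
    .flatMap(([, v]) => [].concat(v))
    .flatMap(v => v.split(','))
    .map(v => v.trim().toLowerCase())
    .filter(Boolean);

  // Enforced CSP only: Content-Security-Policy-Report-Only blocks nothing.
  const verdicts = [];
  for (const policy of get('content-security-policy')) {
    // Within one policy the first frame-ancestors directive is the one used.
    const directive = policy.split(';').map(d => d.trim().split(/\s+/))
      .find(d => d[0] === 'frame-ancestors');
    if (directive) verdicts.push(classifyAncestors(directive.slice(1)));
  }
  if (verdicts.length) {
    // Every policy must permit the embed, so the strictest decides.
    // Browsers ignore X-Frame-Options once frame-ancestors is present.
    const level = verdicts.reduce((a, b) => (RANK[a] >= RANK[b] ? a : b));
    return { source: 'csp', level };
  }

  const xfo = [...new Set(get('x-frame-options'))];
  const known = xfo.filter(v => ['deny', 'sameorigin', 'allowall'].includes(v));
  // Conflicting values: the HTML Standard has browsers refuse to frame the page.
  if (xfo.length > 1 && known.length) return { source: 'xfo', level: 'deny' };
  if (xfo.length === 1 && xfo[0] === 'deny') return { source: 'xfo', level: 'deny' };
  if (xfo.length === 1 && xfo[0] === 'sameorigin') return { source: 'xfo', level: 'same-origin' };
  // Missing, unknown, or obsolete ALLOW-FROM: no protection in current browsers.
  return { source: 'none', level: 'none' };
}
```

A result of `none` or `weak` on a page that carries state-changing controls, such as a Like-style button, is the finding to act on.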
Clickjacking is “quite well understood,” Roger Kay, founder and principal of Endpoint Technologies, told the E-Commerce Times. “It is used by both legit and illegit programs.”
Both clickjacking and likejacking are designed to trick users.
“When someone browsing clicks on a site, the site can execute arbitrary code in the browser,” said Kay. “It can set a cookie, say, for Amazon, or do more nefarious things, like inject malware designed to call other malware later.”
Clickjacking has been prevalent for years, and likejacking has become similarly entrenched. Many users of Facebook have likely experienced it in the form of a product-related message that seemed to be from a friend.
“The use of the technique is widespread,” said Kay. “Consumers need to use better judgment about which links they click on.”
Links can be forwarded as if from friends, and some come-ons are pitched just right to get around the user’s suspicions, he noted.
“If you’re the target of a spear phish, then the attack is tailored to you,” said Kay. “So, avoiding bad sites becomes a kind of ninja art everyone must learn.”