Facebook takes on 'clickjacking' spammers in court

SEATTLE Thu Jan 26, 2012 10:06pm EST

The Facebook logo is displayed on a computer screen in Brussels April 21, 2010.

The Facebook logo is displayed on a computer screen in Brussels April 21, 2010.

SEATTLE (Reuters) - Facebook and the state of Washington sued a company on Thursday they accused of a practice called "clickjacking" that fools users of the world's top social network into visiting advertising sites, divulging personal information and spreading the scam to friends.

The scheme, also known as "likejacking" because victims are tricked into using Facebook's "Like" button to perpetuate it, has grossed $1.2 million a month for the Delaware-based firm, Adscend Media, according to the state attorney general's office.

Adscend profits from the scam by collecting money from its advertising clients for every Facebook user unwittingly misdirected to a target ad or subscription service, the plaintiffs said.

Two separate but similar claims filed in federal court by the state and Facebook accuse Adscend of violating federal and state statutes outlawing misleading or deceptive commercial electronic communications and unfair business practices.

The legal action is believed to mark the first time any state government has gone to court in a crackdown against spam spread by Facebook, the world's most widely used social media network, said Paula Selis, senior counsel for the attorney general.

She said schemes such as clickjacking have grown steadily more pervasive, and that millions of Facebook users have probably been exposed to Adscend's spam.

"Security is an arms race," Ted Ullyot, Facebook's general counsel, told a news conference at the California-based company's Seattle office to announce the lawsuits. "It's important to stay a step ahead against spammers and scammers."

Attorney General Rob McKenna, a Republican running for governor, said Washington state was taking action because "we've brought other cases like this and, more than any other state, we've developed technological and legal expertise" in the field of cyber fraud.

Representatives of Adscend or two co-owners also named as defendants could not immediately be reached for comment.


As described in the lawsuits, the scam works as follows:

Facebook pages designed as "bait" are disseminated to social network users as posts that seemingly originate from friends, offering visitors an opportunity to view salacious or provocative content.

However, that viewing is contingent on completing a series of steps that will supposedly unlock the content but are actually designed to lure Facebook users onto other sites, where they are tricked into giving away personal information or signing up for expensive mobile subscription services.

First the victims are encouraged to click the "Like" button on the Facebook "bait" page, which then alerts their friends to the page's existence, thus helping propagate it. Then they are told they cannot reach the content without filling out a form for an online survey or advertising offer.

In one example cited, the "Like" button is overlayed with a link labeled: "This man took a picture of his face every day for 8 years!" The promised content often does not exist, and the user instead is directed through a series of prompts taking them off Facebook and to a string of ads and subscription offers.

In some cases, a hidden code embedded in an enticing link on the "bait" page activates the "Like" button without the user even clicking it, sending it to friends' news feeds.

Selis said it may seem unlikely that anyone would click on such links, "but unfortunately they do."

While the number of Facebook users actually scammed by clickjacking is not known, Selis said investigators have determined that some 280,000 users visited the locked content pages of Adscend during February 2011 alone.

"So we know there are probably millions of Facebook users" exposed to the deception, she said.

Facebook spokesman Andrew Noyes said the Adscend action was the latest in "our pursuit and support for civil and criminal consequences for spammers or others who attempt to harm Facebook or the people who use our service."

He cited three federal court judgments worth several hundred million dollars each obtained by Facebook against spammers since 2008.

(Additional reporting and writing by Steve Gorman; Editing by Cynthia Johnston)

We welcome comments that advance the story through relevant opinion, anecdotes, links and data. If you see a comment that you believe is irrelevant or inappropriate, you can flag it to our editors by using the report abuse links. Views expressed in the comments do not represent those of Reuters. For more information on our comment policy, see http://blogs.reuters.com/fulldisclosure/2010/09/27/toward-a-more-thoughtful-conversation-on-stories/
Comments (4)
Xiggie wrote:
About time they did something about that. I hope those guys go to prison.

Jan 26, 2012 11:27pm EST  --  Report as abuse
Ranwulf wrote:
Yeah, these guys are crooks, but at this late date in the existence of the internet, people should know better than to click on anything that pops up. They may as well send money to that exiled Nigerian/Ugandan/Kenyan diplomat while there at it.

Jan 27, 2012 1:36am EST  --  Report as abuse
JamVee wrote:
But this people rarely, if ever, get any jail time. The profits are so big, that the perps are more than glad to pay the fines and then start some other such nefarious business in a different location.

Jan 27, 2012 7:26am EST  --  Report as abuse
This discussion is now closed. We welcome comments on our articles for a limited period after their publication.