In a lawsuit filed yesterday, Facebook is accusing a Hong Kong-based company of infecting individuals with malware in order to hijack their Facebook ad accounts and run malicious advertisements at their expense.

The Menlo Park, Calif.-based social media company filed the suit in a San Francisco federal court against ILikeAd Media International Company Ltd., a company that, according to the complaint, offers advertising and affiliate marketing services to businesses interested in reaching an audience of Facebook users. Facebook also sued two individuals: Wuhan, China-based software developer Chen Xiao Cong and Huang Tao, a marketing director at Guangzhou HongYi Technology Company Ltd., an affiliate company of ILikeAd.

Facebook, which seeks injunctive relief, financial restitution and damages, claims the defendants used various websites to promote browser software that contained a malicious plug-in or browser extension. This malware is capable of finding and taking over users’ Facebook ad accounts, allegedly allowing ILikeAd to use the compromised accounts to purchase advertisements for counterfeit goods and for male enhancement and diet pills. The lawsuit further alleges that Cong programmed malware to disable Facebook users’ account security notifications so the compromise would go unnoticed.

Facebook also accuses the defendants of employing a technique called cloaking, which attempts to fool Facebook’s automated ad-approval systems by showing them a different landing page than the one to which Facebook users will actually be sent.

“Cloaking schemes are often sophisticated and well organized, making the individuals and organizations behind them difficult to identify and hold accountable,” states a Facebook company blog post, written by Jessica Romero, Facebook’s director of platform enforcement and litigation, and Rob Leathern, director of product management, business integrity. “As a result, there have not been many legal actions of this kind.” Facebook also accuses the defendants of using celeb bait – provocative images of famous people – to lure people into clicking their deceptive advertisements.

Facebook says the scheme began no later than 2016 and has continued through at least August 2019. “Since April 2019, Facebook has notified hundreds of thousands of users that their Facebook accounts may have been compromised, and it has required those users to verify their identity and change their Facebook account passwords,” the complaint states. The company says it has reimbursed $4 million to victims of this alleged scam.

The lawsuit asserts that the defendants’ actions are in violation of the California Comprehensive Computer Data Access and Fraud Act and the Federal Computer Fraud and Abuse Act.