
Facebook click-jackers allegedly made $1.2 million per month

As Facebook grows ever bigger, its popularity among persons seeking financial gains through digital deception increases commensurately. Witness the lawsuit filed this week by Washington State Attorney General Rob McKenna against the co-owners of Adscend Media, LLC. The complaint alleges that the ad network operated by Adscend Media was intended to “encourage others to spread spam through misleading and deceptive tactics.”

Foremost among these tactics was “like-jacking,” which is a variation on “click-jacking,” or tricking people into clicking links that do something other than what the clicker expects. Because legitimate companies often pay ad agencies “per click” for the display of digital ads or delivery of website traffic, a click-jacking scam rips off the advertiser and may also deceive the ad agency that bought traffic or clicks on behalf of the advertiser, not to mention deceiving the consumer who does the clicking. This fraudulent triple-play can be very profitable. If you recall the DNSchanger scam to which the FBI put an end last November, the estimated profits were $14 million in just a few years. The click-jacking revenue figure quoted in the Adscend complaint is “gross monthly revenues of up to $1.2 million.”

For details of this scam, check out the news release from the Washington State Office of the Attorney General. Because “likes” on Facebook have considerable perceived value to advertisers, a variety of fraudulent techniques were used to generate clicks on the “Like” button, including bogus “Click here to continue” links. Facebook users tempted by such salacious News Feed posts as “OMG! See what happened to his Ex Girlfriend” were fed a series of intermediary pages that harvested clicks and Likes while never presenting the promised content. At the same time, their friends were being fed links to the same bogus pages to spread and perpetuate the scam. There is an excellent description of the entire business model in the fascinating Adscend complaint filed in U.S. District Court, Seattle (pdf file).

As cyber crimes go, there are several notable features to this particular case (besides the fact that it features the first legal complaint I've seen that includes screen shots). First of all, Facebook's close cooperation with the AG in developing the complaint shows how serious Facebook is getting about prosecuting those who would abuse its functionality. (Facebook has also sued the defendants separately.) Second, the case sheds much-needed light on the flaky world of salacious teaser content and bogus survey forms that prey on the gullible. Third, this could be the case that validates the CAN-SPAM Act, passed in 2003 to combat email spam, as the basis for successful prosecutions of social network abuses that do not involve email at all. The complaint argues that Facebook Wall posts, News Feeds, and Page suggestions are “commercial email messages” as defined by CAN-SPAM (15 U.S.C. § 7702(2)(A)).

One implication of a successful application of CAN-SPAM in this case could be a fine of such magnitude that it gets the attention of even hardened cyber-criminals. The complaint asserts that in February 2011 alone, the defendants' affiliates tricked 280,214 Facebook users into visiting their pages through solicitation. Each user represents at least one “spam” message. At the maximum fine of $16,000 per message under CAN-SPAM, that works out to well over $4.4 billion!
