Facebook clickjackers said to make over $1 million a month, agree to stop spam

Filed Under: Clickjacking, Facebook, Featured, Law & order, Social networks, Vulnerability

A firm at the centre of allegations that its affiliates flooded Facebook with spam and clickjacking attacks has agreed to clean up its act - after earning up to $1.2 million per month in gross monthly revenues.

Example of clickjacking spam on Facebook

According to the Washington State Attorney General's Office, Delaware-based Adscend Media LLC and its co-owners Jeremy Bash of Huntington, West Virginia and Fehzan Ali, of Austin, Texas, have agreed to properly monitor its CPA (cost-per-action) affiliate network, and clearly mark any distributed messages in future to make clear that they originate from an affiliate earning sales commission.

If you are a Facebook user chances are that you have seen clickjacking/likejacking survey scams in your friends' newsfeeds, but here's a quick summary of how they work and how affiliate schemes can earn money by directing people like you to their scams.

The first thing you see is an apparent message posted by one of your Facebook friends, typically promoting a link to some salacious content or the ability to find out how to find out who has been viewing your Facebook profile.

Facebook scam

Examples of such messages that we have seen in the past include "Lady Gaga found dead in hotel room", "Japanese Tsunami Launches Whale Into Building", naked photos of a female popstar and "101 Hottest Women in the World".

If you click on such a link you may be taken to a website like this, inviting you to "Like" the link with your own Facebook friends - thus sharing the web link virally.

Facebook scam

This "bait" webpage has been created by an affiliate.

Companies like Adscend have been paid by advertisers to drive traffic to their sites. Adscend in turn pays affiliates for the traffic that they generate when a specific action is taken by the visiting user on the website, such as participating in a survey or handing over their details in the hope of receiving a gift card.

So, pressing the "Like" button helps the affiliate, as it spreads their link further across the social network and potentially act as bait to encourage others to click on the link too.

But they and Adscend will only receive money if they manage to convince users to take some other action as demanded by the original advertiser. For this reason, the scammers hide the promised content behind a gate.

Facebook scam

In the example above, the gate pretends to be a Facebook age verification notice. Of course, the message is not connected with Facebook at all - and is only a cunning piece of social engineering to try to trick you into going further.

In this case, the "Jaa" button clickjacks the user into unwittingly sharing the link further with their Facebook friends.

At this point, yet another gate is typically displayed. This time it urges the user to take a survey or complete a form to view the content they were originally anticipating.

Facebook scam

In the meantime, Adscend is silently tracking which of its affiliates successfully lured the user into visiting the survey page.

Note that there was no mention of the survey when the user was initially presented with a link about a guy who took a photo of his face every day for eight years, or a seedy video about an ex-girlfriend.

According to the Washington State Attorney General's Office, Adscend - the company run by Bash and Ali - knew that their affiliates were using spam to distribute links to Facebook users, and in some cases had actually reviewed and approved the advertising campaigns of their affiliates before they were run!

Even though Adscend knew about the spamming, they continued to permit the activity because of the substantial amount of money they were making from the scheme.

An earlier document submitted to the court stated:

"The vast majority of the Defendants' revenue is obtained through Facebook advertising. At the inception of Defendants' business, approximately 80% of their income was derived from Facebook solicitations. Their income has included gross monthly revenues of up to $1.2 million. As an example of Defendants' ability to obtain advertising traffic, in Febuary 2011, their affiliates tricked 280,214 Facebook users into visiting their 'locked content' pages through spam solicitations."

In a settlement between the authorities and Adscend Media LLC, the company has agreed that messages sent by its affiliates should no longer appear to come from Facebook friends, mark its promotions clearly as adverts, and should put in place a monitoring program to detect suspicious behaviour, deleting offending webpages, send warnings to affiliates if they breach guidelines, and entirely erasing accounts if affiliates break the rules more than once a month.

In addition, Adscend is required to pay $100,000 in costs.

Some might view this settlement as Adscend getting away very lightly - certainly $100,000 costs is peanuts compared to the revenue that the advertising firm is alleged to have generated.

A CNet report, quotes Adscend boss Fehzan Ali as saying that the settlement calls for his company to do much of what it is already doing to prevent clickjacking, and that the attorney general's estimate of the company's sales were "insanely" inaccurate:

"Our total revenues are a fraction of that."

Last week, Facebook dropped a separate lawsuit against Adscend Media in the US District Court for the Northern District of California.

Facebook dismisses case against Adscend

If you use Facebook and want to get an early warning about the latest attacks, security issues and privacy threats you should join the Sophos Facebook page where we have a thriving community of over 180,000 people.

, , , , , , ,

You might like

7 Responses to Facebook clickjackers said to make over $1 million a month, agree to stop spam

  1. calavier62 · 812 days ago

    Adscend should be charged with the Computer Misuse act of 1996 and fraud at the LEAST. What's $100,000 going to do? Certainly not prevent them or somebody else from doing it again.

  2. Rob · 812 days ago

    A Class-Action lawsuit or similar would probably be needed to gain any measure of justice from these charlatans.

    It's shady, I think criminal, business to mislead & misrepresent to hundreds of thousands of people, make millions off of them being mislead & then receive a paltry slap-on-the-wrist. I only got taken in by the very first wave of this clickjacking practice but it persisted for months for friends & I'm sure has led to arguments that need not have happened.

    They need to be made an example of, this verdict practically gives a green light for others to repeat the practice, I'd not be surprised to see other outfits take on the same modus operandi.

  3. kurt wismer · 812 days ago

    the so-called "gates" pictured above seem to match (at least visually) what the company's ceo fehzan ali describes as "content locking" in this video http://www.youtube.com/watch?v=MKGucGzGgNo

  4. Zach · 811 days ago

    I appreciate what Sophos does, but this article is slanted. I'm very familiar with Adscend Media and other content locking programs, and I can tell you that Adscend not only didn't allow it but that Sophos of all people should know that they were not the problem that you're trying to paint them as now. This is easily proven by looking at past Sophos articles. Google "site:sophos.com adscend", and other than the news about the lawsuits, you'll find one article. Now google "site:sophos.com cpalead" and you'll find dozens and dozens of articles that show that company as being connected to Facebook scams. I could find many more that don't mention them but which contain a screenshot which proves that it is their content lock widget that's being used. (You link to past articles in your story, implying that they're related to Adscend, but there's no indication that they, and one of them I could say for sure isn't because of the screenshot).

    So why paint this the way that you have? You even use bold-face font to emphasize something that isn't proven to be true. I look at all of the facts and I see nothing but signs of Adscend's innocence. Have you looked into the history of the lawsuit at all? It's been pointed out elsewhere already that the Attorney General voluntarily dropped 2/3 of their case before this was settled. Why would they do that if it was a good case? Also, that the $100,000 is said to be for the AG's attorneys' fees. It's not even a fine. So if all they got was their own costs back to them, that says a lot about the strength of it all.

    People reading this should THINK before harping on a company based on stories like this. I hope that if the other companies that were doing Facebook spam aren't taken to court as well that this at least puts an end to it all. It's just sad to see a good company get dragged through the mud. And sad that it took so long for Facebook or anyone else to take these matters seriously. Sophos has been reporting on it for a long time.

  5. Yonge Man · 811 days ago

    At least someone is making money advertising on Facebook.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

About the author

Graham Cluley runs his own award-winning computer security blog, and is a veteran of the anti-virus industry having worked for a number of security companies since the early 1990s. Now an independent security analyst, he regularly makes media appearances and gives computer security presentations. Send Graham an email, subscribe to his updates on Facebook, follow him on Twitter and App.net, and circle him on Google Plus for regular updates.