A firm at the centre of allegations that its affiliates flooded Facebook with spam and clickjacking attacks has agreed to clean up its act - after earning up to $1.2 million per month in gross monthly revenues.
According to the Washington State Attorney General's Office, Delaware-based Adscend Media LLC and its co-owners Jeremy Bash of Huntington, West Virginia and Fehzan Ali, of Austin, Texas, have agreed to properly monitor its CPA (cost-per-action) affiliate network, and clearly mark any distributed messages in future to make clear that they originate from an affiliate earning sales commission.
If you are a Facebook user chances are that you have seen clickjacking/likejacking survey scams in your friends' newsfeeds, but here's a quick summary of how they work and how affiliate schemes can earn money by directing people like you to their scams.
The first thing you see is an apparent message posted by one of your Facebook friends, typically promoting a link to some salacious content or the ability to find out how to find out who has been viewing your Facebook profile.
Examples of such messages that we have seen in the past include "Lady Gaga found dead in hotel room", "Japanese Tsunami Launches Whale Into Building", naked photos of a female popstar and "101 Hottest Women in the World".
If you click on such a link you may be taken to a website like this, inviting you to "Like" the link with your own Facebook friends - thus sharing the web link virally.
This "bait" webpage has been created by an affiliate.
Companies like Adscend have been paid by advertisers to drive traffic to their sites. Adscend in turn pays affiliates for the traffic that they generate when a specific action is taken by the visiting user on the website, such as participating in a survey or handing over their details in the hope of receiving a gift card.
So, pressing the "Like" button helps the affiliate, as it spreads their link further across the social network and potentially act as bait to encourage others to click on the link too.
But they and Adscend will only receive money if they manage to convince users to take some other action as demanded by the original advertiser. For this reason, the scammers hide the promised content behind a gate.
In the example above, the gate pretends to be a Facebook age verification notice. Of course, the message is not connected with Facebook at all - and is only a cunning piece of social engineering to try to trick you into going further.
In this case, the "Jaa" button clickjacks the user into unwittingly sharing the link further with their Facebook friends.
At this point, yet another gate is typically displayed. This time it urges the user to take a survey or complete a form to view the content they were originally anticipating.
In the meantime, Adscend is silently tracking which of its affiliates successfully lured the user into visiting the survey page.
Note that there was no mention of the survey when the user was initially presented with a link about a guy who took a photo of his face every day for eight years, or a seedy video about an ex-girlfriend.
According to the Washington State Attorney General's Office, Adscend - the company run by Bash and Ali - knew that their affiliates were using spam to distribute links to Facebook users, and in some cases had actually reviewed and approved the advertising campaigns of their affiliates before they were run!
Even though Adscend knew about the spamming, they continued to permit the activity because of the substantial amount of money they were making from the scheme.
An earlier document submitted to the court stated:
"The vast majority of the Defendants' revenue is obtained through Facebook advertising. At the inception of Defendants' business, approximately 80% of their income was derived from Facebook solicitations. Their income has included gross monthly revenues of up to $1.2 million. As an example of Defendants' ability to obtain advertising traffic, in Febuary 2011, their affiliates tricked 280,214 Facebook users into visiting their 'locked content' pages through spam solicitations."
In a settlement between the authorities and Adscend Media LLC, the company has agreed that messages sent by its affiliates should no longer appear to come from Facebook friends, mark its promotions clearly as adverts, and should put in place a monitoring program to detect suspicious behaviour, deleting offending webpages, send warnings to affiliates if they breach guidelines, and entirely erasing accounts if affiliates break the rules more than once a month.
In addition, Adscend is required to pay $100,000 in costs.
Some might view this settlement as Adscend getting away very lightly - certainly $100,000 costs is peanuts compared to the revenue that the advertising firm is alleged to have generated.
A CNet report, quotes Adscend boss Fehzan Ali as saying that the settlement calls for his company to do much of what it is already doing to prevent clickjacking, and that the attorney general's estimate of the company's sales were "insanely" inaccurate:
"Our total revenues are a fraction of that."
Last week, Facebook dropped a separate lawsuit against Adscend Media in the US District Court for the Northern District of California.
If you use Facebook and want to get an early warning about the latest attacks, security issues and privacy threats you should join the Sophos Facebook page where we have a thriving community of over 180,000 people.Follow @NakedSecurity