Facebook Attacks Clickjackers

January 30, 2012

Today The Official Merchant Services Blog takes a look at one of the latest and most twisted developments in online marketing: Clickjacking. This topic comes up because of a new lawsuit that is making the news. Facebook has filed a lawsuit against the company Adscend Media. The suit claims Adscend developed targeted spam campaigns and encouraged others to spread spam using a variety of tactics — including clickjacking.

According to Wikipedia, Clickjacking — also called User Interface redress attack, UI redress attack, or UI redressing — is a malicious technique of tricking Web users into revealing confidential information or taking control of their computer while clicking on seemingly innocuous web pages. A vulnerability across a variety of browsers and platforms, a clickjack takes the form of embedded code or a script that can execute without the user’s knowledge, such as clicking on a button that appears to perform another function.

Joining Facebook in filing against Adscend Media was the Washington State Attorney General Rob McKenna. A statement released by McKenna says: “We don’t ‘like’ schemes that illegally trick Facebook users into giving up personal information or paying for unwanted subscription services through spam. We applaud Facebook for devoting significant technical and legal resources to finding and stopping scams as soon as possible – and often before they even start. We’re proud to join forces in order to protect Washington consumers.”

In addition to Adscend, Jeremy Bash and Fehzan Ali, co-owners of the company, are named in the suit.

Jacking for Likes

Here’s how clickjacking scams, such as the ones described in this lawsuit, work:


Scammers design Facebook Pages to look like they will offer visitors an opportunity to view provocative content. They then require the user to complete a series of steps before they can view the content. These steps are designed to lure Facebook users into visiting websites that deceive them and get them to reveal their personal information. In the scams this lawsuit focuses on, Facebook users are encouraged to click the “Like” button on the scammers’ Facebook Pages. These like-clicks then alert the user’s friends to the existence of the scammers’ page. Users are then told that they cannot access the content unless they complete an online survey or advertising offer.

In one example noted in the complaint, the scammers overlay the Facebook “Like” button with a link that promises to reveal the results of: “This man took a picture of his face every day for 8 years!!” Of course, the promised content often does not exist and the tricked user is then directed through a series of prompts taking them off of Facebook and through a host of unrelated advertising and subscription service offers, where the scammers receive money for each misdirected user.

In another example, a Facebook user would see a link to a video on a friend’s wall. If the user clicked on the link, a pop up would appear asking the user to verify their age. Clicking on the verification box, the user would unknowingly share the video on their own Facebook wall.

In some cases, Facebook users don’t even need to click the “like” button to spread the spam on their Facebook pages. In the process called “clickjacking,” hidden code in enticing-looking links activates Facebook’s “like” function and puts it on the users’ friends’ news feeds.
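The hidden “Like” described above leaves a recognisable trace in page markup: a Facebook plugin iframe that is rendered fully transparent. The Python scanner below is an added example, not code from this post or from the complaint; it flags that pattern in a saved page, and its 0.1 opacity threshold, its `/plugins/` path check and its sample markup are assumptions. It inspects inline styles only, so styles applied from a stylesheet or by script are out of its reach.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

VOID = {"area", "base", "br", "col", "embed", "hr", "img", "input", "link", "meta", "wbr"}
# Constructed sample markup (not taken from the complaint); example.test is a placeholder.
LIKE = "https://www.facebook.com/plugins/like.php?href=https%3A%2F%2Fexample.test%2F"
SAMPLE = f"""
<div id="visible"><iframe src="{LIKE}1"></iframe></div>
<div style="opacity: 0"><img src="x.png"><iframe src="{LIKE}2"></iframe></div>
<iframe style="filter: alpha(opacity=0)" src="{LIKE}3"></iframe>
<iframe style="opacity:0" src="https://example.test/ad.html"></iframe>
"""

def invisible(style):
    """Return the see-through inline declaration (opacity 0-1, IE alpha 0-100), or None."""
    for decl in (style or "").lower().split(";"):
        name, _, value = (part.strip() for part in decl.partition(":"))
        m = (re.fullmatch(r"(\d*\.?\d+)", value) if name == "opacity" else
             re.search(r"alpha\(\s*opacity\s*=\s*(\d+)", value) if name == "filter" else None)
        if m and float(m.group(1)) < (0.1 if name == "opacity" else 10):
            return f"{name}:{value}"
    return None

class HiddenWidgetScanner(HTMLParser):
    """Flags Facebook plugin iframes that are invisible, directly or via an ancestor."""
    def __init__(self):
        super().__init__()
        self.stack, self.findings = [], []  # open (tag, reason) pairs; (src, reason) hits
    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        reason = invisible(a.get("style"))
        url = urlparse(a.get("src") or "")
        host = url.hostname or ""
        widget = (tag == "iframe" and url.path.startswith("/plugins/")
                  and (host == "facebook.com" or host.endswith(".facebook.com")))
        inherited = next((r for _, r in reversed(self.stack) if r), None)
        if widget and (reason or inherited):
            self.findings.append((a["src"], reason or "ancestor " + inherited))
        if tag not in VOID:  # void elements never get an end tag
            self.stack.append((tag, reason))
    def handle_endtag(self, tag):
        tags = [t for t, _ in self.stack]
        if tag in tags:  # ignore stray end tags
            del self.stack[len(tags) - 1 - tags[::-1].index(tag):]

def scan(html):
    scanner = HiddenWidgetScanner()
    scanner.feed(html)
    scanner.close()
    return scanner.findings
```

Calling `scan(SAMPLE)` reports the second and third iframes; the visible widget and the transparent non-Facebook frame are left alone.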


How this Affects SEO

We bring up this lawsuit to draw attention to this black hat and negative advertising practice. It can have a big impact on SEO and online marketing for businesses. Spam is never good, so on the most basic level, if you get your own Facebook page wrapped up even indirectly with this type of scam, Facebook could take action against your business page. Beyond that, there’s the negative PR that comes from being linked to a spam scam. If people think you are spamming them, you’ll lose more “fans” and “likes” than you would ever gain by the scam campaign.

Facebook is a powerful marketing tool, but as a merchant you should be aware of the pitfalls and obstacles you can encounter while using it. Stay on top of issues like this, and you can avoid any potential long-term harm to your SEO and consequently your business.

What to do if You Get Scammed

If you do make the mistake of clicking on a link spread via a clickjacking scam, follow these easy tips to lessen the damage:

  • Check your Facebook news feed and remove any offending links that you might have spammed out to your friends.
  • Hover your mouse over the top right-hand corner of the post and you should see a small “x” which will allow you to remove it.
  • If you entered your mobile phone number, you should keep a close eye on your cellphone bill and notify your carrier to prevent bogus charges from stinging you in the wallet.
  • Remember to be wary of any suspicious links. If you really want to watch a video, chances are that it’s available for free — without you having to complete any surveys — on legitimate video sites like YouTube.


Going forward, it’s essential that you stay informed about the latest scams spreading across Facebook and about other internet attacks. Keep following The Official Merchant Services Blog, or the Host Merchant Services Facebook Page, as we routinely update both with the latest news and information on any tech industry issues that affect businesses and merchants.

Adscend Denies Clickjacking

According to this Computerworld article, Adscend Media has denied the allegations filed against them. The company said in its own statement responding to the filing of the two lawsuits, “At no time did we engage in the activity alleged in the complaints.”

The article also states that Adscend is pointing the finger at its own affiliates, claiming their customers shoulder the culpability: “Adscend is hired by advertisers that pay the company each time someone clicks on their page or advertisement. Adscend in turn often hires affiliates to drive traffic to the sites. It’s those affiliates that Adscend is now pointing a finger at. ‘We are undertaking an investigation to determine whether any of Adscend Media’s affiliates engaged in the activity alleged by the Attorney General’s office and Facebook. If they did, we are fully certain that the activity was conducted without the company’s knowledge,’ the company said in its statement.”


The Washington Attorney General’s office doesn’t buy that claim and replied in the suit that: “Defendants create and provide their affiliates with technology that is designed to deceive Facebook users into visiting websites that pay defendants for the referral traffic. Defendants encourage and pay their affiliates to create Facebook pages that are titled and designed to ‘bait’ users into visiting other websites.”
