Facebook Alleges Company Infiltrated User Accounts for Ad Fraud

facebook ad fraud malware

Facebook has paid over $4 million to victims to reimburse them for the unauthorized ads purchased using their ad accounts.

Facebook has sued a Chinese company that it alleges used malware to compromise hundreds of thousands of user accounts – and then used them to run “deceptive ads” promoting counterfeit goods.

The company in question is Hong Kong-based ILikeAd Media International Company Ltd., which was incorporated in 2016. On its website (ilikead.com, which appears to be down) the company said it provides advertising and marketing services to businesses interested in advertising on Facebook, according to court documents. Facebook also sued Chinese software developer Chen Xiao Cong and marketing director Huang Tao in connection with the scheme.

“To protect Facebook users and disrupt these types of schemes, we will continue our work to detect malicious behavior directed towards our platform and enforce against violations of our Terms and Policies,” said Jessica Romero, director of Platform Enforcement and Litigation and Rob Leathern, director of Product Management and Business Integrity with Facebook, in a Thursday statement. “Creating real-world consequences for those who deceive users and engage in cloaking schemes is important in maintaining the integrity of our platform.”

Between 2016 up until August 2019, Cong and Tao allegedly created malware, tricked victims into installing it, and then compromised their Facebook accounts. The malware was promoted through various forums and websites; once installed, it would then collect Facebook login credentials from the victims’ browsers, enabling access. The malware also disabled accounts’ security notifications so victims were unaware they were compromised, court documents said.

Once infected by malware, the company used victims’ accounts to promote deceptive ads would promote shoddy items such as diet pills and male enhancement products, sometimes using images of celebrities in the ads to entice people to click on them, Facebook said. Cong and Tao were also allegedly able to promote the ads using victims’ payment information connected to their ad accounts.

These ads used a method called “cloaking,” where they deliberately disguised the true destination of the URL in the ad by displaying one version of an ad’s landing page to Facebook’s systems and a different version – usually hosting malicious content – to Facebook users.

“Cloaking schemes are often sophisticated and well-organized, making the individuals and organizations behind them difficult to identify and hold accountable,” according to Facebook. “As a result, there have not been many legal actions of this kind. In this case, we have refunded victims whose accounts were used to run unauthorized ads and helped them to secure their accounts.”

Court documents said that Facebook has paid over $4 million to victims to reimburse them for the unauthorized ads purchased using their ad accounts.

Facebook has filed lawsuits against a slew of other companies for privacy and security-related reasons, including two app developers over click-fraud injection in August and two Ukrainian men in March that it alleged stole data from 63,000 platform users for advertising purposes.

Mike Bittner, director of Digital Security and Operations for The Media Trust, said that with the California Consumer Privacy Act (CCPA) going into effect Jan. 1, companies like Facebook (and Microsoft, among others) are revisiting privacy measures of their platforms. The law demands more transparency from companies about how user data is being used and disseminated and requires them to give consumers a way to opt out of these actions.

“With CCPA enforcement just a few weeks away, it makes sense for covered platforms and websites to start enforcing their privacy and security policies and hold errant or malicious third parties to account,” Bittner, said in an email. “The penalties for noncompliance are high, especially those linked to the law’s Private Right of Action, which can amount to $7,500 per violation.”

Free Threatpost Webinar: Risk around third-party vendors is real and can lead to data disasters. We rely on third-party vendors, but that doesn’t mean forfeiting security. Join us on Dec. 18th at 2 pm EST as Threatpost looks at managing third-party relationship risks with industry experts Dr. Larry Ponemon, of Ponemon Institute; Harlan Carvey, with Digital Guardian and Flashpoint’s Lance James. Click here to register.

Suggested articles