Naked Security Naked Security

Facebook suing ILikeAd for hijacking users’ ad accounts

Facebook says the company used celeb bait links to infect victims with malware and hijacked their ad accounts to sell diet pills.

Facebook has sued a company for allegedly inflicting a malicious extension on victims’ browsers to steal their Facebook logins, take over their ad accounts, run bad ads, and then use the victims’ own payment information to pay for the ads.

The company filed the suit on Thursday. It’s against a Hong Kong company called ILikeAd Media International Company Ltd. and against two individuals: Chen Xiao Cong and Huang Tao.

According to the complaint, ILikeAd promoted itself as a “one-stop comprehensive solution to advertisers” hoping to market their wares on Facebook.

Facebook said that the defendants sometimes used celebrities’ photos to lure people into clicking on the deceptive ads – a practice known as “celeb bait.”

Facebook alleges that starting around 2016, Tao created the malicious extension and registered two domains to serve as command and control servers. They promoted it through various sites and forums. When victims installed the extensions, the malware stole their Facebook logins.

Facebook alleges that Cong, on behalf of ILikeAd, designed the malware to disable security notifications in order to let it run under the radar, with victims being none the wiser.

That’s not the only notification that the malware disabled. ILikeAd allegedly used the malware to extract data that showed whether the victims had an ad account, had previously paid for ads, how much they spent, and the balance on their ad account. The malware enabled ILikeAd to allegedly run ads via their victims’ ad accounts – and on the victims’ dime.

Like the disabled security notifications, the malware also turned off notifications that would have alerted users that an unrecognized device had accessed their account and that ads had been run on it. It also locked in those changes, meaning that victims couldn’t revert to turning the notifications back on.

The ads that ILikeAd allegedly ran on the hijacked ad accounts were meant to deceive: according to the complaint, the ads directed users to landing pages associated with counterfeit goods, male enhancement supplements, and diet pills, all of which violate Facebook’s Advertising Policies.

In order to sidestep the platform’s ad review, Facebook says that ILikeAd used “cloaking”: a way to disguise a link’s true destination by showing one version of an ad’s landing page to Facebook’s systems and a different version to Facebook users.

Facebook said in the complaint that it’s paid out more than $4 million to reimburse the victims for the bad ads that were run on their accounts. It also said that ILikeAd is still running the scheme.

It’s looking for a permanent injunction against ILikeAd and everybody who works for it and wants an unspecified amount in damages, restitution and court costs.

Jessica Romero, Facebook’s director of platform enforcement and litigation:

Creating real world consequences for those who deceive users and engage in cloaking schemes is important in maintaining the integrity of our platform.

About a year ago, Facebook itself got lawsuited into creating a scam ads reporting tool, and donating £3m to a consumer advocate group, by UK financial expert Martin Lewis.

Lewis’s name and face had been slathered on all sorts of financial scams that he’d never endorse. He wound up dropping the lawsuit he brought against Facebook over the frauds: to Facebook’s credit, it responded without a court order.

Facebook is not the only one dealing with bad ads. Around that time, there was a rash of YouTube subscribers getting spammed by celebrity imposters.

Fighting social media-delivered, fake-celebrity-encrusted flimflam is like playing whack-a-mole: smack down one, and another pops up. If Facebook’s allegations in this lawsuit prove true, we’re talking about a mole that’s packing malware, so good luck to the platform in its hunt.