Facebook, hit by Chinese ad fraud

The social media giant sued a Chinese company which infiltrated Facebook for ad fraud. Mark Zuckerberg’s company claims that the company used malware to compromise hundreds of thousands of accounts. Then, it used them to run “deceptive ads” promoting counterfeit goods.

The company is ILikeAd Media International Company Ltd., from Hong Kong. According to court documents, on its website, the company said it provides advertising and marketing services on Facebook. The social media platform also sued Chinese software developer Chen Xiao Cong and marketing director Huang Tao, in the same case.

“Creating real-world consequences for those who deceive users and engage in cloaking schemes is important in maintaining the integrity of our platform,” said Jessica Romero, director of Platform Enforcement and Litigation and Rob Leathern, director of Product Management and Business Integrity with Facebook, in a statement.

A complex Chinese ad fraud system

It seems that Long and Tao created malware, for three years (2016 – August 2019), and tricked victims into installing it. Then, it compromised their Facebook accounts. Once installed, it would then collect Facebook login credentials from the victims’ browsers. The malware also disabled accounts’ security notifications. Thus, the victims had no idea that they lost control of their accounts. 

Then, the company used victims’ accounts to promote deceptive ads. These would promote cheap items such as diet pills and male enhancement products. They even used images of celebrities in the ads, Facebook said. According to documents, Cong and Tao also promoted the ads using victims’ payment information. The ad fraud used a method called “cloaking.” The ads deliberately disguised the true destination of the URL. This was possible by displaying one version of the landing page to Facebook’s systems and a different one to Facebook users.

“Cloaking schemes are often sophisticated and well-organized, making the individuals and organizations behind them difficult to identify and hold accountable,” according to Facebook. Facebook announced it refunded victims and helped them to secure their accounts.

According to the court, Facebook has paid over $4 million to victims for the unauthorized ads purchased using their accounts. Also, the company filed lawsuits against a few other companies for privacy and security-related reasons. Two app developers are included for click-fraud injection in August. Also, two Ukrainian men that it alleged stole data from 63,000 users, for advertising purposes.

The new California Consumer Privacy Act is going into effect on January. So, big companies are revising their privacy measures. The law demands more transparency about how the companies use and disseminate user data. Also, it requires them to give consumers a way to opt out of these actions. The penalties for noncompliance are as high as $7,500/violation.