Facebook Sues over Deceptive Ad Malware

On December 5, plaintiff Facebook, Inc. filed a complaint in the Northern District of California, San Francisco Division, against defendants, ILikeAd Media International Company and others (Facebook, Inc. v. ILikeAd Media International Company, Ltd., Chen Xiao Cong and Huang Tao 3:19-cv-07971) for malware and a deceptive advertising scheme. Facebook is represented by Hunton Andrews Kurth.

The complaint alleged that from 2016 until at least August 2019, ILikeAd created a deceptive advertising scheme that targeted Facebook and its users. It tricked Facebook users into installing software for their web browser that contained malware and a plugin. They installed  malware and extension allowed ILikeAd to access the user’s Facebook account and take control of their ad accounts, which is referred to as “account take over fraud”; this allowed the defendants to use “the accounts to run ads without the Facebook users’ knowledge or consent.” ILikeAd also used a technique called “cloaking” which hid the real nature of the advertisement from Facebook’s review team and process and allowed them to advertise items in violation of Facebook’s Terms of Service and Advertising Policy. Facebook notified users whose accounts were affected to verify their identity and change their passwords.

ILikeAd provided advertising solutions and services to its customers; it received a commission from sales resulting from the online traffic that they created for their customers. Named defendants Cong and Tao worked for ILikeAd as a software developer and Marketing Director for an affiliated entity, respectively.

The complaint stated, “[a]nyone with a Facebook account and page can create an ad account, through which users can create and place ads on Facebook…To pay for their ads, advertisers can input and maintain credit card or other payment information on file in their ad accounts.” This financial information is securely stored and only the last four credit card digits are visible. An advertiser must agree to various terms, policies, and conditions to create and publish an ad. These ads are subject to review by Facebook. Facebook’s Terms prevent users form unlawful, misleading or fraudulent activities and from “upload[ing] viruses or malicious code” and cloaking. Thus, ILikeAd has allegedly breached Facebook’s terms and would be able to access users’ payment information. 

An ad that used cloaking will “[disguise] the true landing page for an ad and the actual content of the landing page, in order to circumvent Facebook’s review process. A ‘cloaked’ landing page used in an ad will display content to Facebook’s automated and manual review systems that differ from that shown to actual Facebook users. The landing page displayed to the review system will promote content that falls within the bounds of the Advertising Policy, when in fact, the true landing pages displayed to users frequently promote deceptive products and services and display disallowed images.” ILikeAd’s deceptive ads with malware used this practice to work around Facebook’s review process and policies while harming Facebook users.

The complaint alleged that Cong developed the malware to compromise devices and take over Facebook ad accounts. ILikeAd “registered two domains that were encoded in the malware as command and control servers.” Tao promoted “the distribution and installation of the malicious extension online through various forums and websites.” When a Facebook user unknowingly installed the malware, it “collected and exfiltrated” the Facebook login information, which allowed Defendants to access those Facebook accounts. Cong also created malware to disable account security notifications, to hide their use of the user’s account and prevent users from reverting these changes. They were able to run ads with the user’s Facebook ad accounts and use the user’s payment information for unauthorized payment for these ads. They cloaked the ads to conceal the deceptive ads from Facebook’s review process and continue this deceptive and illegal practice.

According to the complaint, Facebook paid affected users more than $4 million for reimbursement. Facebook alleged ILikeAd violated the California Comprehensive Computer Data Access and Fraud Act and the Computer Fraud and Abuse Act in addition to breaking Facebook’s terms, policies, and agreements. Facebook seeks injunctive relief against ILikeAd’s actions and for compensatory, punitive and exemplary damages as well as unjust enrichment.