Facebook sues alleged clickjacking spammer sparking row Published duration 8 March 2012

image caption Some analysts have linked Facebook's spam crackdown to an imminent stock flotation

Facebook is suing a marketing firm, accusing it of "spreading spam through misleading and deceptive tactics".

Adscend Media is alleged to have carried out "clickjacking".

The practice involves placing posts on the social network which include code that causes the links to appear on the users' homepages as a "liked" item without their permission. The links are designed to take users to other sites.

Adscend Media said it "vehemently denied" the "false claims".

Accusations

Facebook likened its security efforts to an "arms race" and said that it was committed to pursuing "bad actors".

"Facebook's security professionals have made tremendous strides against this particular form of attack and we are intent on eradicating it completely," said Craig Clark, the firm's lead litigation counsel.

"We will continue to use all tools at our disposal to ensure that scammers do not profit from misusing Facebook's services."

Washington State also filed a related lawsuit . Its lawyers said that they believed that this was the first time any state had gone to court to combat spam on the social network.

"We don't 'like' schemes that illegally trick Facebook users into giving up personal information or paying for unwanted subscription services through spam," said the state's attorney general, Rob McKenna.

Mr McKenna's office said that Adscend Media had earned as much $1.2m (£766,000) a month from the practice.

Strong denial

However, the accused firm released a statement on Friday evening which said: "At no time did we engage in the activity alleged in the complaints.

"Adscend Media strictly complies with its legal obligations under federal and state law. We are undertaking an investigation to determine whether any of Adscend Media's affiliates engaged in the activity alleged by the Attorney General's office and Facebook.

"If they did, we are fully certain that the activity was conducted without the company's knowledge."

The firm's lawyer went on to accuse the Washington State authorities of being "irresponsible".

"We find it deeply troubling that the Attorney General's office made a public spectacle of these serious allegations without first questioning the company as part of its investigatory process and, even more inexplicably, without notifying the company that the complaint was being filed," said Mark Rosenberg.

He added that Adscend Media was now prepared to pursue a defamation action against those "responsible for tarnishing the reputation of the company".

Invisible buttons

Facebook has posted an article about the case in which it explained that it believed the "scam" had worked by exploiting a vulnerability in people's internet browsers that allowed its 'Like' button to be hidden.

"Once the 'Like' button is made invisible, scammers can overlay pictures and other content, to trick the user to click on the invisible 'Like' button," it said.

"First, Facebook users are encouraged to click the 'Like' button on the scammers' Facebook Pages, which then alerts their friends to the existence of the page. Then they are told that they cannot access the content unless they complete an online survey or advertising offer."

It said one case had involved a link promising to show a man who had taken a picture of his face every day over eight years.

Facebook said that the content often had not existed, and users had been directed to third-party sites. It alleged that "the scammers receive money for each misdirected user".

Stock sale

Facebook said that less than 4% of the content shared on its site was currently spam.

The internet security firm, Sophos, acknowledged that the network was trying to combat the problem, but suggested further steps should be taken.

"Facebook tried to introduce anti-clickjacking technology to fight the problem, but it was never entirely satisfactory," said the Sophos's senior technology consultant Graham Cluley.

"What would have been good would have been if Facebook had introduced a 'confirmation' dialog every time a user 'likes' a page on a third-party website. That way, the clickjackers would have been able to trick you into clicking like but you would still have had to confirm that you really wanted to share the message with your online friends.

"In the run-up to IPO [initial public offering], we're sure to see Facebook doing more to present itself as company that is fighting security threats like this."

This is the second time this month that Facebook has accused a group of illegal activity on its site. Last week it named several Russia-based suspects who it said were responsible for a malware attack known as the "Koobface worm".