See if this sounds familiar: You see an interesting link on your friend's Facebook wall, but when you click through, a pop-up window asks you to install something before you can go any further. It's a great way to build an audience for an app — just ask Viddy or those notorious social reader apps — but now that users are accustomed to the hard sell, it's opened the door to something security experts are calling Facebook's first malware epidemic.
It's a plug-in called LilyJade. It tinkers with the ad-exchange codes on every computer it reaches. And with the help of Facebook traffic, it's pulled in a quarter of a million dollars in just two weeks. Kaspersky Lab is one of many security firms labeling LilyJade a worm, but the founder, a Phoenix-based coder named Dru Mundorff, told me he prefers to think of it as an "internet marketing system." It spreads by the same principle as those infamous social readers: you'll see a link on a friend's Facebook wall and, when you click through, a pop-up prompts you to install a plug-in. If you agree, it'll start replacing every ad on your browser, directing the ad exchange money to Mundorff & Co.
Mundorff presents LilyJade as an ad-blocker-and-replacer, not unlike preexisting ad-blocking tools like AdBlock that simply erase ads from your browser entirely. They're not the nicest things if you want your favorite websites to make money, but they're certainly not illegal. But since the LilyJade ads can look the same as the ones they're replacing, most users will never notice the difference. Unless they remember signing up, they might never know it's there.
While the security world argues over definitions, LilyJade is facing surprisingly little legal blowback. Facebook has already filed a Cease & Desist letter, which Mundorff has promised to fight — but plugins that target ad networks are a new phenomenon, and the legal system hasn't entirely caught up. Ben Edelman, a Harvard Business School professor who specializes in online fraud, told me Facebook's case for a lawsuit is strong but, "that said, Facebook has been slow in taking action and hasn’t pursued this as aggressively as I had expected."
One reason might be Mundorff's use of the Terms of Service agreement — those blocks of tiny text that pop up with every installation and are almost always ignored. If you're installing the LilyJade plug-in, it's likely to say something like, "I allow this program to insert ads into my browser and post on my Facebook wall." But everyone's so used to skipping through the Terms of Service that nobody is likely to see that admission, and in court, Mundorff can accurately claim users agreed to everything the plug-in was doing.
Meanwhile, the ad exchanges keep paying out. AdSense, the Google-owned exchange that's buying all those sketchy impressions, keeps an eye on fraudulent activity, but according to Mundorff, "only the [affiliates] that jump up like 3-million-plus in daily ads" get shut down. "As long as someone gradually moves up, they get paid." And since the ads aren't straightforwardly fraudulent — real people are clicking, after all — the exchanges are unlikely to do much more than that.
Unless the courts get more aggressive, Mundorff's business is likely to be around for quite a while — and we can expect to see ad-replacing schemes like it for even longer. This isn't the first ad-inserting software the web's ever seen — and the largest threat to LilyJade is likely the same anti-virus companies, like Symantec and Microsoft, that tackle most adware worms. But this is the first social example, gaining traction by exploiting the same tools that were mildly annoying in the hands of startups — little hacks like frictionless sharing and over-reaching app privacy settings. Once they're turned to more mischievous ends, they start to look an awful lot like fraud.