Facebook and the state of Washington have filed separate lawsuits against a US company alleging it spread malware through Facebook and stole users' personal information.
The suits filed in two US district courts contend that Adscend Media defrauded users through an advertising network that it operated as a type of phishing scam.
They also claim the company was aware and encouraged its affiliates to engage in the alleged scam.
The Washington suit also alleges that the activity violates the state's Commercial Electronic Mail Act (CEMA) because Adscend aided its affiliates.
The complaints named Jeremy Bash and Fehzan Ali, as well as Adscend Media, as defendants.
In a post on the Adscend Media website, the company called the allegations “absolutely and unequivocally false.”
But the company pledged to stop working with any affiliates that may have been involved.
In its complaint, the Washington attorney general's office included a series of screen shots that demonstrated the alleged infractions, starting with a Facebook post that attempts to lure users to click on a link to see an erotic video.
Users were sent to fake age-verification page that contained what the complaint described as a “content-locking widget” that would activate the Facebook Share button and spread malware to the victims' friends pages.
Victims were then directed to other malicious pages that attempted to steal personal information, the suit alleges.
In addition, the suit claims Adscend affiliates were paid for each user who completed a survey on the fraudulent pages.
The complaint alleges violations of the CAN-SPAM Act and seeks court orders blocking Adscend from accessing Facebook and targeting users.
Neither suit asks for specific damages, although both ask that damages for the CAN-SPAM Act be tripled.
The state also is asking for damages of $US2000 ($A1874) per violation of CEMA.
Browser add-ons including no-script plug-in for Firefox would alert users to scripts loaded from external pages, Team Cymru's Marcel van den Berg said.