• by Wendy Davis  @wendyndavis, June 29, 2021

Facebook Tuesday sued four Vietnamese residents who allegedly perpetrated a $36 million ad fraud scheme that involved taking control of the accounts of users who worked at advertising and marketing agencies.

“Defendants misused cookies to take control of the accounts, a technique known as 'session or cookie theft,' and targeted employees of advertising and marketing agencies, which had access to large corporate ad accounts,” Facebook wrote in a complaint filed in U.S. District Court in Oakland, California.

The company says the defendants -- Them Nguyen, Le Khang, Nguyen Quoc Bao, and Pham Huu Dung -- duped users into installing an app called “Ad Manager for Facebook” from the Google Play store.

That app, which wasn't affiliated with Facebook, obtained the users' logins and passwords, which enabled the defendants to access the users' Facebook accounts and run ads without their knowledge.

The fake "ad manager" app was installed more than 10,000 times between December of 2020, when it appeared on the Play store, and last month, according to Facebook's complaint.

Google removed the app last month, according to Facebook's court filing.

Facebook also says that on Friday, it disabled Facebook and Instagram accounts created or controlled by the defendants. Before Facebook moved to block the defendants, they allegedly ran at least $36 million of unauthorized ads, including for products one of them sold through his own e-commerce site.

Specifically, Facebook alleges that Nguyen “used cookie theft to obtain access to Facebook accounts and run ads for some of his own e-commerce sites that sold t-shirts, mugs, and other merchandise.”

The defendants not only ran approximately 10,000 ads on Facebook and Instagram, but also “offered compromised accounts for rent to other Facebook users,” according to the complaint.

For instance, in March the defendant Dung Ma allegedly “offered users in Vietnam the ability to rent access to compromised accounts to promote products through live video ads.”

The company claims the men violated Facebook's terms of service, as well as California and federal anti-hacking laws. Facebook is seeking monetary damages of at least $36 million, and a court order prohibiting the defendants from accessing the site.

Facebook also brought a second lawsuit Tuesday against N&J USA Incorporated and two individuals -- Mohit Melwani, and Vishaal Melwani -- over an alleged bait-and-switch scheme.

The social-networking platform alleges in that matter that N&J USA and the others ran ads on Facebook that promoted clothing, watches and toys sold on third-party websites, but that users who made purchases either didn't receive anything or received inferior products.

“In an effort to conceal their bait-and-switch scheme on Facebook, the defendants blocked and concealed user complaints and negative reviews on their Facebook Pages,” Jessica Romero, director of platform enforcement and litigation at Facebook, stated Tuesday.

She added that Facebook previously disabled some of the accounts and pages associated with that scheme.