Facebook Sues Two Ukrainian Developers for Data Scraping
Facebook has filed a suit against two Ukrainian browsing extension makers for data scraping.
The suit has been filed on Friday, March 8 against two Kiev-based developers named Gleb Sluchevsky and Andrey Gorbachov for creating Facebook apps and browser extensions that harvested user data and also injected advertisements into users’ timelines. The developers are working for a company called the Web Sun Group and had reportedly run at least four different apps providing quizzes on various topics.
The web apps, named “Supertest,” “FQuiz,” “Megatest,” and “Pechenka,” were advertised and shared on Facebook, but were hosted on many third-party websites.
ZDNet reports, “The web apps were advertised and shared on Facebook but they were hosted on a multitude of third-party websites such as megatest.online, supertest.name, testsuper.su, testsuper.net, fquiz.com, and funnytest.pro.”
“Named “Supertest,” “FQuiz,” “Megatest,” and “Pechenka,” the web apps were mainly advertised toward Russian and Ukrainian-speaking audiences, and enticed users with themes of “Do you have royal blood?, “You are yin. Who is your yang?” and “What kind of dog are you according to your zodiac sign?,” among many,” the report further says.
It was in 2017 and 2018 that the two Ukrainian developers reportedly ran their scheme; Facebook claims that over 63,000 users had been made to install the malicious extensions and eventually the two were able to scrape data from the users’ profile; all this was done by prompting users to push notifications in their browsers and eventually making the same users install the extensions.
The complaint filed in court by Facebook states, “In 2017 and 2018, Defendants Gleb Sluchevsky and Andrey Gorbachov (collectively, “Defendants”) operated fraudulent web applications designed to deceive their users (“the app users”) into installing malicious browser extensions (“malicious extensions”). The malicious extensions enabled Defendants to “scrape” information from the app users’ social media profiles and inject advertisements when the app users visited different social networking sites, including Facebook.”
The complaint further reads, “Specifically, Defendants’ scraped the app users’ publicly viewable profile information (i.e. name, gender, age range, profile picture) and private (or non-publicly viewable) list of friends from various social networking sites.”
Facebook had detected the incident and identified the two developers through an investigation of malicious extensions. Once the identities were confirmed, Facebook disabled all of their known Facebook accounts, in 2018. The damages caused to Facebook as a result of these incident amounts to over $75,000, according to the complaint.
Facebook has stated in its complaint that it seeks “injunctive and other equitable relief and damages against Defendants.”’
Facebook has clarified that Gleb Sluchevsky and Andrey Gorbachov had promoted the malicious extensions on at least three official browser stores. This generally needed users to give their consent to the installation, but, as clarified by Facebook, this does not include “…consent to scrape user information (public or private), inject ads, or otherwise modify their browsing experience when visiting social networking sites.”
The scraped data were sent to servers which were in the Netherlands and which were under the control of the two developers.
ZDNet, in its report, points out that this is the second recent lawsuit being filed by Facebook. The report says, “This is Facebook’s second lawsuit of this kind. A week before, on March 1, Facebook sued four companies and three people in China for operating a network that sold fake accounts, likes and followers on Facebook and Instagram.”
Julia Sowells827 Posts
Julia Sowells has been a technology and security professional. For a decade of experience in technology, she has worked on dozens of large-scale enterprise security projects, and even writing technical articles and has worked as a technical editor for Rural Press Magazine. She now lives and works in New York, where she maintains her own consulting firm with her role as security consultant while continuing to write for Hacker Combat in her limited spare time.