
The Unwary Facebook® User Might Accidentally “Like” Clickjacking Worm

01 June 2010
A documented feature of Facebook has recently turned into a security problem: a transparent iframe placed exactly over the “like” button redirects users to various Web pages hosted on the blogspot.com free blogging platform. The attack uses a technique widely known as clickjacking.


Clickjacking is an old technique that, as its name suggests, hijacks a user’s mouse clicks on a page in order to trigger actions the user never intended. A hidden or transparent iframe is placed on top of a legitimate button that users are likely to recognise. When they click what they believe to be there, usually a message box, they are immediately redirected to a different page and asked to fill in forms, confirm their credentials, answer some questions or click further links. Of course, this page looks legitimate and trustworthy, so the unwary Internet user has no idea what has happened.

Social networking platforms are the main targets of this kind of attack. The explanation is simple: a great many people use them to socialise, hence their popularity. Moreover, the extensive user database of such a community lures a significant number of cybercriminals and spurs their ill-intentioned creativity.

The most recent Facebook clickjacker blends the documented feature of registering an anonymous "like" button, which involves no extra security checks, with highly enticing comments such as those depicted below:

"LOL This girl gets OWNED after a POLICE OFFICER reads her STATUS MESSAGE."
"This man takes a picture of himself EVERYDAY for 8 YEARS!!"
"The Prom Dress That Got This Girl Suspended From School."
"This Girl Has An Interesting Way Of Eating A Banana, Check It Out!"

<iframe allowTransparency='true' frameborder='0' id='fbframe'
name='fbframe' scrolling='no' src='hxxp://www.facebook.com/plugins/like.php?href=http%3A%2F%2Fgirlownedbypolicelike.blogspot.com%2F'
style='border:none; overflow:hidden; width:50px; height:23px;'></iframe>


Upon clicking the infamous “like” button, users actually click through a transparent iframe that sends them to various blogspot.com-hosted web pages. In some cases they reach an apparently blank page with a “click here to continue” message, or they are asked to fill in a questionnaire. Because of Facebook’s popularity and its extensive user base, the social networking service has become not only a preferred target of information harvesters but also a favourite playground for commercial abuse (such as disseminating adware, making users click on ads or fill in forms). Now imagine that each form filled in by an unwary Facebook user earns the hijacker a fixed payout, multiplied by the number of lured users, and you will see why clickjacking is so popular.
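As an added example that is not part of the original post, the following Python scanner parses a page's HTML and flags Like-plugin iframes that are styled so the visitor cannot see them (opacity 0, the old IE alpha filter, or a transparent frame absolutely positioned over other content), reporting which URL the victim would have "liked". The sample page is constructed for the example and models the snippet shown above.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse, parse_qs

LIKE_HOSTS = {"facebook.com", "www.facebook.com"}
LIKE_PATH = "/plugins/like.php"

class _IframeCollector(HTMLParser):  # HTMLParser lowercases tag and attribute names
    def __init__(self):
        super().__init__()
        self.iframes = []

    def handle_starttag(self, tag, attrs):
        if tag == "iframe":
            self.iframes.append({k: (v or "") for k, v in attrs})

def _css_props(style):
    """Parse an inline style string into a lowercase {property: value} dict."""
    props = {}
    for decl in style.split(";"):
        if ":" in decl:
            name, value = decl.split(":", 1)
            props[name.strip().lower()] = value.strip().lower()
    return props

def find_hidden_like_frames(html):
    """Return [(liked_url, reasons)] for Like-plugin iframes the visitor cannot see."""
    collector = _IframeCollector()
    collector.feed(html)
    findings = []
    for attrs in collector.iframes:
        src = urlparse(attrs.get("src", ""))
        if src.hostname not in LIKE_HOSTS or src.path != LIKE_PATH:
            continue
        css = _css_props(attrs.get("style", ""))
        reasons = []
        if css.get("opacity") in ("0", "0.0"):
            reasons.append("opacity:0")
        if "opacity=0" in css.get("filter", "").replace(" ", ""):
            reasons.append("IE filter alpha(opacity=0)")
        if css.get("position") in ("absolute", "fixed") and attrs.get("allowtransparency") == "true":
            reasons.append("transparent frame positioned over page content")
        if reasons:  # record which page the victim would have "liked"
            findings.append((parse_qs(src.query).get("href", ["?"])[0], reasons))
    return findings

# Constructed sample: a normally styled embed, then an overlay modelled on the post's snippet.
SAMPLE_PAGE = """<iframe src='http://www.facebook.com/plugins/like.php?href=http%3A%2F%2Fexample.org%2F' style='border:none; overflow:hidden; width:450px; height:35px;'></iframe>
<iframe allowTransparency='true' frameborder='0' id='fbframe' scrolling='no'
 src='http://www.facebook.com/plugins/like.php?href=http%3A%2F%2Fgirlownedbypolicelike.blogspot.com%2F'
 style='border:none; overflow:hidden; width:50px; height:23px; opacity:0; position:absolute; z-index:10;'></iframe>"""
```

Calling find_hidden_like_frames(SAMPLE_PAGE) reports only the second iframe, together with the blogspot.com URL it would have liked on the victim's behalf.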

Facebook has been notified and these abusive pages have been suspended.

Loredana sees in BitDefender a new challenge and a fresh approach to her professional development. Her enthusiasm, curiosity and, of course, lots of research, are some of the features that make her a competitive player in the security industry.

Comments:

MT said on Jun-9-2010 09:52

One possible way to tell a legit "like" from a scam would be to mouse over the word "like". Legitimate ones will show a tooltip saying "Click here to like this item". I've seen a couple of questionable ones where, when mousing over, that tooltip does NOT appear.
