Monday, May 31, 2010

Alert: Facebook Clickjacking Attack Spreading Through ‘Likes’


Hundreds of thousands of Facebook users have fallen for a social-engineering trick which allowed a clickjacking worm to spread quickly over Facebook this holiday weekend.

A new clickjacking worm is spreading through Facebook via the ‘Like’ feature.

The attack, which is said to have hit hundreds of thousands of users, uses a combination of social engineering and a clickjacking exploit to make it appear as if a user has “liked” a link.

Affected profiles can be identified by the Facebook user apparently having "liked" a link. Messages seen being used by the spammers include:

"LOL This girl gets OWNED after a POLICE OFFICER reads her STATUS MESSAGE."

"This man takes a picture of himself EVERYDAY for 8 YEARS!!"

"The Prom Dress That Got This Girl Suspended From School."

"This Girl Has An Interesting Way Of Eating A Banana, Check It Out!"

Clicking on the links takes Facebook users to what appears to be a blank page with just the message "Click here to continue".


However, clicking at any point of the page publishes the same message (via an invisible iFrame) to their own Facebook page, in a similar fashion to the "Fbhole" worm we saw earlier this month.

The trick, which uses a clickjacking exploit, means that visiting users are tricked into "liking" a page without necessarily realising they are recommending it to all of their Facebook friends.
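The attack only works because the framed page does not refuse to be embedded by other sites. As an added example (not code from the original post or from Sophos), the following Python helper evaluates the anti-framing response headers a browser honours, X-Frame-Options and the CSP frame-ancestors directive, and reports whether a given origin could load the page in an iframe; the header values and origins in the usage are constructed for illustration.

```python
from urllib.parse import urlsplit


def _source_matches(source: str, origin: str, page_origin: str) -> bool:
    """Match one CSP source expression against an origin of the form scheme://host[:port]."""
    src = source.strip().strip("'").lower()
    if src == "none":
        return False
    if src == "*":
        return True
    if src == "self":
        return origin == page_origin
    o = urlsplit(origin)
    if src.endswith(":") and "/" not in src:  # scheme-only source such as https:
        return o.scheme == src[:-1]
    s = urlsplit(src if "://" in src else f"{o.scheme}://{src}")
    if s.scheme != o.scheme:
        return False
    if s.port is not None and s.port != o.port:  # explicit ports only; defaults not normalised
        return False
    host = s.hostname or ""
    if host.startswith("*."):  # wildcard subdomain source
        return (o.hostname or "").endswith(host[1:])
    return host == o.hostname


def may_be_framed(headers: dict, page_origin: str, framing_origin: str) -> bool:
    """Return True if a page at page_origin, served with these response headers, can be
    loaded in an <iframe> by framing_origin, which is the precondition for clickjacking.
    Header names may be in any case; CSP frame-ancestors overrides X-Frame-Options,
    which is how browsers resolve the two."""
    h = {k.lower(): v for k, v in headers.items()}
    page_origin, framing_origin = page_origin.lower(), framing_origin.lower()
    for directive in h.get("content-security-policy", "").split(";"):
        parts = directive.split()
        if parts and parts[0].lower() == "frame-ancestors":
            return any(_source_matches(p, framing_origin, page_origin) for p in parts[1:])
    xfo = h.get("x-frame-options", "").strip().upper()
    if xfo == "DENY":
        return False
    if xfo == "SAMEORIGIN":
        return framing_origin == page_origin
    # No anti-framing header at all: any site can overlay the page, as in the attack above.
    return True


if __name__ == "__main__":
    # Constructed headers: a page with no protection, and one that opts out of framing.
    print(may_be_framed({}, "https://www.facebook.com", "https://evil.example"))  # True
    print(may_be_framed({"X-Frame-Options": "DENY"}, "https://www.facebook.com", "https://evil.example"))  # False
```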

Unfortunately, as we're all too aware, messages such as "LOL This girl gets OWNED after a POLICE OFFICER reads her STATUS MESSAGE.", "This man takes a picture of himself EVERYDAY for 8 YEARS!!", "The Prom Dress That Got This Girl Suspended From School." and "This Girl Has An Interesting Way Of Eating A Banana, Check It Out!" are exactly the kind of content that people will click on when using Facebook.

Sophos detects the offending webpages as being infected by Troj/Iframe-ET.

If you believe you may have been hit by this attack, view the recent activity on your news feed and delete entries related to the above links. Furthermore, you should view your profile, click on your Info tab and remove any of the pages from your "Likes and interests" section.

via: sophos
