Facebook Users Hit with Clickjacking Worm

 
 
By Brian Prince  |  Posted 2010-06-01
 
 
 

A new clickjacking worm targeting Facebook users is spreading on the social network site.

According to Sophos, hundreds of thousands of Facebook users fell victim to the worm during Memorial Day weekend. The ruse relies on social-engineering users into clicking on links with messages that include: "LOL This girl gets OWNED after a POLICE OFFICER reads her STATUS MESSAGE," "This man takes a picture of himself EVERYDAY for 8 YEARS!!" and "The Prom Dress That Got This Girl Suspended From School."

"Some of the Web pages had over 300,000 people 'liking' them," Graham Cluley, senior technology consultant at Sophos, told eWEEK.

Essentially, the clickjacking attack tricks users into marking a page "like" without realizing it and then recommending the page to their Facebook friends. Clicking on the link takes users to what appears to be a blank page that reads, "Click here to continue." Clicking anywhere on that page publishes the initial message (via an invisible iframe) on the victim's Facebook page.

So far, there is no data-stealing element to the worm, Cluley said, though it is possible the worm is a "proof-of-concept test run before attempting something more malicious, or that the bad guys were planning to post some revenue-generating adware or click-traffic to other sites."

The attack is one of a few involving malicious links that have hit Facebook in the past few weeks. Another was the Distracting Beach Babes application, which was spammed out in order to spread adware.

Facebook spokesperson Barry Schnitt said the company has moved to block the URL associated with the malicious site, and is cleaning up the accounts where it was posted. He added that Facebook is always working to improve its systems and is "building additional protections against this type of behavior." He also advised users against clicking on suspicious links, regardless of whether they are posted by friends or not.

Cluley warned that Facebook needs to be careful about how it deals with malicious links as it pushes personalization.

"I think they need to look long and hard [at] how they are integrating the 'like' functionality into third-party sites," Cluley said. "In their quest to make it easy and unobtrusive for users to say that they 'like' an external site, they've made it far too easy for bad guys to invisibly manipulate the system and spread their spam."

Users who have been hit by the attack should check the recent activity news feed and delete entries related to the links, as well as remove any of the pages from their "Likes and interests" section.

Editor's Note: This story was updated to include a response from Facebook.

Rocket Fuel