Facebook is swept by ‘clickjacking’ scam

3 Jun 2010

Facebook users are being warned against falling victim to the latest clickjacking attack which uses a form of social engineering to get people to click on links to subjects they think their friends have ‘liked’.

Cyber security experts say the scam, which uses links such as World Cup 2010 in HD or Justin Bieber’s phone number that are apparently liked by their friends tricks users into liking the site on Facebook too.

While the current scam has no malicious intent, the mechanism could be adapted by hackers to deliver malware.

The links take the user to a page asking them to click a button if they are over 18, but when they click on the page it adds a link to their own Facebook profile saying they have liked the site.

The latest lure is a link which claims to point to a website containing a naked photo of Hayley Williams (pictured), the lead singer of the American rock band Paramore.

“What the hackers have actually done is very sneaky,” said Sophos expert Graham Cluley in his blog.

“They have hidden an invisible button under your mouse, so wherever you click on the website your mouse-press is hijacked. As a consequence, when you click with the mouse you’re also secretly clicking on a button which tells Facebook that you ‘like’ the webpage. This then gets published on your own Facebook page, and shared with your online friends, resulting in the link spreading virally.

“Attacks like this can spread very very fast. Judging by the number of messages I’ve seen, thousands have already found it impossible to resist the idea of seeing the lead singer of Paramore naked and have fallen head-first into the “likejacking” trap.

“This use of a clickjacking exploit to publish the same message (via an invisible iFrame) to the visiting user’s own Facebook page works in a similar fashion to the clickjacking attacks we saw earlier this week.

“It’s clear that Facebook needs to tighten up the way it handles the ‘liking’ of external webpages before it is even more widely abused by malicious hackers and spammers.

By John Kennedy

John Kennedy is a journalist who served as editor of Silicon Republic for 17 years

editorial@siliconrepublic.com