Hundreds of thousands of Facebook users were hit over the holiday weekend by a trick that spreads a clickjacking worm once the victim has been fooled into “liking” a page. Once that is done the action installs a Trojan and recommends the page to the victim’s friends.
According to security firm Sophos, which has taken to calling this type of exploit “likejacking,” the viral “Like” worm spotted last weekend was working its way across Facebook with messages that include the following:
- “LOL This girl gets OWNED after a POLICE OFFICER reads her STATUS MESSAGE.”
- “This man takes a picture of himself EVERYDAY for 8 years!!”
- “The Prom Dress That Got This Girl Suspended from School.”
- “This Girl Has An Interesting Way of Eating a Banana, Check it Out!”
But clicking on these links takes Facebook users to what appears to be a blank page with just the message “Click here to continue,” according to Sophos, which describes the “likejacking” exploit in a blog post written by Sophos senior technology consultant Graham Cluley.
Cluley says clicking on any point on the page publishes the same message via an invisible iFrame to their own Facebook page, and visiting users are tricked into “liking” a page without necessarily realizing they are recommending it to all of their Facebook friends. Web-based iFrame attacks have become extremely common across the Web over the past few years.
Sophos identifies the Trojan used in this attack as Troj/Iframe-ET.
Cluley says Facebook users would benefit from reviewing their recent activity on their news feeds and delete entries related to the links described, and if necessary, remove any of the identified “likejacking “pages from the “Likes and interests” section.
Cluley says that the attackers’ rationale for the “likejacking” exploit is “likely to boil down to money. Although we haven’t seen any clear revenue motive in this latest attack, it’s possible this was a proof-of-concept by the bad guys to see how effective such a scheme could be.”
Facebook users have been hit by several types of attacks recently, including the so-called “sexy Candid Camera” attack.