Cheerleaders Gone Wild clickjacking spreads virally across Facebook

Filed Under: Clickjacking, Facebook, Social networks, Spam

We're seeing many messages right now being posted from the accounts of Facebook users saying:

Cheerleaders gone wild - have to see this

accompanied by the image of a midriff-baring cheerleader carrying two pom-poms.

Cheerleaders gone wild message on Facebook

If that's enough to tempt you into investigating further, you may well click on the link which will take you to the following Facebook page:

Cheerleaders gone wild page on Facebook

The page claims that the content you are about to access is "inappropriate for some users" as it "may contain shocking graphics, nudity or disrespect other individuals". The warning (which is designed to appear like an official Facebook message) asks you to confirm that you are 18 years old or older before you can proceed.

With your appetite now whetted, you are next prompted to press the numbers 1, 2 and 3 in a particular order to prove that you really are a human being.

Cheerleaders gone wild ask you to press buttons

Unfortunately for you, when you click on the buttons you are really being clickjacked. You may think you are just pressing numbers in a particular sequence, but in fact your mouse clicks are invisibly confirming that you "Like" the "Cheerleaders gone wild" page (something that you may not want your friends and family to see), which gets communicated to other Facebook users via your newsfeed.

Cheerleaders gone wild update

Furthermore, you were also clickjacked into liking pages called Funniest Videos On the Web" and "Free ringtones every day". But you may not realise this unless you examine your profile carefully and check your list of "liked" pages.

Account with additional 'liked' pages

But you probably haven't noticed any of this, of course, because by now you are watching a YouTube video of a group of young cheerleaders up to antics which, quite frankly, I didn't find at all shocking and didn't involve any nudity. At least that was the case when I checked it out.

Cheerleaders gone wild video

Of course, there was no need to help the spammers by jumping through all these hoops in order to watch the video - you could have just seen it on YouTube.

If you were hit by this latest Facebook scam, clean up your profile and remove references to the "Cheerleaders Gone Wild" and other pages.

You should always be wary of suspicious out-of-character posts made by your Facebook friends. If you want to learn more about security threats on the social network and elsewhere on the internet, join the Sophos Facebook page.

, , ,

You might like

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

About the author

Graham Cluley runs his own award-winning computer security blog, and is a veteran of the anti-virus industry having worked for a number of security companies since the early 1990s. Now an independent security analyst, he regularly makes media appearances and gives computer security presentations. Send Graham an email, subscribe to his updates on Facebook, follow him on Twitter and App.net, and circle him on Google Plus for regular updates.