New teacher from behind Facebook likejacking attack leads to survey scam

Filed Under: Facebook, Privacy, Social networks, Spam

This broken record continues to play. Yes, Facebook likejacking scams continue to plague Facebook users' walls. This one spreads to walls saying:

"New teacher from behind"

"(BADURL) When our new teacher terns towards a blackboard students are go haywire. VIDEO: New Teacher from behind"

Teacher from behind wall post

Unlike some of these likejacking scams, this one is using many different URL shorteners, including goo.gl, tiny.cc, tinyurl.com and even direct URLs to domains registered in .info and .ro top-level domains. At the time of this writing, over 6,000 people have fallen victim to the scam and the numbers continue to climb.

Teacher from behind clickjack

In a trend we are seeing more often in web-based attacks, this attack only requires that you are using a modern browser and are logged into a Facebook account. It works regardless of the operating system your device uses, including Windows, OS X, Linux, iOS, Android and more.

The best defense against clickjacking attacks is to use the Firefox browser with the NoScript add-on.

Otherwise, to avoid these types of attacks, the only remedy (which isn't exactly practical) is to be sure you are not logged in to Facebook when clicking unknown URLs. If you are not logged into Facebook, you are presented with a pop-up window asking you to log in, which is an indication that the page is attempting to likejack your account.

Personally, I use one browser just for Facebook and a different browser for all of my normal internet activities. If I choose to follow a URL from a Facebook wall, I use my non-Facebook browser so I can be alerted to the attack, as well as having protection from NoScript on my side.
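The likejacking pages described above work by placing a Facebook Like button (an iframe served from facebook.com) where the victim expects a video play button, styled so it cannot be seen. As an added example that is not part of the original post or Sophos' tooling, the following static heuristic scans a page's HTML for social-plugin iframes that are styled to be invisible, the kind of check a web filter or browser extension could apply before the click lands. The sample page is constructed for the test and contains a placeholder domain.

```python
"""Static heuristic detector for likejacking pages: flags social-plugin
iframes that inline CSS makes invisible (opacity 0, hidden, offscreen)."""
import re
from html.parser import HTMLParser

# Facebook social plugin URLs that likejacking pages embed under a fake button.
PLUGIN_PATTERNS = (
    re.compile(r"facebook\.com/plugins/like", re.I),
    re.compile(r"facebook\.com/plugins/share", re.I),
)

def _is_hidden(style: str) -> bool:
    """True if the inline style makes the element effectively invisible."""
    s = style.lower().replace(" ", "")
    if re.search(r"opacity:0(\.0+)?(;|$)", s):   # fully transparent
        return True
    if "visibility:hidden" in s:
        return True
    if re.search(r"(left|top):-\d{3,}px", s):    # pushed far offscreen
        return True
    return False

class _IframeCollector(HTMLParser):
    """Collects the src of every hidden iframe pointing at a social plugin."""
    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag != "iframe":
            return
        a = dict(attrs)
        src = a.get("src") or ""
        if any(p.search(src) for p in PLUGIN_PATTERNS) and _is_hidden(a.get("style") or ""):
            self.findings.append(src)

def find_hidden_like_frames(html: str) -> list:
    """Return the src URLs of hidden Like/Share frames found in the HTML."""
    parser = _IframeCollector()
    parser.feed(html)
    return parser.findings

# Constructed sample page (placeholder domain, not a real scam site): a fake
# play button with a transparent Like frame over it, plus a visible, benign one.
SAMPLE = """<html><body>
<img src="play.png" alt="VIDEO: New Teacher from behind">
<iframe src="https://www.facebook.com/plugins/like.php?href=http://scam.example.invalid"
        style="position:absolute; opacity:0; width:80px; height:25px"></iframe>
<iframe src="https://www.facebook.com/plugins/like.php?href=http://example.com"
        style="border:0"></iframe>
</body></html>"""

if __name__ == "__main__":
    for src in find_hidden_like_frames(SAMPLE):
        print("hidden Like frame:", src)
```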

For more best practices on Facebook security, visit the Sophos Security Hub where we have our guide to Facebook security. To stay up to date with all the latest security news you can follow Sophos on Facebook.


12 Responses to New teacher from behind Facebook likejacking attack leads to survey scam

  1. Luke · 1280 days ago

    I discovered the same thing about the different browsers. I always open any links in the other browser, and sadly almost all of them lately have been these 'likejacking' sites.

  2. Guest · 1279 days ago

    If you do click the link... what are you supposed to do afterwards?

  3. chris · 1279 days ago

    do i have to change my pw now?

  4. Sam · 1279 days ago

    If you don't "like" the link but click on it, can you get infected?

    • Chester Wisniewski · 1279 days ago

      It doesn't infect your computer, it simply spams its message out on your wall. If you didn't click the video you are OK. If you did, you will want to remove the Like from your profile.

  5. rich · 1279 days ago

    I was able to go to my profile and delete and unlike the post.

  6. jjjjj · 1279 days ago

    Facebook should have closed this vulnerability months ago.

  7. Chris · 1279 days ago

    Very informative thank you! Can I ask what browsers you are talking about?

    • Chester Wisniewski · 1279 days ago

      Personally I use Chrome and Firefox, but as long as they are 2 different browsers you can isolate your Facebook from your other clicks.


About the author

Chester Wisniewski is a Senior Security Advisor at Sophos Canada. He provides advice and insight into the latest threats for security and IT professionals with the goal of providing clear guidance on complex topics. You can follow Chester on Twitter as @chetwisniewski, on App.net as Chester, Chester Wisniewski on Google Plus or send him an email at chesterw@sophos.com.