Facebook adds speed bump to slow down likejackers

Filed Under: Clickjacking, Facebook, Privacy, Social networks, Spam

Facebook logoApproximately two weeks ago, Facebook deployed a new security countermeasure to attempt to alert users to the scam tactic known as "likejacking."

Likejacking is a technique in which a spammer creates a website that portrays a fake YouTube-like video player, or other visual lure, and convinces you to click on a button to perform some seemingly normal action, like viewing the video.

What really happens is that you are clicking a Facebook "Like" button that has been hidden underneath the images using a method of coding a webpage called UI redressing.

In the past year, many attacks against Facebook have exploited this technique. Part of the issue with clickjacking/likejacking/UI redressing is that it is technically allowed in the HTML specification.

Facebook like buttonWe have been urging Facebook to require a popup when users click "Like" that warns them that they are choosing to Like something, to ensure they are aware that their click may have been hijacked.

Facebook has responded by implementing a new system that is designed to detect anomalous "Like" patterns and require an additional confirmation for pages that trigger this mechanism. While precise details of how this system detects malicious "Likes" are not available, I have seen it in action and it follows many of the suggestions we have made.

A page that triggers this behavior will display a normal Like button at first. When you click the button (either intentionally, or accidentally in the case of clickjacking) the button changes to Confirm rather than instantly Liking the page.

If you click the button again, it triggers a popup message explaining that you are trying to like the page. This popup is in a separate window, which is important. By making it a popup, they escape the control of the attacker and the page can no longer be modified by the malicious website.

Marika Fruscio likejack

The technical approach to solving this problem is valid, but Facebook's detection algorithm only seems to work in rare instances. Since the deployment of this technology, I have only seen it trigger in a few likejacking attacks.

Trying to anticipate scams from user behavior is difficult, if not impossible, and large numbers of users would have already fallen prey to the scams before the algorithm that was designed to protect them triggered.

Rather than allowing undetected fraudsters to continue to fly under the radar, the ideal solution would be to provide the verification popup whenever a user wishes to Like a page.

An additional problem is that the warning message displayed does not adequately alert a user that they may be falling for a scam. Many of these scams inform the user they must Like the page to see the salacious content.

Simply confirming that the user wishes to Like the page does not give them any good reason not to. Why not tell users that Facebook suspects this page may be malicious?

It's encouraging that Facebook is working on this problem, but their solution doesn't go far enough.

, , , ,

You might like

10 Responses to Facebook adds speed bump to slow down likejackers

  1. Krzysztof Kotowicz · 1303 days ago

    If Facebook uses some heuristics to detect likejacking scams, why don't they block the sites in a first place instead of making it harder to like the page? Detecting likejacking scams is trivial and requries little human intervention, if any.

    All the clickjacking websites I've analyzed in the past are pretty basic and follow the same pattern, it's easy for Facebook to detect this, so when FB decides that the page is related to some like/share anomalies, they could have gone one step further and scan the target page and simply block it - like it happens when users report URLs to Facebook. I don't get why are they stopping halfway.

  2. Will · 1303 days ago

    I was excited until I saw that this supposedly went into effect two weeks ago. These scams have seemed to only get worse, not better. Most of the ones I've seen have been in the last few weeks.

  3. Orphis · 1303 days ago

    Usually, when I see one of these, I report them as spam. I hope they use this heuristic too to identify the malicious websites and ban all the "likes" they've made.

  4. auditor · 1303 days ago

    Can someone direct me to the facebook admins as I have a serious discussion to bring up regarding a current trend whereby companies use face book as a means to market their products and organize contest on it. It usually requires contestants to get the Most Like / Votes to win and this has caused many people to create multiple fake book accounts to vote for themselves. This has gone really bad. Not only it robs genuine participants of a chance to win, but also create a false sense of fans to the prganizers' page. Many of them really thinks that they have increased their fan base by ten fold with such contest but in actual fact they are just being scammed by these cheaters.

    And can someone tell me are companies allowed to use FB to hold contest and use the LIKE feature as a tool to decide the winners? I understand somewhere it has been mentioned it is against the very T&C set forth by Face Book.

  5. snafu · 1303 days ago

    @auditor that used to be the case, but they recently relaxed the rules on promotions

  6. Phil · 1303 days ago

    Much better to protect yourself than rely on Facebook.

    I've been "saved" from this by ClearClick in NoScript.

  7. I dont get why it should be possible to have iframes with opacity:0 or iframes with a with of 1. I cannot think about one valid purpose to use that "feature". Why dont they just remove the opacity tag or the width-tag from the iframe?

  8. Katri · 1290 days ago

    Thank you for this information. Unfortunately this new tool detecting "anomalous like patterns" has also resulted in jamming groups and pages where "liking" is a way of communication. A group page of ours was totally jammed and halted. Now when our newly founded fan page has been operating for only three days, the same is happening there. It is very hard to learn not to click the like button. But we'll try if it helps. Best regards from Finland

  9. JJJ · 1270 days ago

    I noticed that when browsing the internet, it is best to have signed out of your Facebook account. this way, if you accidentally click something (or it is clicked for you) facebook will ask you to sign in. Of course the user will have to have a sense to open a new window, and do a sign in on their own... but it helps!

  10. JHH · 1220 days ago

    This might sound silly... but is it possible that these scammers have victims login information? or no?

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

About the author

Chester Wisniewski is a Senior Security Advisor at Sophos Canada. He provides advice and insight into the latest threats for security and IT professionals with the goal of providing clear guidance on complex topics. You can follow Chester on Twitter as @chetwisniewski, on App.net as Chester, Chester Wisniewski on Google Plus or send him an email at chesterw@sophos.com.