Messages are spreading rapidly across Facebook, as users get tricked into clicking on links claiming to show an amazing video of a big baby being born.
The messages are spreading with the assistance of a clickjacking scam (sometimes known as likejacking) which means that users do not realise that they are invisibly pressing a "Like" button to pass the message onto their online friends.
A typical message looks as follows:
Baby Born Amazing Effect - WebCamera
[LINK]
Big Baby Born !
(Note: I have obscured the thumbnail used in the messages, as some may find it offensive because of its err.. anatomical nature.)
The links we have seen so far all point to pages hosted on blogspot.com, and appear to contain a video player that you are urged to click on.
The pages are headlined: "Baby Born Video - Amazing Effects".
See the message at the bottom of the page? It reads:
If Play Button don't work please click on the Like button and Confirm, then you can watch the Video.
It's at this point that the clickjacking scam plays its part. If you try to play the video then you will be secretly and unwittingly saying that you "Like" the link, and sharing it with your friends. In this way the link spreads virally.
As regular readers of Sophos's Facebook page will know, scams like this have been seen on far too many occasions. It's a crying shame that Facebook's own security measures don't warn about this particular clickjacking attack.
If you were running anti-clickjacking protection, such as the NoScript add-on for Firefox, then you would see a warning message about the attempted clickjacking:
Unfortunately, thousands of Facebook users appear to have fallen for the scam - and are helping the links spread rapidly across the social network.
Here's how you can clean-up your Facebook page.
Find the offending message on your Facebook page, and select "Remove post and unlike".
Unfortunately that doesn't completely remove the interloping link. You also need to go into your profile, choose Activities and Interests and remove any pages that you don't want to "Like".
If only folks were more careful about the links they clicked on when using Facebook.
If you're on Facebook and want to learn more about spam, malware, scams and other threats, you should join the Sophos Facebook page where we have a thriving community of over 90,000 people.
Follow @gcluley
![Password security infomerical leaves Ellen DeGeneres in disbelief.. and it will you too [VIDEO]](http://sophosnews.files.wordpress.com/2013/04/ellen-thumb.jpg?w=75&h=75&crop=1)
![Can multiple moving cursors really hide your password from spyware and peepers? [VIDEO]](http://sophosnews.files.wordpress.com/2013/03/cursors-thumb.jpg?w=75&h=75&crop=1)
This scam appeared in my news feed a coulpe of days ago ... I posted an article about it on my blog (in portuguese) and posted the video itself which I captured. I'ts amazing how people are still falling for this type of trick, which became the most used one on Facebook.
People who fell for this trap are "auto-liking" other pages : f.e. I Love Music, I Love Money.
I cannot quite decide if this clickjacking is clever or just inept.
The blogspot page appears to be broken from the Finnish localization of blogspot. Does this link to CPA surveys at any point? I cannot find anything from the Page Source.
The links posted to Facebook appear random/polymorphic in nature, and they then all resolve to the babybronvideo.blogspot.com, but it's being done manually, using an HTML META REFRESH tag... and the author actually uses a BLINK tag to make it look as if it's JavaScript!
And the babybronvideo blogspot page... the source pulls from an IP address:
hxxp://174.132.183.34/~charly/
That IP address is registered to ThePlanet.com Internet Services, Inc. in Houston, Texas. This appears to be the result of some kid hacking around, attempting to setup his own kit.
Very bizarre implementation.
I stand corrected. The IP address: 174.132.183.34 redirects to a Facebook application called Likes5.
The developer of Likes5 is Dragi Charly Bogdanovski from Skopje, Macedonia: http://www.facebook.com/dragi.bogdanovski
He's not a kid.
The hxxp://174.132.183.34/~charly/ folder referenced in the blogspot page would seem to indicate that Charly is behind this.
His Likes5 application has 193,035 active users.
What is this guy up to?
Probably going to sell his 'liking' software to people eager to jump on the social network marketing bandwagon.
I fell for it, yes.
Thanks for the information. I've already removed the post on my wall, but I did not unlike.
Now I'll go to remove it from my profile's interests list.
I will also download NoScript add on.
Your article is very helpful and informative. Thanks again.
how is this a f***ing scam? this is not a scam if you get the the results.. the result is a video you get to see after you click like and it even tells you to "like" it. if this was clickjack you wouldnt even know it clicked "like"
might stop visiting sophos blog if this is all they post about.
disappointed.
It uses a clickjacking technique to trick users into Liking it. That's a scam in my book.
I suspected this was a virus when I saw it on a friend's wall. Before calling to warn her, I googled the name to check for virus warnings. That's it. Never watched the video. Never clicked on the like or to play on Facebook. I called and warned my friend who immediately removed it from her page and thanked me. About 10 minutes later, another friend called ME to warn ME that it was on MY page! I'm not tech savvy, but that surprised me. :(
So does it even show a video of a baby being born?
I haven't fallen for this video! :)
I'm not medically-qualified, so I don't think it's possible for me to confirm with any accuracy.
Why take the risk? Plenty of legitimate videos out there if you really want to see a baby being born. Me? I'd rather watch Watercolour Challenge.
It is a mirror trick of a guy's shoulder and head where it looks like he is emerging from a body. No baby.
Sure. But be sure to remove it from your Facebook profile and list of "Like"d pages too.
Is guest an associate of the Baby Born Video scam ?? I rarely fall for these traps, but I got the link from a female freind who does like babies and showed she liked it, so I wouldn't have concieved the possibilty it would be anything else than a link from her.
When it asked where I want a flat screen TV sent to and win iPad etc, asking for details including postcode and phone number I knew it was a dodgy link. The Win the iPad/TV box has no X and no skip, so unless you give all your details to someone you have no clue who there are, you can't watch the video (if it actually exists).
Anything that asks you to give your personal information out before you can confirm if the link/service/product is legitimate is a scam in my book.
"(Note: I have obscured the thumbnail used in the messages, as some may find it offensive because of its err.. anatomical nature.)"
Negative, it does not. It's a mirror-image of an armpit or something, but it is NOT what it appears to be at first glance.
Yep it's a mirror image thingy. I does *kinda* look like female parts though. I stress KINDA>>>LOL
I fell for this scam but I can't seem to find a way remove it from my wall as it won't show up there. Did I fall for it or magically remove it?
I knew the "Baby Born Video - Amazing Effects" was a phishing scam so I researched it and I was right!
Why do people fall for this stuff, I swear I have seen this video appear on my FB feed more than 20x!
Thank you for your informative comments. After clicking on something similar a few months ago, I then discovered that this was some sort of scam. I have tried my best to keep my FB page secure and these dumb phishing videos, in my opinion, are just a way for who ever to get around those of us who tightened up our privacy.
Well I fell for it to a point, I didn't see a video. I also didn't fill out the personal information forum. If some did then they now know your Name address and phone number plus email address.
YA I was a brainless dupe too... I clicked for the vid. didn't see one but filled nothing out and closed. I went looking for it in my Facebook and can find any trace of it, not even the original post on my news feed. Question... Is it really gone?????
I thought that and then about 15 minutes later it appeared. It seemed slightly delayed for me.
If you click "mark as spam" will the person who posted it get in trouble or get their facebook account disabled?
I'd hope not - as they are probably an innocent victim of the fraud themselves.
But the precise inner machinations of Facebook's security processes are probably known only to them.
Do these like jacking scams do any harm to the user's computer or any friends who have clicked on it?
I only did report as spam. That seems to also have removed it and also unliked it. Nothing was on the profile page and list of liked pages afterwards
I posted this page onto my Facebook account and my brother-in-law commented "What's the point?", but then managed to like it himself a few days later. My next post chastised him for not reading my posts! His reply was that he was at work all day and hadn't accessed his account when the 'like' button was clicked! So, what is going on with this... at a guess, I'd say it is a scam, and there's probably a lot more to it than meets the eye.
Is there a "no script" add on for Chrome?
There is a setting already in Chrome to turn Javascript off, no addon is needed.
when I tell my friends its a scam they say don't worry I used my iphone! but what about all there friends who may get lured in???
The scam has changed.
I noticed the post in a friend's newsfeed. I suspected that it was a scam but I figured before I told him so I better see where the link leads. The destination page looked like a typical scam page, but I didn't see any way of safely closing the page, so I closed the browser (FF4) without clicking on anything else.
Nevertheless, the scam page managed to insert its message into my newsfeed with any further action from me. I was both impressed and annoyed. Since this scam will work with any kind of subject, it means that until FB figure out how to prevent posts like that, it is no longer safe to click on any "liked" pages in FB.
Which people are falling for this?
These people need to go outside and play tennis or something of the sort; it's disappointing!