Facebook Worm - "Likejacking"

Filed Under: Clickjacking, Facebook, Malware, Social networks, SophosLabs

Graham posted earlier about a new Facebook clickjacking worm, and as someone who saw this spreading like wildfire among members of my own contact list I thought I'd dig into it a little.

The technique is exactly as Graham describes - when you "Click here to continue" you're in fact clicking an invisible link (detected as Troj/Iframe-ET) which marks the website as one that you "like" in Facebook. This of course posts a message to your newsfeed, your friends see it and click on it, and so it spreads.

The code used here to hijack your likes, or "likejack", looks like it is fairly generic, probably not even written by the person who sent it spreading around Facebook. In fact the same code appeared a couple of weeks ago on a general code site, with the comment:

First, if you want to see this in action just so you know it's not BS, make sure you haven't signed out of Facebook, go to the site below, and just click anywhere on the page (this is one of my sites, don't worry):

Let's have a look at the site used in this proof-of-concept (click on the image to enlarge):

Facebook Clickjacking 1

Can you guess what dastardly social engineering technique the author was talking about when he said "I put page content here to demonstrate that this should now work even with content on your page"?

Facebook Clickjacking 2

Why mess with success? This is a tried and tested way to get people to click ... though I've cropped out the main image, and just left the helpful text description. Sorry, it's not that kind of blog.

Of course the current worm uses other lures to get people to click, such as "LOL This girl gets OWNED after a POLICE OFFICER reads her STATUS MESSAGE".

Facebook Clickjacking 3

So how did they get this title to appear in the newsfeed with such click-enticing phrases? The answer lies in tags included in the page that you "like", as described by Facebook themselves in their developers "how-to" section:

Facebook Clickjacking 4

Reading this documentation makes it clear quite how obvious a target all this is to those with a nefarious bent, and I'd expect to see a *lot* more of this in the future.

If you clicked one of these dodgy Facebook links, you need to do the following two things:

1) Remove the page from your "Likes and interests" section.

  • Click "Edit My Profile", then "show other pages", and then "Remove Page" ... or
  • Click "Account" in the top right corner, then "Edit friends", select the "Pages" list, and click the X next to the page

2) Delete the page from your newsfeed - it will probably be in the "Recent Activity" section, but you may need to scroll down a bit to find it.

If you're regular user of Facebook, you should join the Sophos page on Facebook to be kept informed of the latest security threats.

Later this week I'll talk about what other dastardly deed-doers are planning for Facebook.

, , , , ,

You might like

2 Responses to Facebook Worm - "Likejacking"

  1. Albert Keizer · 1716 days ago

    Unliking your like which like-jacked you became easy: just try to delete the 'Your Name likes 'like-jack-message' in your Recent Activity, described as step 2 above.
    A menu will pop-up which gives you the opportunity to directly remove the message and unlike the page.

  2. Dead Mariner · 1450 days ago

    So this is how BP is getting so many likes on their FB page recently....

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s