Facebook Worm – “Likejacking”

Graham posted earlier about a new Facebook clickjacking worm, and as someone who saw this spreading like wildfire among members of my own contact list I thought I’d dig into it a little.

The technique is exactly as Graham describes: when you “Click here to continue” you are in fact clicking an invisible Facebook “Like” button, loaded in a transparent iframe (detected as Troj/Iframe-ET) that sits on top of the visible page content. Because you are already logged in to Facebook, the click is accepted as you marking the website as one that you “like”. This of course posts a message to your newsfeed, your friends see it and click on it, and so it spreads.

The code used here to hijack your likes, or “likejack”, looks fairly generic, and was probably not even written by the person who set it loose on Facebook. In fact the same code appeared a couple of weeks ago on a general code site, with the comment:

First, if you want to see this in action just so you know it’s not BS, make sure you haven’t signed out of Facebook, go to the site below, and just click anywhere on the page (this is one of my sites, don’t worry):

Let’s have a look at the site used in this proof-of-concept:

Facebook Clickjacking 1

Can you guess what dastardly social engineering technique the author was talking about when he said “I put page content here to demonstrate that this should now work even with content on your page”?

Facebook Clickjacking 2

Why mess with success? This is a tried and tested way to get people to click … though I’ve cropped out the main image, and just left the helpful text description. Sorry, it’s not that kind of blog.

Of course the current worm uses other lures to get people to click, such as “LOL This girl gets OWNED after a POLICE OFFICER reads her STATUS MESSAGE”.

Facebook Clickjacking 3

So how did they get this title to appear in the newsfeed with such click-enticing phrases? The answer lies in the Open Graph meta tags (og:title, og:image and so on) included in the page that you “like”: Facebook reads them to decide what the “like” looks like in the newsfeed, as described by Facebook themselves in their developers “how-to” section:

Facebook Clickjacking 4

Reading this documentation makes it clear just how obvious a target all this is to those with a nefarious bent, and I’d expect to see a *lot* more of this in the future.
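To make the two ingredients described above concrete, here is an added example (not the worm’s code, and not anything from the original post or Facebook’s documentation): a small Node.js script that statically scans a page’s HTML for a Facebook Like button iframe that has been made transparent, and pulls out the Open Graph tags that would dress up the resulting newsfeed entry. The facebook.com/plugins/like.php endpoint and the og: tag names are the real ones; the hostnames (lure.example, blog.example) and both sample pages are constructed for the demonstration. Two caveats: a static check like this only catches the simple opacity:0 case, and a lure page can just as well move a tiny iframe under the cursor with JavaScript; and because the Like button is designed to be embedded in other people’s pages, the X-Frame-Options style defence that stops ordinary clickjacking is not something Facebook can apply to it.

```javascript
// Added example (not the worm's code, not Sophos's): scan a page's HTML for
//   1. an <iframe> loading the Facebook Like plugin (facebook.com/plugins/like.php,
//      the real endpoint) made transparent so a click on the visible page lands
//      on the hidden button; and
//   2. the Open Graph <meta> tags (og:title, og:image, ...) that decide what the
//      resulting "like" looks like in the victim's newsfeed.
// Hostnames such as lure.example and both sample pages are constructed here.

// Return the attributes of every <tagName ...> in the HTML as lower-cased
// key/value objects. Deliberately minimal: no DOM, static markup only.
function findTags(html, tagName) {
  const tagRe = new RegExp('<' + tagName + '\\b([^>]*)>', 'gi');
  const attrRe = /([a-zA-Z_:-][\w:.-]*)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+))/g;
  const tags = [];
  let t;
  while ((t = tagRe.exec(html)) !== null) {
    const attrs = {};
    let a;
    while ((a = attrRe.exec(t[1])) !== null) {
      attrs[a[1].toLowerCase()] = a[2] !== undefined ? a[2] : a[3] !== undefined ? a[3] : a[4];
    }
    tags.push(attrs);
  }
  return tags;
}

// True when an inline style hides the element but keeps it clickable:
// opacity:0 (or the old IE filter form). display:none or visibility:hidden
// would also hide it, but then it would not receive the click.
function isInvisibleButClickable(style) {
  const s = (style || '').replace(/\s+/g, '').toLowerCase();
  return /(^|;)opacity:0+(\.0+)?(;|$)/.test(s) || /alpha\(opacity=0+\)/.test(s);
}

// Is this src the Like button plugin on a facebook.com host?
function isLikePlugin(src) {
  let u;
  try { u = new URL(src); } catch (e) { return false; }
  return /(^|\.)facebook\.com$/i.test(u.hostname) && u.pathname.endsWith('/plugins/like.php');
}

// Collect the og:* tags as { title: '...', image: '...', ... }.
function openGraphTags(html) {
  const og = {};
  for (const m of findTags(html, 'meta')) {
    const prop = (m.property || m.name || '').toLowerCase();
    if (prop.startsWith('og:')) og[prop.slice(3)] = m.content || '';
  }
  return og;
}

// Report every hidden Like iframe (with the URL it would "like") plus the
// Open Graph tags that control the newsfeed entry.
function scanForLikejacking(html) {
  const hidden = [];
  for (const f of findTags(html, 'iframe')) {
    if (!f.src || !isLikePlugin(f.src)) continue;
    if (!isInvisibleButClickable(f.style)) continue; // a visible Like button is legitimate
    hidden.push({ likes: new URL(f.src).searchParams.get('href'), style: f.style });
  }
  return { hiddenLikeButtons: hidden, openGraph: openGraphTags(html) };
}

// Constructed lure page: the title is the one quoted in the post, the host is made up.
const LURE_PAGE = `<html><head>
<meta property="og:title" content="LOL This girl gets OWNED after a POLICE OFFICER reads her STATUS MESSAGE" />
<meta property="og:image" content="http://lure.example/thumb.jpg" />
<meta property="og:type" content="website" />
</head><body>
<div class="content">Click here to continue</div>
<iframe src="http://www.facebook.com/plugins/like.php?href=http%3A%2F%2Flure.example%2F&layout=button_count"
        style="position:absolute; top:0; left:0; opacity:0; filter:alpha(opacity=0);"
        scrolling="no" frameborder="0"></iframe>
</body></html>`;

// Constructed benign page: same plugin, but visible, so it must not be flagged.
const BENIGN_PAGE = `<html><body>
<iframe src="http://www.facebook.com/plugins/like.php?href=http%3A%2F%2Fblog.example%2F"
        style="border:none; width:120px; height:21px;"></iframe>
</body></html>`;

console.log(JSON.stringify(scanForLikejacking(LURE_PAGE), null, 2));
console.log('benign page hidden Like buttons:', scanForLikejacking(BENIGN_PAGE).hiddenLikeButtons.length);
```

Run it with `node` and the lure page reports one hidden Like button for http://lure.example/ together with the og:title that would appear in the newsfeed, while the benign page with an ordinary visible Like button reports none. The same functions can be pointed at saved pages from a proxy log or crawler to triage links before anyone on your contact list clicks them.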

If you clicked one of these dodgy Facebook links, you need to do the following two things:

1) Remove the page from your “Likes and interests” section.

  • Click “Edit My Profile”, then “show other pages”, and then “Remove Page” … or
  • Click “Account” in the top right corner, then “Edit friends”, select the “Pages” list, and click the X next to the page

2) Delete the page from your newsfeed – it will probably be in the “Recent Activity” section, but you may need to scroll down a bit to find it.

If you’re a regular user of Facebook, you should join the Sophos page on Facebook to be kept informed of the latest security threats.

Later this week I’ll talk about what other dastardly deed-doers are planning for Facebook.