Updated: Many Facebook users are being hit by further clickjacking attacks today, taking advantage of the social network’s “Like” facility.
The latest lure is a link which claims to point to a website containing a naked photo of Hayley Williams, the lead singer of the American rock band Paramore.
Affected profiles can be identified by seeing that the Facebook user has apparently “liked” a link:
Paramore n-a-k-ed photo leaked!
The fact that 21-year-old Hayley Williams has recently been the subject of much internet interest after a topless photo of her was leaked online, is only likely to fuel interest in the naked pictures promised by these links. But take care, because all may not be what it seems.
Clicking on the links takes Facebook users to a third-party website which displays a message saying:
Click here to continue if you are 18 years of age or above
What the hackers have actually done is very sneaky. They have placed an invisible Facebook “Like” button, loaded in a transparent iframe, directly under your mouse pointer, so wherever you click on the website your mouse-press is hijacked. As a consequence, when you click with the mouse you’re also secretly clicking on a button which tells Facebook that you ‘like’ the webpage. This then gets published on your own Facebook page, and shared with your online friends, resulting in the link spreading virally.
Attacks like this can spread very fast. Judging by the number of messages I’ve seen, thousands have already found it impossible to resist the idea of seeing the lead singer of Paramore naked and have fallen head-first into the “likejacking” trap.
This use of a clickjacking exploit to publish the same message (via an invisible iframe) to the visiting user’s own Facebook page works in a similar fashion to the clickjacking attacks we saw earlier this week.
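As an added illustration (this is not code from the original post, nor Facebook’s or Sophos’s own code), here are the two defender-side checks that correspond to the mechanism just described. `isFramed` is the in-page test a website can run to learn whether it has been loaded inside somebody else’s iframe; `framingPolicy` classifies the anti-framing response headers (X-Frame-Options and the CSP frame-ancestors directive) a site sends, so you can audit whether a given page can be framed by arbitrary third-party sites at all. The `win` argument and the sample header sets are constructed for the example. The caveat the example makes visible: a “Like” widget is designed to be framed by any third-party page, so it necessarily looks like the “no protection” case, and header-based defences cannot apply to it; that is why the fix has to come from how the social network treats the resulting click.

```javascript
// Defender-side clickjacking checks (added example, not the original post's code).

// 1. In-page framing check. 'win' is injected so the logic can be exercised
//    outside a browser; in a real page call isFramed(window).
function isFramed(win) {
  try {
    return win.top !== win.self;
  } catch (e) {
    // Touching win.top throws when the framing page is a different origin,
    // which is exactly the third-party-website situation described above.
    return true;
  }
}

// 2. Classify a response's anti-framing headers.
//    Returns { frameable, by, allowed } where 'by' names the header that decided.
//    When a CSP frame-ancestors directive is present it takes precedence over
//    X-Frame-Options, matching how browsers resolve the two.
function framingPolicy(headers) {
  const h = {};
  for (const [k, v] of Object.entries(headers)) h[k.toLowerCase()] = String(v);

  const csp = h['content-security-policy'] || '';
  const directive = csp
    .split(';')
    .map((s) => s.trim())
    .find((s) => s.toLowerCase().startsWith('frame-ancestors'));
  if (directive) {
    const sources = directive
      .split(/\s+/)
      .slice(1)
      .map((s) => s.replace(/^'|'$/g, '').toLowerCase());
    if (sources.includes('none')) return { frameable: false, by: 'csp', allowed: [] };
    if (sources.includes('*')) return { frameable: true, by: 'csp', allowed: ['*'] };
    return { frameable: true, by: 'csp', allowed: sources };
  }

  const xfo = (h['x-frame-options'] || '').trim().toUpperCase();
  if (xfo === 'DENY') return { frameable: false, by: 'x-frame-options', allowed: [] };
  if (xfo === 'SAMEORIGIN') return { frameable: true, by: 'x-frame-options', allowed: ['self'] };
  if (xfo.startsWith('ALLOW-FROM')) {
    // Obsolete form; modern browsers ignore it, so treat it as no protection.
    return { frameable: true, by: 'none', allowed: ['*'] };
  }

  // No anti-framing header at all: any site can embed this page in an iframe.
  return { frameable: true, by: 'none', allowed: ['*'] };
}

// Constructed sample responses (not captured from any real site).
const SAMPLE_RESPONSES = {
  hardenedSite: { 'Content-Security-Policy': "default-src 'self'; frame-ancestors 'none'" },
  legacySite: { 'X-Frame-Options': 'SAMEORIGIN' },
  embeddableWidget: { 'Content-Type': 'text/html' }, // what a "Like" widget endpoint must look like
};

function auditSamples() {
  const report = {};
  for (const [name, headers] of Object.entries(SAMPLE_RESPONSES)) {
    report[name] = framingPolicy(headers);
  }
  return report;
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(JSON.stringify(auditSamples(), null, 2));
}
```

In a real page the framing check would be paired with a visible warning or by refusing to render interactive controls while framed; the header audit is the check you would run over your own endpoints to make sure the pages that carry state-changing buttons are not embeddable by strangers.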
It’s clear that Facebook needs to tighten up the way it handles the ‘liking’ of external webpages before it is even more widely abused by malicious hackers and spammers.
If you believe you may have been hit by this attack, view the recent activity on your news feed and delete entries related to the above links. Furthermore, you should view your profile, click on your Info tab and remove any of the pages from your “Likes and interests” section.
If you’re a regular user of Facebook, you should join the Sophos page on Facebook to be kept informed of the latest security threats.
And, please, if you have Facebook friends or acquaintances who have fallen foul of this attack please warn them about it, and suggest that they click a little more carefully in future.
Update: Interestingly, the same third-party website hosting the “Paramore naked photo” clickjacking attack is also carrying another webpage containing a clickjacking attack related to teen heart-throb singing sensation Justin Bieber.
If you click on a Facebook “like” link declaring
Justin Biebers Phone Number Leaked!
then you may find yourself taken to a webpage which says “Click here to continue”.
If you do click then you will have your mouse-press hijacked (declaring to all of your Facebook friends that you “Like” “Justin Bieber’s Phone Number Leaked!”) and you will be presented with what is claimed to be Justin Bieber’s phone number and address in Florida.
I have no way of telling if the phone number and address are genuine, and I don’t think it’s appropriate to share them regardless, so I’ve pixelated them out in the screenshot above.
Of course, it’s not the first time we’ve seen Justin Bieber’s popularity exploited by cybercriminals.
Hat-tip: Thanks to @theharmonyguy for informing me about the Justin Bieber-related clickjacking.