Facebook “likejacking” targets World Cup, BP, Shrek, UFC, …

We said we thought we were going to see a lot more Facebook “likejacking”, and sure enough that’s exactly what’s happened – there’s been an explosion of pages exploiting this technique to get users to “like” pages without them even realising.

In Graham’s initial post he listed the following topics:

  • LOL This girl gets OWNED after a POLICE OFFICER reads her STATUS MESSAGE.
  • This man takes a picture of himself EVERYDAY for 8 YEARS!!
  • The Prom Dress That Got This Girl Suspended From School.
  • This Girl Has An Interesting Way Of Eating A Banana, Check It Out!

Most of these took you through an intermediate “Click here to continue” page, which is where the actual clickjacking occurred – an invisible link follows your mouse and means that any click you make generates a “like” for that page, or any page of its choosing, in your Facebook profile. We detect these clickjacking pages as Troj/Iframe-ET.
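As an added illustration (not Sophos's detection logic for Troj/Iframe-ET and not code from the original post), the following static check flags a page that combines the two traits described above: an element styled to be invisible and a mouse-movement handler. The function names, the 0.1 opacity threshold and the sample fragments are assumptions constructed for this example.

```javascript
// Added illustration: static heuristic for an invisible element plus mouse tracking.
// Thresholds and patterns are assumptions, not a vendor's detection logic.

// Return the value of a CSS property from an inline style string, or null.
function cssValue(style, prop) {
  const m = new RegExp('(?:^|;)\\s*' + prop + '\\s*:\\s*([^;]+)', 'i').exec(style);
  return m ? m[1].trim().toLowerCase() : null;
}

// True when an inline style makes the element effectively invisible.
function isInvisible(style) {
  const opacity = cssValue(style, 'opacity');
  if (opacity !== null && parseFloat(opacity) <= 0.1) return true;
  const filter = cssValue(style, 'filter') || '';
  const alpha = /alpha\(\s*opacity\s*=\s*(\d+)/.exec(filter); // legacy IE syntax
  return alpha !== null && parseInt(alpha[1], 10) <= 10;
}

// Flag a page only when both traits are present; report each trait found.
function scanForLikejacking(html) {
  const findings = [];
  const hidden = [];
  const tagRe = /<(iframe|a)\b([^>]*)>/gi;
  let m;
  while ((m = tagRe.exec(html)) !== null) {
    const style = /style\s*=\s*(["'])(.*?)\1/i.exec(m[2]);
    if (style && isInvisible(style[2])) hidden.push(m[1].toLowerCase());
  }
  if (hidden.length) findings.push('invisible-element:' + hidden.join(','));
  const tracksMouse = /onmousemove|addEventListener\(\s*["']mousemove/i.test(html);
  if (tracksMouse) findings.push('mouse-tracking');
  return { suspicious: hidden.length > 0 && tracksMouse, findings };
}

// Constructed, non-functional fragments used as sample input.
const SAMPLE_SUSPECT = `<p>Click here to continue</p>
<iframe src="https://widgets.example/like" style="position:absolute; opacity:0; width:50px"></iframe>
<script>document.onmousemove = moveFrame; /* handler body omitted */</script>`;
const SAMPLE_BENIGN = `<iframe src="https://widgets.example/like" style="width:120px; height:24px"></iframe>`;

console.log(scanForLikejacking(SAMPLE_SUSPECT), scanForLikejacking(SAMPLE_BENIGN));
```

The check reads inline styles only, so it is a triage aid for suspect pages rather than a verdict.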

My post looked at the origins of the code, and said I was expecting to see a *lot* more of this. Well, we have.

Graham posted a few hours ago about two new topics we saw, both celebrity related, both about embarrassing leaks:

  • Paramore n-a-k-ed photo leaked!
  • Justin Biebers Phone Number Leaked!

The Justin Bieber page had more boring “Click here to continue” content, but the Paramore one tapped into the adult situation and asked you to click to confirm your age:

[Image: Paramore Naked Photo Age Check]

We’ve also seen other topical posts though:

  • WORLD CUP 2010 in HD

[Image: World Cup 2010 in HD]

  • Top Secret Video you’ve NEVER seen

[Image: BP Secret Video]

  • Shrek: Forever After

[Image: Shrek Forever After]

  • Watch UFC 114 Online

[Image: Watch UFC Online]

  • The Best Passport Application Rejection In History! LMAO

  • Download Guides and Cheats for Facebook Zynga & Playfish Games!

[Image: Facebook Cheatbot]

In fact, some of the meta-data isn’t set up correctly in a couple of the pages, so they won’t display the liked pages quite as cleanly as shown here.

There are undoubtedly more topics out there – we’ll keep you posted as we find them, and you can join the Sophos page on Facebook to get the latest info about these and other threats.

In the meantime, if you use Firefox you might want to install NoScript, since that helps protect against clickjacking (and did when we first talked about clickjacking a couple of years ago). And if you have clicked on one of these links, remove the reference to it from your profile and your newsfeed to help avoid passing it on to your friends (more details on how to do this in our previous blogs).