This week I've been talking about Facebook clickjacking worms that spread by hijacking Facebook "likes", using a variety of different topics to get people to click. Today I thought I'd mention another technique being plotted by similar groups of people.
While searching for more information about the likejacking script, I saw it was being referenced by a few other pages. One of them was a post from a freelance jobs website:
The "example of a code that automatically Likes a page when user clicks anywhere on this site" is the likejacking script we're seeing used by the current worms. But this developer wants to do more than just have you "like" a page automatically - presumably they find that method too passive, since it only really spreads to your friends if they happen to see the story on their newsfeeds. Instead, this person wants a specific invitation to be sent out to a user's friends when they visit the site.
In case you find his description a bit too wordy, the author even provided a nice little 1-2-3 guide to what he wants to happen, complete with visual aids:
STEP 1: User comes to my website and this script automatically starts the inviting process by selecting 8 friends from the user's friend list, and after that automatically clicks on "Send <SITE REDACTED> Invitation"
Having clicked on the site, the intention is that your Facebook session immediately starts sending invites to your friends, without any interaction on your part.
STEP 2: When step 1 is completed, a pop-up window will open and the script has to automatically click on "Send"
Sending an invitation usually involves you having to manually click the send button - this author again wants to remove that level of interaction.
STEP 3: When step 2 is completed, a last window appears where the script has to automatically click on "Skip" and redirect the user to any URL (I should be able to change this URL later). That's all there needs to be done!
And again, after the invitation has been sent there's a stage asking the user to send the site to people not on Facebook - this also needs to be skipped without user interaction.
Given that there were already 3 bids for this project, I'd expect to see this technique in use fairly shortly. In the short term, however, we're more likely to see a continued focus on likejacking: it's a proven technique, it's easy to implement, and we've already seen a lot of (unwanted) interest in it since it was first introduced.
Don't forget, if you're browsing with Firefox then the NoScript plugin helps protect against clickjacking, and may also help against this auto-invitation technique. You might want to join the Sophos page on Facebook so we can keep you updated if and when we see it being used. And, of course, think before you click!