Graham blogged about a Facebook clickjacking worm back in May which we dubbed Likejacking -- for a number of weeks the threat ran rampant throughout Facebook. Since then, it has calmed down quite a bit and we don't see much likejacking anymore. However, today we came across a new form of clickjacking where, instead of tricking the user into liking something, it tricks them into using the Facebook "Share" feature without requiring the user to acknowledge the fact that they're sharing it.
It starts off on a suspicious looking Facebook fan page where they offer the opportunity to see the "Top 10 Funny T-Shirt Fails ROFL." Once the page is loaded, it loads the appropriate tab and grabs the malicious script from an external domain that silently forces the user automatically share the page on their profile.
Users running the Firefox plugin NoScript who click on the Next button on step 2 will notice the following warning popup.
Had you not been running NoScript you'd notice, or more likely you wouldn't notice, that your profile page would now have shared content linking users to a malicious domain. Clicking the link sends you to one of many fan pages all serving the exact same content. It seems a fan page is chosen at random.
If you happen to be one of the people who fell victim to this scam be sure to click the "Remove" option as seen in the image above to clear the content from your profile. This will help prevent friends of yours from being compromised and possibly falling victim to the scam.
Finally, in the last step they ask you to fill in the actual survey that Graham blogged about for a different Facebook threat seen earlier in the week. The whole purpose of having them spread this threat virally is to get as many people as they can to fill in these surveys for monetary gain. Of course, you might find yourself doing more than just filling out a simple survey. When attempting one of the surveys myself, they requested my cell phone number. Before filling it in I decided to read the fine print, which reads as follows.
In other words, by providing your cell phone number you're subscribing to a paid phone service that charges you $5 per week via your cell phone provider. Unfortunately most people won't read the fine print and will willingly hand over the information and likely won't notice the charges until the end of the month.
Sophos users will be happy to know that at the time of the blog we're in the process of publishing detection of the Sharejacking threat as Troj/FBJack-A. In addition we block the domain in question hosting the malicious code.
If you're on Facebook, and want to learn more about security threats on the social network and elsewhere on the internet, join the Sophos Facebook page.
Update: Kudos to Facebook for responding almost immediately to my report about the threat by deleting all the associated fan pages.