New Facebook Clickjacking Worm

Graham blogged about a Facebook clickjacking worm back in May which we dubbed Likejacking — for a number of weeks the threat ran rampant throughout Facebook. Since then, it has calmed down quite a bit and we don’t see much likejacking anymore. However, today we came across a new form of clickjacking where, instead of tricking the user into liking something, it tricks them into using the Facebook “Share” feature without requiring the user to acknowledge the fact that they’re sharing it.

Facebook Sharejacking

It starts off on a suspicious-looking Facebook fan page offering the chance to see the “Top 10 Funny T-Shirt Fails ROFL.” Once the page is loaded, it loads the appropriate tab and grabs the malicious script from an external domain, which silently forces the user to share the page on their profile without any acknowledgement on their part.
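The trick described above only works because the page that performs the “Share” action can be loaded inside an invisible frame on an attacker-controlled site. As an added example (not code from the original post, from Facebook or from Sophos), the function below takes the response headers of any one-click action endpoint you operate and decides whether a browser would let a given third-party origin frame it, applying the rule that a CSP `frame-ancestors` directive overrides `X-Frame-Options`; the origins used in the comments are hypothetical placeholders.

```javascript
// Added example: decide whether a page is frameable by a third-party origin,
// given its response headers. Origins are written as "scheme://host".
// Sharejacking depends on the answer being "yes" for an attacker's origin.

function getHeader(headers, name) {
  const key = Object.keys(headers).find((k) => k.toLowerCase() === name);
  return key === undefined ? null : headers[key];
}

// Return the frame-ancestors source list from a CSP, or null if absent.
function parseFrameAncestors(csp) {
  for (const directive of csp.split(';')) {
    const tokens = directive.trim().split(/\s+/);
    if (tokens[0].toLowerCase() === 'frame-ancestors') {
      return tokens.slice(1).map((t) => t.replace(/^'|'$/g, '').toLowerCase());
    }
  }
  return null;
}

// Does one frame-ancestors source expression admit the framer origin?
// Simplification: the scheme of a host source (https://host.example) is ignored.
function sourceAllows(source, pageOrigin, framerOrigin) {
  if (source === '*') return true;
  if (source === 'none') return false;
  if (source === 'self') return framerOrigin === pageOrigin;
  if (/^[a-z][a-z0-9+.-]*:$/.test(source)) return framerOrigin.startsWith(source);
  const hostPattern = source.replace(/^[a-z]+:\/\//, '');
  const framerHost = framerOrigin.replace(/^[a-z]+:\/\//, '');
  if (hostPattern.startsWith('*.')) return framerHost.endsWith(hostPattern.slice(1));
  return framerHost === hostPattern;
}

function canBeFramedBy(headers, pageOrigin, framerOrigin) {
  const csp = getHeader(headers, 'content-security-policy');
  const ancestors = csp === null ? null : parseFrameAncestors(csp);
  if (ancestors !== null) {
    // With frame-ancestors present, browsers ignore X-Frame-Options entirely.
    return ancestors.some((s) => sourceAllows(s, pageOrigin, framerOrigin));
  }
  const xfo = getHeader(headers, 'x-frame-options');
  if (xfo === null) return true; // nothing stops an iframe from any origin
  const value = xfo.trim().toUpperCase();
  if (value === 'DENY') return false;
  if (value === 'SAMEORIGIN') return framerOrigin === pageOrigin;
  return true; // ALLOW-FROM and malformed values are ignored by current browsers
}
```

Run it over the headers of every endpoint that performs an action on a single click; any endpoint for which it returns true against an origin you do not control is a sharejacking candidate.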

Sharejacking Step 2

Users running the Firefox plugin NoScript who click on the Next button on step 2 will notice the following warning popup.

NoScript Sharejacking Warning

Had you not been running NoScript, you’d notice, or more likely you wouldn’t notice, that your profile page now had shared content linking users to a malicious domain. Clicking the link sends you to one of many fan pages all serving the exact same content; it seems a fan page is chosen at random.

Facebook Sharejacking Shared Content

If you happen to be one of the people who fell victim to this scam be sure to click the “Remove” option as seen in the image above to clear the content from your profile. This will help prevent friends of yours from being compromised and possibly falling victim to the scam.

Facebook Sharejacking Surveys

Finally, in the last step they ask you to fill in the actual survey that Graham blogged about for a different Facebook threat seen earlier in the week. The whole purpose of having people spread this threat virally is to get as many of them as possible to fill in these surveys for monetary gain. Of course, you might find yourself doing more than just filling out a simple survey. When I attempted one of the surveys myself, it requested my cell phone number. Before filling it in I decided to read the fine print, which reads as follows.

“The Awesome Test for asking questions and getting answers from our human-powered response team for unlimited answers. This is an auto renewing subscription service that will continue until canceled. To cancel the service at anytime Text STOP to short code. Available to users over 18 for $5/Week charged on your wireless account or deducted from your prepaid balance. Unlimited answers to questions. For support: text HELP or call 800-916-3070. Message and data rates may apply. Your phone must have text messaging capability. You must be the owner of this device or have permission from the owner. By signing up for this service and entering your personal PIN Code delivered to the cell phone number supplied by you on this website, you acknowledge that you are agreeing to the full Terms of Use. Click here for full Terms & Conditions. For Privacy Policy Click here.”

In other words, by providing your cell phone number you’re subscribing to a paid phone service that charges you $5 per week via your cell phone provider. Unfortunately most people won’t read the fine print and will willingly hand over the information and likely won’t notice the charges until the end of the month.

Sophos users will be happy to know that at the time of writing we are in the process of publishing detection of the Sharejacking threat as Troj/FBJack-A. In addition, we block the domain in question that hosts the malicious code.

If you’re on Facebook, and want to learn more about security threats on the social network and elsewhere on the internet, join the Sophos Facebook page.

Update: Kudos to Facebook for responding almost immediately to my report about the threat by deleting all the associated fan pages.