I can't believe a GIRL did this because of Justin Bieber - Facebook's latest scam

Filed Under: Celebrities, Clickjacking, Facebook, Nude Celebrities, Social networks, Spam

Facebook has been hit very hard the last few weeks with a never ending onslaught of new scams trying to trick innocent Facebook users. The latest one spreads with the message "I can't believe a GIRL did this because of Justin Bieber" and links you to a YouTube look-a-like site called FouTube.

FouTube screenshot

Fortunately Sophos customers are protected from being likejacked when using our browser helper object in Internet Explorer. The hidden iFrame is detected as Troj/Iframe-ET. This style of attack is quite old and resembles some of the first likejacking attacks we started seeing earlier this year.

Most Facebook attacks I have looked at recently were rogue Facebook Applications rather than simply liking a web page. This one is quite poorly crafted, yet it is still spreading quite quickly amongst Facebook users who can't seem to get enough Justin Bieber.

Offer to buy Facebook Fan pagesOne interesting thing while came up though, the person behind this attack displays an offer to purchase Facebook Groups/Fan pages, apparently to help further spread their malicious scams.

Like most scams this one does not appear to be spreading malware, rather just displaying survey scams and other tricks to get you to subscribe to premium rate SMS services on your mobile phone.

It's unfortunate that almost eight months after likejacking started becoming common that Facebook has chosen to keep the simplicity of the "Like" feature and not implement a confirmation option that would alert a user who is logged into Facebook that they are endorsing another scam.

If you have accidentally "Liked" this web page you can remove it by visiting your Facebook Wall and choosing to remove your like. As a precaution against likejacking you may wish to logout from Facebook when you are not actively using it. These attacks do not work if you are not currently logged into Facebook.

If you're a Facebook user and want to keep up on the latest threats and security news why don't you join the Sophos Facebook page?

, , , , ,

You might like

20 Responses to I can't believe a GIRL did this because of Justin Bieber - Facebook's latest scam

  1. David B · 1768 days ago

    I've been saying for a while, those Like aggregation pages (and ones that look like them) are a potential breeding ground for malware.

    Maybe it will take someone to, instead of focusing on Justing Bieber, to post something like "The TSA has finally gone too far" or "Click here to oppose Comcast's takeover of the Internet", before FB finally does something. In other words, when the attacks start targeting the people who work at Facebook, and catch FB employees, maybe they'll do something.

  2. sebastian · 1767 days ago

    I choose remove my like on my wall but it still shows up under my profil. Any other chance to remove this stupid 'like'?

    • wrappedtunafish · 1678 days ago

      under the group at the bottom of the page on the left it says unlike.

    • ccn · 1672 days ago

      hit the little x next to the post and select report as spam..

  3. Great text - finally someone who is informing the (non-professional) people! Facebook should think about a validation for their like buttons so that people won't be able to generate their own links...

  4. Trini · 1767 days ago


    If you go to your page, under your name is a link for Edit My Profile
    Left hand navigation> Likes and Interests
    The first page is your tags by section. Each section has a “See More” and more tags appear that are associated with the interests that you chose for yourself. Find the tags, click on it to turn it blue, then hit delete.

  5. sebastian · 1767 days ago

    thank you very much trini!!

  6. Richard · 1766 days ago

    "Facebook's latest scam"

    Poor choice of words. That sounds like it's a scam run by Facebook, rather than a scam targeting FB users.

  7. I removed the like, but it is still written that I shared a link (what I definitely didn't). But i is not viewable in my own Linklist, so I can not remove it.
    Any ideas?

  8. frank · 1764 days ago

    hi, i didn´t really get it, my englisch is really bad :(

    so i clicked on this side, and had it under my "I like" sites, where i erased it.

    the text says it doesnt spread any malware, so i dont have any trojans and viruses right?
    but later this text here says the site is displaying survey scams, what does that mean?
    I went on this you-tube-lookalike site and could do nothing there (the video didnt play) so i closed the window.
    so can i expect now that nothing happened to me?, or how do i know that
    i tricks me to subscribe something, as i said i could do nothing on this site.
    i also dont really know what a survey scam is.

    hope somebody can help me
    and excuse my bad english

    • Chester Wisniewski · 1764 days ago

      You should be fine. For surfers in the US, Canada, and United Kingdom the fake video page would lead them to a site pretending to be a survey or quiz. To win the prize you were promised for completing it you needed to enter your mobile phone number which would allow them to subscribe you to a service that charges you money every week.

      • frank · 1764 days ago

        you helped me a lot

        • Fritz · 1753 days ago

          yes thank you very much!!!!!

          I tried to watch the video too and a quiz appeared in the box. I didn't answered anything. i just tried to close the tab. then a popup appeared and told me not to leave. So I closed the whole browser with the taskmanager. lol

          Thank you for the very good informationservice.

          I was realy afraid. but you calmed me down. (Sry for my bad english too)

          vielen Dank ;)

  9. laura · 1760 days ago

    I didn't even click on the link or video and it has come up on my facebook feed. Any way I can get it off my feed as I don't want other people having this problem?

  10. pedro10 · 1759 days ago

    Facebook users beware...!!!

  11. fhz · 1753 days ago

    this just happened to me, and i came to this page to figure out what to do.

    i wasn't able to remove it when i tried deleting it on my news feed. i had to go to my profile page in order to delete it on My Wall.

    But it stayed in my Likes Box on the left hand side.

    You can remove it if you go to edit your profile, find the likes and interests section, and click on Show other pages at the bottom of the likes and interests settings page.

    You can remove it from there.


  12. PBO · 1680 days ago

    I just found something similar to this posted on someone's Newsfeed. After I clicked on the image, I was redirected to this link and I immediately closed it because the URL looked fishy. After Googling it and coming across your story here, I decided to reopen the link and to make sure that it was the same scam. I had already been to the site once - I knew going back couldn't do any additional harm. I simply clicked on the link to take me to the webpage - I didn't attempt to click on the video or do anything further. I also didn't Like it. Do I have anything to worry about if that is all that I did? Nothing appeared on my wall or in my Newsfeed. From what it sounds like, the scam only happens if you fill out the survey but I wanted to be certain.

    Any info that you can give is greatly appreciated.

  13. Bonnie · 1680 days ago

    I deleted it from my likes so I should be ok now right? What confuses me is that I never got that quiz thing? Am I still scammed?

  14. Marty · 1679 days ago

    If you haven´t given away your mobile phone number can they still scam you?

  15. Marika · 1678 days ago

    Many thanks Sophos. I wasn't paying attention and clicked onto this link that was sent by a FB friend. Fortunately my anti-virus is up to date and a red flag came up and didn't let me open it. Keep up the good work.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

About the author

Chester Wisniewski is a Senior Security Advisor at Sophos Canada. He provides advice and insight into the latest threats for security and IT professionals with the goal of providing clear guidance on complex topics. You can follow Chester on Twitter as @chetwisniewski, on App.net as Chester, Chester Wisniewski on Google Plus or send him an email at chesterw@sophos.com.