New teacher from behind Facebook likejacking attack leads to survey scam

This broken record continues to play. Yes, Facebook likejacking scams continue to plague Facebook users’ walls. This one spreads to walls saying:

“New teacher from behind”

“(BADURL) When our new teacher terns towards a blackboard students are go haywire. VIDEO: New Teacher from behind”

Unlike some of these likejacking scams, this one is using many different URL shorteners, including,, and even direct URLs to domains registered in .info and .ro top-level domains. At the time of this writing, over 6,000 people have fallen victim to the scam and the numbers continue to climb.

In a trend we are seeing more often in web-based attacks, this attack only requires that you are using a modern browser and are logged into a Facebook account. It works regardless of the operating system your device uses, including Windows, OS X, Linux, iOS, Android and more.

The best defense against clickjacking attacks is to use the Firefox browser with the NoScript add-on.

Otherwise, to avoid these types of attacks, the only remedy (which isn’t exactly practical) is to be sure you are not logged in to Facebook when clicking unknown URLs. If you are not logged in to Facebook, you are presented with a pop-up window asking you to log in, which is an indication that it is an attempt to likejack your account.

Personally, I use one browser just for Facebook and a different browser for all of my normal internet activities. If I choose to follow a URL from a Facebook wall, I use my non-Facebook browser so I can be alerted to the attack, as well as having protection from NoScript on my side.

For more best practices on Facebook security, visit the Sophos Security Hub where we have our guide to Facebook security. To stay up to date with all the latest security news you can follow Sophos on Facebook.