Approximately two weeks ago, Facebook deployed a new security countermeasure to attempt to alert users to the scam tactic known as “likejacking.”
Likejacking is a technique in which a spammer creates a website that portrays a fake YouTube-like video player, or other visual lure, and convinces you to click on a button to perform some seemingly normal action, like viewing the video.
What really happens is that you are clicking a Facebook “Like” button that has been hidden underneath the images using a web-page coding technique called UI redressing.
In the past year, many attacks against Facebook have exploited this technique. Part of the issue with clickjacking/likejacking/UI redressing is that it is technically allowed in the HTML specification.
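As an added illustration of the detection side (example code, not from the original post), the scanner below flags Facebook Like-plugin iframes that are styled to be invisible or near-invisible, the hidden-button pattern described above; the plugin URL pattern and the thresholds are assumptions about what a defender would check, not Facebook's own detection logic.

```python
# Added example, not code from the original post: a heuristic scanner that
# flags Facebook Like-plugin iframes styled to be invisible, the pattern the
# post describes. Thresholds are assumptions, not Facebook's own detection rules.
import re
from html.parser import HTMLParser

LIKE_PLUGIN = re.compile(r"facebook\.com/plugins/like(?:box)?\.php", re.I)

def _num(value):
    m = re.match(r"\s*-?\d+(?:\.\d+)?", value or "")  # leading number of '1px', '0.0'
    return float(m.group()) if m else None

def _style(style):  # inline style string -> lowercased property dict
    return {k.strip().lower(): v.strip().lower()
            for k, v in (d.split(":", 1) for d in style.split(";") if ":" in d)}

class _LikeIframes(HTMLParser):
    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag != "iframe" or not LIKE_PLUGIN.search(a.get("src") or ""):
            return
        css = _style(a.get("style") or "")
        reasons = []
        opacity = _num(css.get("opacity"))
        if opacity is not None and opacity < 0.1:  # transparent overlay
            reasons.append("opacity %g" % opacity)
        for dim in ("width", "height"):  # 1x1 or zero-sized frame
            size = _num(css.get(dim) or a.get(dim))
            if size is not None and size <= 1:
                reasons.append("%s %gpx" % (dim, size))
        if reasons:
            self.findings.append({"src": a["src"], "reasons": reasons})

def scan_for_likejacking(html):
    """Return the suspicious Like-plugin iframes found in an HTML document."""
    parser = _LikeIframes()
    parser.feed(html)
    return parser.findings

# Constructed sample: a transparent Like iframe over a fake player, a 1x1 Like
# iframe, and a normal visible Like button as a control that must not be flagged.
SAMPLE_PAGE = """<div class="player"><img src="play.png" alt="Play"></div>
<iframe src="https://www.facebook.com/plugins/like.php?href=http%3A%2F%2Fexample.test" style="position:absolute;top:120px;left:200px;opacity:0;z-index:10"></iframe>
<iframe src="https://www.facebook.com/plugins/like.php?href=http%3A%2F%2Fexample.test" width="1" height="1"></iframe>
<iframe src="https://www.facebook.com/plugins/like.php?href=http%3A%2F%2Fexample.test" width="450" height="80"></iframe>"""
```

Running `scan_for_likejacking(SAMPLE_PAGE)` reports the first two iframes and leaves the visible one alone; a real crawler would also need to resolve external stylesheets, which this inline-style check does not.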
We have been urging Facebook to require a popup when users click “Like” that warns them that they are choosing to Like something, to ensure they are aware that their click may have been hijacked.
Facebook has responded by implementing a new system that is designed to detect anomalous “Like” patterns and require an additional confirmation for pages that trigger this mechanism. While precise details of how this system detects malicious “Likes” are not available, I have seen it in action and it follows many of the suggestions we have made.
A page that triggers this behavior will display a normal Like button at first. When you click the button (either intentionally, or accidentally in the case of clickjacking) the button changes to Confirm rather than instantly Liking the page.
If you click the button again, it triggers a popup message explaining that you are trying to like the page. This popup is in a separate window, which is important. By making it a popup, they escape the control of the attacker and the page can no longer be modified by the malicious website.
The technical approach to solving this problem is valid, but Facebook’s detection algorithm only seems to work in rare instances. Since the deployment of this technology, I have only seen it trigger in a few likejacking attacks.
Trying to anticipate scams from user behavior is difficult, if not impossible, and large numbers of users will already have fallen prey to a scam before the algorithm designed to protect them triggers.
Rather than allowing undetected fraudsters to continue to fly under the radar, the ideal solution would be to provide the verification popup whenever a user wishes to Like a page.
An additional problem is that the warning message displayed does not adequately alert a user that they may be falling for a scam. Many of these scams inform the user they must Like the page to see the salacious content.
Simply confirming that the user wishes to Like the page does not give them any good reason not to. Why not tell users that Facebook suspects this page may be malicious?
It’s encouraging that Facebook is working on this problem, but their solution doesn’t go far enough.
If Facebook uses some heuristics to detect likejacking scams, why don't they block the sites in the first place instead of making it harder to like the page? Detecting likejacking scams is trivial and requires little human intervention, if any.
All the clickjacking websites I've analyzed in the past are pretty basic and follow the same pattern, so it's easy for Facebook to detect this. When FB decides that a page is related to some like/share anomalies, they could have gone one step further, scanned the target page and simply blocked it, as happens when users report URLs to Facebook. I don't get why they are stopping halfway.
I was excited until I saw that this supposedly went into effect two weeks ago. These scams have seemed to only get worse, not better. Most of the ones I've seen have been in the last few weeks.
Usually, when I see one of these, I report them as spam. I hope they use this heuristic too to identify the malicious websites and ban all the "likes" they've made.
Can someone direct me to the Facebook admins, as I have a serious discussion to bring up regarding a current trend whereby companies use Facebook as a means to market their products and organize contests on it. It usually requires contestants to get the most Likes / votes to win, and this has caused many people to create multiple fake Facebook accounts to vote for themselves. This has gone really bad. Not only does it rob genuine participants of a chance to win, but it also creates a false sense of fans on the organizers' page. Many of them really think that they have increased their fan base tenfold with such contests, but in actual fact they are just being scammed by these cheaters.
And can someone tell me, are companies allowed to use FB to hold contests and use the Like feature as a tool to decide the winners? I understand it has been mentioned somewhere that it is against the very T&C set forth by Facebook.
@auditor That used to be the case, but they recently relaxed the rules on promotions.
Much better to protect yourself than rely on Facebook.
I've been "saved" from this by ClearClick in NoScript.
I don't get why it should be possible to have iframes with opacity:0 or iframes with a width of 1. I cannot think of one valid purpose for that "feature". Why don't they just remove the opacity tag or the width tag from the iframe?
Thank you for this information. Unfortunately this new tool detecting "anomalous like patterns" has also resulted in jamming groups and pages where "liking" is a way of communicating. A group page of ours was totally jammed and halted. Now, when our newly founded fan page has been operating for only three days, the same is happening there. It is very hard to learn not to click the Like button. But we'll try if it helps. Best regards from Finland
I noticed that when browsing the internet, it is best to have signed out of your Facebook account. This way, if you accidentally click something (or it is clicked for you), Facebook will ask you to sign in. Of course the user will have to have the sense to open a new window and sign in on their own… but it helps!
This might sound silly… but is it possible that these scammers have victims' login information? Or not?
Cut the slow-down warning… I was simply writing a response to a friend's post. My response was political and right-leaning. I am just curious as to whether these speed bumps are affecting users with a conservative point of view more so than others?