This week I’ve seen three friends “like” something on Facebook which I doubt they actually like. Security folks such as Graham Cluley at Sophos call this “click-jacking” or “like-jacking.” It’s been around for a while, but some new attacks are making the rounds lately. How it works:
- The targeted user receives an email which includes a link, or sees an appealing link in someone else’s Facebook feed. Garden variety social engineering. I saw “webcam shocker” (read: porn), “Disney secrets,” and “Read this and you’ll never text again!” as click-bait.
- The target clicks the link to open the web page which contains the nasty bits. Here’s a screenshot of the “webcam” click-jacking page. The target then clicks again, following the directions to get the bait, and the evil deed is done.
Some of these click-jacking pages imitate the appearance of Facebook: its blue and white color scheme, headers and footers, and/or fake versions of widgets Facebook allows legitimate sites to use for off-Facebook “liking.” Smartphone users are probably more susceptible to this visual deception, since they work with smaller screens and/or reduced-size pages. You don’t have to look too hard at the “Caught on webcam” example to see it’s rough around the edges: there’s no Facebook logo, and the fake Facebook widgets and links don’t actually work. However, when small, that familiar blue color may look Facebooky enough to earn that second click.
- Facebook-like headers and footers, as noted above.
- The source code is obfuscated: it starts with an HTML comment containing the alert noted above, followed by a hundred or so spaces, and all of the code sits on a single line, so at first glance “View source” appears to show only that comment.
- The malicious code is in a separate page integrated with an iframe.
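As an added example (not code from the original post), here is a small Python checker that flags the traits listed above in a page's source: a single-line document, a leading HTML comment padded with a long run of spaces, and a hidden iframe pulling in a separate page. The sample pages, the iframe URL and the thresholds are constructed assumptions.

```python
import re
from html.parser import HTMLParser

# Constructed sample mimicking the layout described in the post: one line,
# leading HTML comment, ~100 spaces, then a transparent iframe to another page.
# The hostname is a placeholder, not a real indicator.
SUSPICIOUS_PAGE = (
    "<!-- Caught on webcam! -->" + " " * 120
    + '<html><body><div style="color:#3b5998">Share to see the video</div>'
    + '<iframe src="http://payload.example.invalid/like.html" '
    + 'style="opacity:0;position:absolute;top:0;left:0" width="500" height="300">'
    + "</iframe></body></html>"
)

# Constructed benign page for comparison.
BENIGN_PAGE = """<!doctype html>
<html>
<head><title>Recipe</title></head>
<body><p>Preheat the oven.</p></body>
</html>
"""

class IframeCollector(HTMLParser):
    """Collect the attributes of every <iframe> in the document."""
    def __init__(self):
        super().__init__()
        self.iframes = []

    def handle_starttag(self, tag, attrs):
        if tag == "iframe":
            self.iframes.append(dict(attrs))

def is_invisible(attrs):
    """True if the inline style hides the frame from the viewer."""
    style = attrs.get("style", "").replace(" ", "").lower()
    return any(t in style for t in ("opacity:0", "visibility:hidden", "display:none"))

def assess(html):
    """Return the names of like-jacking indicators found in the page source."""
    indicators = []
    if len(html.strip().splitlines()) == 1 and len(html) > 200:
        indicators.append("single_line_source")
    if re.match(r"\s*<!--.*?-->\s{50,}", html, re.S):
        indicators.append("comment_then_whitespace_padding")
    collector = IframeCollector()
    collector.feed(html)
    for attrs in collector.iframes:
        if attrs.get("src"):
            indicators.append("external_iframe")
        if is_invisible(attrs):
            indicators.append("hidden_iframe")
    return indicators
```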
Worst of all: the second click may not appear to do anything, so those who fall prey to these scams may not even know it.
What to do? Think before you click. Nothing new about that. At least the payload is pretty benign, for now. Hopefully someone won’t figure out how to do this with one click (and/or Facebook will tighten “like” up to make that impossible). One-click like-jacking combined with a nastier payload (a Trojan horse) would be a much more serious problem.