Clickjackers Find a Lot to 'Like' About Facebook
Facebook is fighting off a new wave of clickjacking attacks, but its defensive tactics could merely lead to a prolonged cat-and-mouse game. Users clicking on certain links posted on the network aren't actually taken to the promised page -- instead, they're unwittingly made to "like" the the link itself, thus encouraging others to click. The tactic could potentially open the door to dangerous malware.
06/03/10 1:35 PM PT
Facebook is responding to yet another "clickjacking" attack, following similar attacks that reportedly impacted thousands over the weekend.
This particular form of clickjacking baits the hook by purporting to link to a subject Facebook users might find interesting. The latest attack consists of a link that appears to point to a website displaying a naked photo of Hayley Williams, lead singer of American rock band Paramore. Others including supposed links to singer Justin Beiber's phone number and a video of a man who took a picture of himself every day for eight years.
Clicking on the link will force the user's profile to indicate he or she "likes" the page, and that gets published on the victim's own profile and shared with friends. Those users then see that their mutual friend apparently gave the link a stamp of approval and may be more likely to click on it themselves.
Putting Out Fires
Facebook says the clickjacking attacks have impacted relatively few people.
"Overall, an extremely small percentage of users was affected," Facebook spokesperson Simon Axten told TechNewsWorld. By its own count, Facebook has well over 400 million active users.
The social networking giant has blocked the URL associated with the clickjacking site, Axten said, and "we're cleaning up the relatively few cases where it was posted."
While Facebook has the power to block any URL posted to its system, the clickjackers could counter that move simply by changing the URL they're using, Sean-Paul Correll, a threat researcher at Panda Security, told TechNewsWorld.
Like Is a Four-Letter Word
The clickjacking attacks happening over the past week exploit Facebook's "like" feature, which lets a user indicate approval of what the user's friends are sharing on Facebook.
Facebook members see links to subjects that their friends appear to have "liked" when they log onto their Facebook page, Sophos security consultant Graham Cluley said.
Clicking on the link takes the Facebook to a page that often contains a button asking them to click it to confirm they're over 18 years old. This isn't uncommon for sites that carry salacious material, such as the supposed Williams photos.
When users click on that button, however, it adds a link to the users' Facebook profiles saying they "like" the site. Facebook then publishes the "like" to the users' friends, spreading the worm.
So where's the threat? So far, the clickjackers haven't apparently done anything more than force users to unwittingly endorse their websites, but they could easily launch password-stealing Trojans or other malware.
The clickjackers create an "iFrame," which they layer invisibly over the Facebook site.
An iFrame is an inline frame that places one HTML document in the frame of another.
Frames let developers split an HTML browser window into segments, each of which can show a different document. This reduces bandwidth use because repeating parts of a layout can be used in one frame while variable content, such as a Flash presentation, can be shown in another.
Inline frames, or iFrames, can be the target frame for links defined by other elements, and that's how the clickjackers used this technology.
Microsoft introduced iFrames in 1997, in Internet Explorer.
Been There, Clickjacked That
This round of is at least the fourth wave of clickjacking attacks to hit Facebook since November of 2009.
In May, some users were clickjacked with messages like "This Girl Has An Interesting Way Of Eating A Banana, Check It Out!" according to Graham Cluley's blog for that date.
Before that, a Facebook clickjacking attack in November of 2009 displayed a photograph of a scantily clad woman on a user's profile pages with a message inviting viewers to click a button to "see something hot." Clicking on the button automatically updated the viewer's profile page to include the image with the message.
Facebook blocked the URL associated with the site of that attack and began cleaning up the mess.
Twitter has also reported incidents of clickjacking, which the site eventually blocked.
Coping With Clickjacks
Clickjacks succeed because people tend to trust information given to them on social networking sites, especially if it appears to have won the approval of several friends.
"People have an inherent trust of information that appears to be from their friends or family," said Panda Security's Correll. "When a post comes out that says 'check out this photo' or 'check out this post,' and it appears to be from your friend or someone in your family, you naturally click on that link. That propagates the attack."
Traditional antivirus protection doesn't help prevent clickjacking because it's a relatively new form of attack, being only about two years old, Correll said.
Preventing clickjacking attacks requires users trust no one.
"Break the inherent trust you have for friends' and family's online profiles," Correll recommended. "We should ask ourselves, 'Will my friend or family member really post that?' before clicking on something."
"Don't click on suspicious links, even if they've been sent or posted by friends," Facebook's Axten said.
"Ignore the 'Check Out the Best Beach Bods' link from your friend," Kevin Haley, director of Symantec Security Response, told TechNewsWorld. "It likely came from a hacker who broke into their account."
Users ignore requests from people they don't know, Haley recommended. They should also stay informed of Facebook's privacy settings and the changes they undergo, he said.