“Hundreds of thousands of Facebook users have fallen for a social-engineering trick which allowed a clickjacking worm to spread quickly over Facebook this holiday weekend,” said Graham Cluley, senior technology consultant at Sophos, on the company’s blog.
Clickjacking -- also known as likejacking -- works by spamming Facebook users with such content as "LOL this girl gets owned after a police officer reads her status message” and “the prom dress that got this girl suspended from school."
Click on the link, and a user will go to a seemingly blank page that says “click here to continue.” But thanks to “an invisible iFrame,” said Cluley, clicking anywhere on the page actually republishes the attack content and link on the Facebook user’s status page, “in a similar fashion to the ‘Fbhole’ worm we saw earlier this month.” Fbhole likewise spread via Facebook status messages.
For anyone affected by the attack, Richard Cohen, technical lead for malware research at SophosLabs Canada, said there’s a two-step fix. First, “remove the page from your ‘likes and interests’ section. Next, “delete the page from your newsfeed -- it will probably be in the ‘Recent Activity’ section, but you may need to scroll down a bit to find it.”
This clickjacking attack follows a recent “Distracting Beach Babes” Facebook attack, which involved malware “posing as a video of young bikini-clad women on a beach,” said Cluley.
Clicking on the video’s link led to a rogue Facebook application -- going by such names as Avi Video, BluRay and Video Wave -- which offered to install the software required to view the “Distracting Beach Babes,” as the text leading to the malicious application characterized it.
Give the software permission to run, and it not only displays “a bogus message advising that you need to update your FLV player,” leading to an adware-download site, but also spreads by forwarding the video to everyone on your Facebook contacts list.
Accordingly to Sophos, there’s been a 70% rise in reported malware attacks via social networks from April to December 2009, with many organizations viewing Facebook as the riskiest of all social networking sites.
If Facebook is predicated on crowdsourcing news and opinions, could it be doing a better job of applying social networking to help spot and stop security outbreaks on its site? For example, Facebook security has yet to warn its users specifically about any of the above attacks by name or with any kind of description, referring only to there being “ several malicious applications” that it recently disabled.
According to Cluley, “Facebook needs to work harder both at preventing these kind of attacks from happening, and also better coordinating its response when an outbreak occurs.”