Yesterday Facebook and Washington State Attorney General Rob McKenna filed dual lawsuits against co-owners of Adscend Media, LLC, which Facebook Security claims is an ad network “that is alleged to develop and encourage others to spread spam through misleading and deceptive tactics, including the one known as clickjacking.”
Clickjacking (a.k.a. likejacking) is a technique that tricks users into clicking on an invisible “Like” button. Naked Security’s Graham Cluley explains that this button “follows their mouse across the screen, not realizing that they are recommending the webpage to all of their Facebook friends.” The technique relies on code hidden in links that activates the Facebook “Like” function, dropping the spam onto the news feeds of the users’ friends. The scam spreads as soon as the Facebook user clicks on a link. Facebook users who take the bait are lured to outside websites that ask them to submit personal information.
Interestingly, likejacking “takes advantage of a vulnerability in the browser that permits malicious actors to make the ‘Like’ button invisible,” according to Facebook.
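A static check a defender could run over saved page markup to flag the pattern described above, a Facebook Like widget frame rendered effectively invisible. This is an added example, not code from Facebook or from the article; the widget path `/plugins/like`, the 0.1 opacity threshold and the sample markup are assumptions, and only inline styles are inspected.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

VOID = {"area", "base", "br", "col", "embed", "hr", "img", "input", "link", "meta", "source", "wbr"}
OPACITY_RE = re.compile(r"opacity\s*:\s*([0-9]*\.?[0-9]+)", re.I)
THRESHOLD = 0.1  # assumption: anything fainter than this is treated as invisible

def opacity_of(style):
    m = OPACITY_RE.search(style or "")
    return float(m.group(1)) if m else 1.0

def is_like_widget(src):
    # Assumption: the Like widget is framed from a facebook.com host under /plugins/like
    u = urlparse(src)
    host = (u.hostname or "").lower()
    return (host == "facebook.com" or host.endswith(".facebook.com")) and "/plugins/like" in u.path

class LikeFrameScanner(HTMLParser):
    def __init__(self):
        super().__init__()
        self.stack = []     # (tag, inline opacity) for each open ancestor element
        self.findings = []  # (iframe src, effective opacity)

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        own = opacity_of(a.get("style"))
        if tag == "iframe" and is_like_widget(a.get("src") or ""):
            effective = own  # CSS opacity compounds: a faint wrapper hides its children
            for _, ancestor in self.stack:
                effective *= ancestor
            if effective < THRESHOLD:
                self.findings.append((a["src"], round(effective, 3)))
        if tag not in VOID:
            self.stack.append((tag, own))

    def handle_endtag(self, tag):
        for i in range(len(self.stack) - 1, -1, -1):
            if self.stack[i][0] == tag:
                del self.stack[i:]  # also drops unclosed children of this element
                break

def find_hidden_like_frames(html):
    scanner = LikeFrameScanner()
    scanner.feed(html)
    scanner.close()
    return scanner.findings

# Constructed sample: one Like frame inside faint wrappers, one ordinary visible Like frame.
SAMPLE = """<p>Watch the video</p><div style="position:absolute; opacity:0.5"><div style="opacity: 0.1">
<iframe src="https://www.facebook.com/plugins/like.php?href=https%3A%2F%2Flure.example%2F"></iframe></div></div>
<iframe src="https://www.facebook.com/plugins/like.php?href=https%3A%2F%2Fblog.example%2F" style="border:none"></iframe>"""
```

Opacity set through stylesheets or scripts is not seen by this scan, so a clean result on static markup does not clear a page.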
Previous Facebook scams, such as the Justin Bieber, abused dog and naked grandma attacks, have exploited browser vulnerabilities to infect users’ Facebook accounts.
“The natural reaction is to wonder why anyone would click on these links,” says Assistant Attorney General Paula Selis of the Consumer Protection High-Tech Unit. “But, unfortunately they do, and at one point Adscend spam lined the defendants’ pockets with up to $1.2 million a month.”