Security researchers are warning of the newest Facebook threat, something they’re calling “likejacking,” a Facebook-enabled clickjacking attack that tricks users into clicking links that mark the clicked site as one of your Facebook “likes.” These likes then show up on your profile and, of course, in your Facebook News Feed where your friends can see the link and click it, allowing the vicious, viral cycle to continue.
According to security firm Sophos, hundreds of thousands of users have already fallen for this new “likejacking” trick thanks to the clever and tantalizing linkbait the spammers use to entice people to click their links. For example:
“LOL This girl gets OWNED after a POLICE OFFICER reads her STATUS MESSAGE.”
“This man takes a picture of himself EVERYDAY for 8 YEARS!!”
“The Prom Dress That Got This Girl Suspended From School.”
After clicking through on a link, victims don’t get to see the promised content, but rather a blank page reading “click here to continue.” This page contains the clickjacking worm (Troj/Iframe-ET) embedded via an invisible link. Click anywhere on the page and the message is posted to your profile and News Feed, allowing the worm to further its spread.
This particular exploit is made possible by way of Facebook’s new like button and its associated developer code. According to the like button documentation, the buttons can be customized with meta data that includes things like the title of the Web page, the name of the website and the URL of a picture for the page. By customizing these fields, spammers and hackers can easily create links that are, in fact, malicious “likes.”
Told You So
The popularity of this particular attack vector is not surprising. Soon after the launch of the Facebook like button, we reported on its potential as a threat, noting how incredibly easy it is to create like buttons that link to anything on the Web – even pages you have never visited.
It was only a matter of time before spammers and hackers started exploiting this weakness for their own purposes. (Frankly, we’re surprised it took this long.)
The problem has to do with the overly simple way Facebook has implemented the “like button” feature. Non-developers can plug a URL into a wizard that generates code that can be copied and pasted anywhere on the Web. Like buttons created this way or manually, via handwritten code, will function properly even if they point to a webpage that’s on a different domain from the page where the button is being hosted.
Kyle Bragger, a Web entrepreneur who just launched Forrst, an online community for developers and designers, warned Facebook users of “like fraud” back in April by way of a personal blog post. To circumvent potential likejacking attempts such as these, he created a Facebook “like” bookmarklet that safely “likes” the page you’re on, allowing you to feel secure that you’re actually liking the real thing and not some shady linkbait. (Or likebait, if you will).
If you’ve been hit with this likejacking attack, the best you can do is remove the like from your profile and delete the post from your News Feed. You might want to apologize to your friends with a Facebook status update, too.