Tuesday, March 1, 2011

Clickjacking on Facebook

Another week is here with another way for scammers to exploit Facebook's user-interaction weak spot, the "Like" button. Facebook apparently (and perhaps rightly) considers asking users to confirm that they "Like" something too time-consuming, so the one-click button is a prime candidate for scammers to turn to their ill intent.

Lots of people follow celebrity goings-on and are excited when they think a Facebook fan page is directing them to a rare video clip or photo that wasn't published through the normal, official channels. Because of this, misuse of such false links has spread virally.

As explained in the Sophos article below, a user can protect themselves by installing the "NoScript" add-on for Firefox or the similar "NotScripts" extension for Google's Chrome browser. These let you choose when and where scripts are allowed to run, so if you catch yourself on a page that looks a bit off, or not what you expected when you clicked the link that took you there, scripting is already blocked until you give it the OK.

- Matthew Siers

*****************************************************


http://nakedsecurity.sophos.com/2011/03/01/lost-all-respect-for-emma-watson-facebook-clickjacking-attack-spreads-virally/

From Sophos' Naked Security: News. Opinion. Advice. Research

Lost all respect for Emma Watson? Facebook clickjacking attack spreads virally



Emma Watson, the actress who plays the part of Hermione Granger in the Harry Potter movies, has found herself the subject of a clickjacking scam on Facebook.

Users of the social network have seen messages posted by their online friends claiming to have lost all respect for Emma Watson, after watching a video starring the young actress.

[Image: Emma Watson message on Facebook]

I lost all respect for Emma Watson when I seen this video! Outrageous!

If you're curious enough to click on the link, your browser will be taken to a webpage which pretends to be a YouTube-style video site called FbVideo.

[Image: Emma Watson clickjacking page]

If you've got this far, you'll probably be tempted to click to view the video. However, like the many clickjacking attacks we saw on Facebook last year, you will be invisibly clicking on a "Like" button without your knowledge, sharing the link further with your friends.

The page is designed to display a survey scam, which both earns money for the scammers and can trick you into handing over your mobile phone number to sign you up for a premium rate SMS service.

You can protect yourself from clickjacking threats like this by using browser plugins such as NoScript for Firefox.

But wouldn't it be great if Facebook required users to confirm that they wished to "Like" a webpage? That would make scams like this have a harder time spreading virally via the social network.

By the way, other versions of the scam are using the name of Miley Cyrus.

[Image: Miley Cyrus Facebook message]

If you find you have accidentally "Liked" an offending webpage, remove references to it from your wall and check your profile settings.

As Chet pointed out with a similarly-themed Justin Bieber clickjacking scam on Facebook, it can also make sense to log out from Facebook when you are not actively using it to reduce the chances of you being tricked into "Liking" things you don't really like.

If you're a Facebook user and want to keep up on the latest threats and security news why don't you join the Sophos Facebook page?

You could also do a lot worse than check out our best practices for better privacy and security on Facebook guide.

About the author

Graham Cluley is senior technology consultant at Sophos. In both 2009 and 2010, the readers of Computer Weekly voted him security blogger of the year and he pipped Stephen Fry to the title of "Twitter user of the year" too. Which is very cool. His awards cabinet bulging, he was voted "Best Security Blogger" by the readers of SC Magazine in 2011. You can contact Graham at gc@sophos.com, or for daily updates follow him on Twitter at @gcluley.
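The invisible "Like" click described in the article above only works because the framed page can be embedded by a site it does not trust. The following checker is an added example, not code from the Sophos article, this blog, or Facebook: given a page's response headers, it decides whether a particular third-party origin is allowed to frame the page, which is the property a site owner should verify when hardening a clickable widget. All header values, origins and hostnames are constructed for illustration.

```javascript
// Added example: classify a page's framing policy for a given embedder origin.
// A result of 'unprotected' means any site could load the page inside an
// invisible iframe over a decoy button, the precondition for clickjacking.

function parseFrameAncestors(csp) {
  // Returns the source list of a CSP frame-ancestors directive, or null if absent.
  if (!csp) return null;
  for (const directive of csp.split(';')) {
    const tokens = directive.trim().split(/\s+/);
    if (tokens[0].toLowerCase() === 'frame-ancestors') {
      return tokens.slice(1).map((t) => t.toLowerCase());
    }
  }
  return null;
}

function sourceAllows(source, embedder, pageOrigin) {
  // Handles the CSP source forms typically used in a framing policy.
  if (source === "'none'") return false;
  if (source === '*') return true;
  if (source === "'self'") return embedder === pageOrigin;
  if (source.endsWith(':')) return embedder.startsWith(source); // scheme-only, e.g. https:
  if (source.includes('://*.')) {
    // Wildcard host source, e.g. https://*.partner.test (constructed hostname)
    const [scheme, host] = source.split('://*.');
    return embedder.startsWith(scheme + '://') && embedder.endsWith('.' + host);
  }
  return source === embedder; // exact origin
}

// Returns 'blocked', 'allowed' or 'unprotected' for the given embedder origin.
function framingPolicy(headers, embedder, pageOrigin) {
  const get = (name) => {
    const key = Object.keys(headers).find((k) => k.toLowerCase() === name);
    return key ? headers[key] : undefined;
  };
  const ancestors = parseFrameAncestors(get('content-security-policy'));
  if (ancestors) {
    // When both headers are present, frame-ancestors takes precedence over X-Frame-Options.
    return ancestors.some((s) => sourceAllows(s, embedder, pageOrigin)) ? 'allowed' : 'blocked';
  }
  const xfo = (get('x-frame-options') || '').trim().toUpperCase();
  if (xfo === 'DENY') return 'blocked';
  if (xfo === 'SAMEORIGIN') return embedder === pageOrigin ? 'allowed' : 'blocked';
  return 'unprotected'; // no framing restriction at all
}
```

A browser plugin such as NoScript protects the visitor; these headers protect the site's own widgets regardless of what the visitor has installed.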
