Facebook Clickjacking Worm Infects Thousands


A Facebook clickjacking worm plagued hundreds of thousands of users throughout the long weekend and into the week, spreading malware and unwanted code onto users' computers when they clicked a link that indicates they "like" the maliciously created Web page.

Security experts at Sophos, which reported the attack, say that the Facebook "likejacking" worm used Hayley Williams, the lead singer of the rock band Paramore, as a lure to spread a worm that infected hundreds of thousands of users over the holiday weekend, according to estimates.

During the "clickjacking" attack, which is also known as "likejacking," a link claims to connect the user to a Web site containing a naked photo of Paramore lead singer Hayley Williams.

Once users click on the "like" button, they are taken to a third-party Web site which displays the message "Click here to continue if you are 18 years of age or above."

Other attacks took users to a mostly blank page with a single line of text that read "Click Here To Continue." Users become infected with malware if they click on the page, while Facebook publishes the same message via an invisible iFrame to their own Facebook profile.

Researchers at Sophos said that hackers were able to launch the attack by hiding an invisible button under the mouse, which infects users when they click anywhere on the malicious Web site. Once a Facebook user clicks on the "like" feature, the link is automatically posted to their own Facebook profile, and the exploit ultimately spreads as other online friends "like" the same page.
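The invisible-button trick described above depends on the victim site letting an unrelated origin load it inside a frame. As an added example (not from the article, and not code from Facebook or Sophos), the following evaluator shows the logic behind the CSP `frame-ancestors` directive, the successor to the X-Frame-Options header, which a site uses to refuse such framing; all host names are constructed for illustration.

```javascript
// Added example: decide whether a page's frame-ancestors policy permits the chain of
// origins trying to frame it. Origins are "scheme://host" strings (constructed values).

// Does one source expression from the directive match a given ancestor origin?
function matchesSource(source, origin, selfOrigin) {
  const src = source.toLowerCase();
  if (src === "'none'") return false;                 // 'none' never matches anything
  if (src === "'self'") return origin === selfOrigin; // same origin as the framed page
  const [scheme, host] = origin.split("://");
  // Scheme-only source such as "https:" matches any host using that scheme
  if (src.endsWith(":") && !src.includes("/")) return scheme + ":" === src;
  let srcScheme = null;
  let srcHost = src;
  if (src.includes("://")) [srcScheme, srcHost] = src.split("://");
  if (srcScheme && srcScheme !== scheme) return false;
  // Wildcard subdomain: *.example.com matches a.example.com but not example.com itself
  if (srcHost.startsWith("*.")) {
    const suffix = srcHost.slice(1);
    return host.endsWith(suffix) && host !== srcHost.slice(2);
  }
  return host === srcHost;
}

// `ancestors` lists every frame above the page, nearest parent first. An empty list means
// the page is top-level and is always allowed; otherwise every ancestor must match some source.
function frameAncestorsAllows(directiveSources, selfOrigin, ancestors) {
  if (ancestors.length === 0) return true;
  if (directiveSources.length === 0) return false;
  return ancestors.every(a => directiveSources.some(s => matchesSource(s, a, selfOrigin)));
}

// Worked case: a lure page on a third-party origin tries to frame the social site's page.
const policy = ["'self'", "https://*.social.example"]; // constructed policy
const framedByLure = frameAncestorsAllows(policy, "https://social.example", ["https://lure.example"]);
console.log("lure page may frame us:", framedByLure); // → false: the overlay attack is blocked
```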

"Attacks like this can spread very, very fast," said Graham Cluley, Sophos senior technology consultant, in a blog post Wednesday. "Judging by the number of messages I've seen, thousands have already found it impossible to resist the idea of seeing the lead singer of Paramore naked and have fallen head-first in a 'likejacking' trap."

Other messages sent by the attackers over the Memorial Day weekend have included "This girl gets OWNED after a POLICE OFFICER reads her Status MESSAGE," "This man takes a picture of himself EVERYDAY for 8 YEARS," "The Prom Dress That Got this Girl Suspended From School," and "This Girl Has An Interesting Way Of Eating A Banana. Check It Out."

"In the past the attack has been a Trojan or a fake AV, it usually came in the form of a wall message," said Beth Jones, senior threat researcher at Sophos. "In this case, it was actually more of a redirect before it actually made it to the payload."

Cluley suggested that users view recent activity on their Facebook news feed, and delete entries related to the malicious links. He also recommended that users click on their Info tab on their personal profile and remove any of the links connecting to Web pages via their "likes and interests" section.

Jones said that Facebook's recent privacy changes likely wouldn't keep users safe from the 'likejacking' attacks, and advised users to know what applications they're clicking on before they click the 'like' button.

"User education is really knowing what it is you're looking at and clicking on. Check the application list. If you don't recognize the application, you can delete it," she said.

Meanwhile, security experts say that the recent round of "likejacking" attacks indicates that Facebook should implement further security controls on the popular "like" feature on its platform, before malware copycats follow suit.

"It's clear that Facebook needs to tighten the way it handles the 'liking' of external Web pages before it is even more widely abused by malicious hackers and spammers," Cluley said.