Sophos Warns Of New Facebook Clickjacking Worm

In May, thousands of Facebook users were hit with a worm that spread by getting them to "like" a maliciously created Web page that would then proceed to infect their PCs with malware. This time around, a new worm is tricking users into recommending malicious content to other users via Facebook's "share" feature.

The worm propagates by luring users to one of many Facebook fan pages -- for example, "Top 10 Funny T-Shirt Fails ROFL." When the page loads, users are asked to prove they're human by clicking through a series of three steps.

But when users click, they're actually pulling a malicious script from an external domain that silently shares the link to their profile page, according to Onur Komili, a researcher with SophosLabs' Canada division.

"If you happen to be one of the people who fell victim to this scam be sure to click the 'Remove' option to clear the content from your profile. This will help prevent friends of yours from being compromised and possibly falling victim to the scam," Komili said in a Wednesday blog post.


The third and final step asks users to complete an online survey, which has also been part of the myriad "dislike" button scams that have been circulating on Facebook this month. However, filling out the survey has worrisome implications for users, warned Komili.

Scammers typically use the information gathered in the surveys to generate revenue and pad their ill-gotten gains, but in this case, Facebook users are also asked to provide their cell phone numbers. If they comply, they're automatically signed up for a paid phone service that charges them $5 per week via their wireless carrier, said Komili.

"Unfortunately most people won't read the fine print and will willingly hand over the information and likely won't notice the charges until the end of the month," Komili said in the blog post.

Komili did credit Facebook with removing all of the fan pages associated with the threat, adding that Sophos is blocking the malicious domain for its customers and working on publishing detection of the Sharejacking threat as Troj/FBJack-A.

The term "clickjacking" refers broadly to the practice of getting users to click on a link they think they want, but which is actually rigged to take them somewhere else -- most often to a malicious site that infects their machines with malware.