Friday, October 1, 2010

Latest Facebook Clickjacking Attack - This poor girl killed herself...

Clickjacking is really starting to be embraced by attackers since Jeremiah Grossman and Robert Hansen first spoke about it at OWASP NYC AppSec 2008. One of the primary targets for Clickjacking has been Facebook and most notably their new 'Like' feature which now appears on over 2 million websites.

Facebook page with clickjacking scam
Most of the 'Likejacking' attacks as they're commonly called, actually occur on third party websites but leverage the 'Like' button to promote advertising scams. Today however, we spotted a clickjacking attack directly on Facebook (within an IFRAME).

The scam appears within a Facebook page entitled 'This poor girl killed herself right after her dad posted this to her wall', which was still live at the time of this blog posting. When viewed, a user is first presented with a warning message, which is must first be accepted in order to display third party content within the following IFRAME:

http://girlkilledherself.leadhoster.com/suicide38/iframe.php

IFRAME with clickjacking attack
This is the clickjacking attack. Using a little social engineering, the victim is led to believe that they need to click on the numbered buttons in a particular order assuming that it's some form of CAPTCHA, designed to ensure that a human being is involved in the process. In reality, when selecting buttons a victim is posting this page to their wall and 'liking' the page. Both are efforts to further promote the scam. Users of NoScript will be protected as can be seen in the screenshots below as the plugin detects the fact that transparent images have been placed over the numbered buttons using the z-index property.

NoScript block screen revealing obfuscated 'Like' button

The overall purpose of the scam is fairly typical of clickjacking attacks that we've seen to date. When a user follows through and clicks on the buttons, they will unintentionally promote the page within Facebook and then be redirected to scams that the attacker presumably receives click-thru revenue from. It's always amazing to me how lucrative these attacks can be. As can be seen in the screenshot of people that 'like' the page, hundreds of people have already fallen victim and that number quickly grew as I wrote this post.
Victims of the scam

The sites ultimately being advertised range from software to car insurance.

Sites promoted by the scam

Fortunately this scam did nothing to infect a victim's PC, but I suspect that the victims are a little embarrassed that they fell for it...and Facebook is there to inform the world.

- michael
Posted by Michael Sutton at 8:12 AM

2 comments:

Anonymous said...

Thanks a lot for the information! I accidentally "liked" such a site, and now I've been looking around on the internet how to get rid of this shit. Do you know?

November 1, 2010 at 1:21 PM
Anonymous said...

thanks alot great help

December 6, 2010 at 11:28 AM

Post a Comment

Subscribe to: Post Comments (Atom)