Clickjacking attack spreads virally across Facebook, Sophos reports

June 01, 2010 Sophos Press Release

IT security and data protection firm Sophos is advising Facebook users to be cautious following a widespread clickjacking attack that hit hundreds of thousands of users on the popular networking site over the holiday weekend.

  girlownedpoliceofficerstatusmessage

Affected profiles can be identified by having apparently 'liked' links with titles including:

"LOL This girl gets OWNED after a POLICE OFFICER reads her STATUS MESSAGE."

"This man takes a picture of himself EVERYDAY for 8 YEARS!!"

"The Prom Dress That Got This Girl Suspended From School."

"This Girl Has An Interesting Way Of Eating A Banana, Check It Out!"

Clicking on the links takes Facebook users to a page with a single line of text reading: 'Click here to continue'. Clicking at any point on the page publishes the same message (via an invisible iFrame) to their own Facebook page in an attempt to aid the spread of the worm.

"What the hackers have done is really sneaky. They hide an invisible button under your mouse, so wherever you click your mouse-press is hijacked, secretly clicking on a button which tells Facebook that you 'like' the webpage. This then gets published on your own Facebook page, and shared with your online friends, resulting in the link spreading virally," explained Graham Cluley, senior technology consultant at Sophos. "Some of the pages ended up with hundreds of thousands of fans as a result. Facebook needs to tighten up the way it handles the 'liking' of external webpages before it is more widely abused by malicious hackers and spammers."

Facebook users that have been affected should view the recent activity on their news feed and delete entries related to the offending links. In addition, they should view their profile, click on the 'Info' tab and remove any of the offending pages from the "Likes and interests" section.

Sophos's Facebook group, which warns of emerging threats on Facebook, can be found at: www.facebook.com/pages/Sophos/28552295016

More information about the attack, including images, can be found on Graham Cluley's blog.