Clickjacking attack spreads virally across Facebook, Sophos reports

Sophos Press Release

Hackers exploit 'Like' functionality to promote third-party websites

IT security and data protection firm Sophos is advising Facebook users to be cautious following a widespread clickjacking attack that hit hundreds of thousands of users on the popular networking site over the holiday weekend.


Affected profiles can be identified by having apparently 'liked' links with titles including:

"LOL This girl gets OWNED after a POLICE OFFICER reads her STATUS MESSAGE."

"This man takes a picture of himself EVERYDAY for 8 YEARS!!"

"The Prom Dress That Got This Girl Suspended From School."

"This Girl Has An Interesting Way Of Eating A Banana, Check It Out!"

Clicking on the links takes Facebook users to a page with a single line of text reading: 'Click here to continue'. Clicking at any point on the page publishes the same message (via an invisible iFrame) to their own Facebook page in an attempt to aid the spread of the worm.

"What the hackers have done is really sneaky. They hide an invisible button under your mouse, so wherever you click your mouse-press is hijacked, secretly clicking on a button which tells Facebook that you 'like' the webpage. This then gets published on your own Facebook page, and shared with your online friends, resulting in the link spreading virally," explained Graham Cluley, senior technology consultant at Sophos. "Some of the pages ended up with hundreds of thousands of fans as a result. Facebook needs to tighten up the way it handles the 'liking' of external webpages before it is more widely abused by malicious hackers and spammers."

Facebook users that have been affected should view the recent activity on their news feed and delete entries related to the offending links. In addition, they should view their profile, click on the 'Info' tab and remove any of the offending pages from the "Likes and interests" section.

Sophos's Facebook group, which warns of emerging threats on Facebook, can be found at:

More information about the attack, including images, can be found on Graham Cluley's blog.

More than 100 million users in 150 countries rely on Sophos’ complete security solutions as the best protection against complex threats and data loss. Simple to deploy, manage, and use, Sophos’ award-winning encryption, endpoint security, web, email, mobile and network security solutions are backed by SophosLabs - a global network of threat intelligence centers. Sophos is headquartered in Oxford, U.K., and is publicly traded on the London Stock Exchange under the symbol “SOPH.” More information is available at