Security researcher Troy Hunt shows the inner workings of a worm

Oct 17, 2012 13:18 GMT

It all starts with a Facebook post that reads something like “At 15, she did that in public high school every day.” The next thing you know, all your friends are informed that you liked the post, even if you didn’t actually press the Like button.

Security expert Troy Hunt explains the inner workings of such a Facebook worm.

First of all, the crooks rely on open redirection flaws to trick victims into thinking that they’re about to visit a Facebook page, when in fact they’re taken to some shady website.

This landing page imitates the social network, but in reality it has nothing to do with Facebook. Likewise, the video player shown on it has nothing to do with YouTube or any other video-sharing site.

However, when the play button is pressed, the victim is actually pressing a hidden Like button associated with the malicious post. This is what’s called clickjacking, a clever trick deployed by fraudsters who want to hide their devious plans.

When users press the play button, they’re taken to a survey website that earns a commission for the scheme’s mastermind. In the meantime, all their friends get to see that they liked the Facebook post and get sucked in as well.
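As an added illustration, not code from the article or from Troy Hunt’s post, the two server-side checks a site would want against the weaknesses this worm chains: a redirect parameter that must stay on the site’s own host (so an open redirect cannot bounce users to a look-alike page), and response headers that forbid the site’s pages from being framed (the embedding a hidden Like button needs). The host name is a placeholder.

```python
from urllib.parse import urlparse, urljoin

# Placeholder for the site's own host (an assumption, not a real site).
ALLOWED_HOST = "www.example-social.test"


def is_safe_redirect(target: str, allowed_host: str = ALLOWED_HOST) -> bool:
    """Return True only if `target` resolves to the site's own host.

    Rejects absolute URLs to other hosts, protocol-relative URLs
    (//evil.test), userinfo tricks (host@evil.test) and non-http schemes.
    """
    if not target or "\\" in target:
        # Browsers treat backslashes like slashes; refuse them outright.
        return False
    # Resolve relative to the site so bare paths are judged on the real host.
    resolved = urljoin(f"https://{allowed_host}/", target)
    parts = urlparse(resolved)
    if parts.scheme not in ("http", "https"):
        return False
    return parts.hostname == allowed_host


def has_framing_protection(headers: dict) -> bool:
    """True if a response forbids being embedded in a cross-site iframe.

    Accepts X-Frame-Options DENY/SAMEORIGIN, or a Content-Security-Policy
    frame-ancestors directive that does not allow any origin (*).
    """
    lowered = {k.lower(): v for k, v in headers.items()}
    xfo = lowered.get("x-frame-options", "").strip().upper()
    if xfo in ("DENY", "SAMEORIGIN"):
        return True
    csp = lowered.get("content-security-policy", "")
    for directive in csp.split(";"):
        name, _, value = directive.strip().partition(" ")
        if name.lower() == "frame-ancestors":
            sources = value.split()
            return bool(sources) and "*" not in sources
    return False
```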

Hunt found that the “she did that in public high school every day” scheme is already indexed on over 31,000 pages. He also discovered that the links have been clicked not only by inexperienced users, but also by professionals who should have known better.

The bottom line is that the posts don’t appear on Facebook Walls/Timelines unless the fake video’s play button is pressed. This means that the embarrassing messages will not be displayed for anyone to see as long as the victim isn’t curious enough to try to watch the outrageous video.

If you’re interested in the technical details of how the Facebook worm works, check out Troy Hunt’s blog post.