Softpedia
 


March 14th, 2011, 04:39 GMT · By

Facebook Likejacking Scams Lure Users with Japanese Tsunami Videos

Japanese disaster exploited in Facebook clickjacking scams
Security researchers from Sophos warn of multiple Facebook clickjacking scams that force users to Like rogue pages by using fake Japanese tsunami videos as a lure.

After a devastating tsunami resulting from an 8.9-magnitude earthquake hit Japan last week, security experts knew that it was only a matter of time until scammers would start exploiting it.

First came the black hat SEO campaigns and now the Facebook likejacking scams that use clickjacking techniques to steal Likes.

For example, one such scam is currently being propagated through messages reading "Japanese Tsunami Launches Whale Into Building. You won't believe this! Crazy Footage!"

It would indeed be impressive to see a wave launching whales into buildings, but unfortunately, this is only a ruse to lead people to a spoofed YouTube website.

The rogue page displays a video thumbnail and reads "Please Watch this video only if you are 16 years or older" and clicking on the play button prompts users to verify their age by completing a survey.

More importantly, in the background and without user approval, it hijacks clicks and uses them to Like the page.

This type of attack, known as likejacking (like + clickjacking), uses classic user interface redressing tricks, where CSS and other Web programming techniques are abused to make the Like button invisible and position it over another element on the page.

A similar scam seen over the weekend uses a "Japanese Tsunami RAW Tidal Wave Footage" message to lure users.

"If you made the mistake of clicking on a link spread via a scam message like the one listed above, you should check your Facebook news feed and remove any offending links that you might have spammed out to your friends," advises Graham Cluley, senior technology consultant at Sophos.

Meanwhile, security researchers from cloud security provider Zscaler have created a bookmarklet that works in most browsers and can be used to uncover clickjacking attacks. However, it does require some technical knowledge on the user's behalf.
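The kind of check a clickjacking-detection tool can run against the redressing pattern described above, as an added example (it is not Zscaler's bookmarklet and not code from the article). The function names, the descriptor shape, the opacity threshold and the sample data are all assumptions made for illustration.

```javascript
// Added example: flag frames that are styled to be unseen yet still receive
// clicks, and that sit on top of a visible click target.
const OPACITY_LIMIT = 0.1; // assumption: below this a frame is effectively invisible

function overlaps(a, b) {
  return a.left < b.right && b.left < a.right && a.top < b.bottom && b.top < a.bottom;
}

// Descriptor (hypothetical shape): { src, opacity, visibility, display,
// pointerEvents, rect: { left, top, right, bottom } }
function isInvisibleButClickable(frame) {
  const unseen = Number(frame.opacity) < OPACITY_LIMIT;
  const clickable = frame.visibility !== 'hidden' && frame.display !== 'none' &&
                    frame.pointerEvents !== 'none';
  const hasArea = frame.rect.right > frame.rect.left && frame.rect.bottom > frame.rect.top;
  return unseen && clickable && hasArea;
}

// Returns one finding per suspicious frame, listing the targets it covers.
function findRedressedFrames(frames, targets) {
  const findings = [];
  for (const f of frames) {
    if (!isInvisibleButClickable(f)) continue;
    const covers = targets.filter(t => overlaps(f.rect, t.rect)).map(t => t.label);
    if (covers.length > 0) findings.push({ src: f.src, covers });
  }
  return findings;
}

// Browser adapter: build descriptors from the live DOM (not used under Node).
function describe(el, label) {
  const cs = getComputedStyle(el);
  const r = el.getBoundingClientRect();
  return { src: el.src || '', label, opacity: cs.opacity, visibility: cs.visibility,
           display: cs.display, pointerEvents: cs.pointerEvents,
           rect: { left: r.left, top: r.top, right: r.right, bottom: r.bottom } };
}
function scanPage() {
  const frames = [...document.querySelectorAll('iframe')].map(e => describe(e, 'iframe'));
  const targets = [...document.querySelectorAll('a, button, img, video, [onclick]')]
    .map(e => describe(e, e.tagName.toLowerCase()));
  return findRedressedFrames(frames, targets);
}

// Constructed sample: a transparent widget frame over a fake play button,
// plus an ordinary visible frame elsewhere on the page.
const SAMPLE_FRAMES = [
  { src: 'https://widget.example/like', opacity: '0', visibility: 'visible', display: 'block',
    pointerEvents: 'auto', rect: { left: 200, top: 150, right: 250, bottom: 175 } },
  { src: 'https://ads.example/banner', opacity: '1', visibility: 'visible', display: 'block',
    pointerEvents: 'auto', rect: { left: 0, top: 600, right: 728, bottom: 690 } },
];
const SAMPLE_TARGETS = [{ label: 'play-button', rect: { left: 180, top: 130, right: 300, bottom: 220 } }];
```

In a browser, `scanPage()` can be run from the developer console on the page being inspected. The check reads each iframe's own computed opacity, so a frame hidden through a transparent ancestor element is not flagged.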
