Sep 9, 2010 15:44 GMT

Security researchers from Sophos warn of a new clickjacking attack that uses social engineering to trick Facebook users into promoting rogue pages from their own accounts.

The spam messages posted from the affected accounts read "Cheerleaders gone wild – have to see this" and contain a link and a picture of an attractive girl with pom-poms.

Clicking on the link takes curious users to a rogue Facebook page, which displays a legitimate-looking warning prompt.

"The content you are about to view may be inappropriate for some users. […] To view this content, please verify that you are 18 or older by pressing Confirm button below," it reads.

Clicking Confirm triggers a supposed security check, which asks users to click three buttons in a specific order, ironically to verify that they are not a spam bot.

Complying with this request causes users to share the spam link on their own wall and to like two additional rogue pages, called "Funniest Videos On The Web" and "Free ringtones everyday."

This type of attack is called clickjacking. It works by loading real Facebook controls, such as the "Share" or "Like" buttons, in an invisible frame positioned exactly over page elements that look legitimate, so that a click aimed at the visible decoy actually lands on the hidden button and is carried out with the victim's own logged-in session.

Unlike most Facebook scams, which promise shocking content and never deliver it, this one actually loads a YouTube video of cheerleaders once the clickjacking has taken place. This is done so that users do not get suspicious.

They might be disappointed, since the video is not "inappropriate" as advertised, but chances are that they won't notice the spam post on their wall or the rogue pages they unknowingly liked.

"If you were hit by this latest Facebook scam, clean up your profile and remove references to the 'Cheerleaders Gone Wild' and other pages," Graham Cluley, a senior technology consultant at Sophos, advises.

"You should always be wary of suspicious out-of-character posts made by your Facebook friends," the security expert notes.