Mar 28, 2011 09:56 GMT

Localized scams are gaining more ground on Facebook and the success of a recent one is proof that non-English speakers are still uneducated about such threats.

The latest attack lures Italian users with an amateur video of a young man firing a gun at the San Pietrini police in Piazza del Popolo.

The message spammed by the victims reads: "Video amatoriali degli scontri a Piazza del Popolo che riprende un ragazzo mentre tira San Pietrini alla Polizia. DICIAMO BASTA A QUESTE VIOLENZE!"

The included link directs users to a page that displays a fake video player thumbnail and a fake comment stream of Italian-speaking users allegedly reacting to the footage.

Clicking the play button on the video triggers a "Like" action on behalf of users without their authorization, thus propagating the scam.

This is done through an attack technique known as clickjacking, which uses Web programming techniques to make a button invisible and position it on top of an innocuous-looking one.

Therefore, the mouse clicks of users who believe they will perform a harmless action can be hijacked for malicious purposes.
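The overlay pattern described above can be looked for when auditing a suspicious page. The following is an added example, not code from the article or from Sophos: it flags framed content that is invisible yet still clickable and that sits over a visible control. The element descriptor format, the function names and the sample data are assumptions made for illustration.

```javascript
// Audit heuristic for the overlay pattern described above: a framed widget made
// (nearly) invisible and laid over a visible decoy control. Descriptors are an
// assumed format; in a browser they would be built from getComputedStyle() and
// getBoundingClientRect(). Stacking order (z-index) is not modelled here.

function parseStyle(styleText) {
  const style = {};
  for (const decl of styleText.split(';')) {
    const idx = decl.indexOf(':');
    if (idx === -1) continue;
    style[decl.slice(0, idx).trim().toLowerCase()] = decl.slice(idx + 1).trim().toLowerCase();
  }
  return style;
}

// Invisible to the eye but still able to receive a click.
function isHiddenButClickable(style) {
  // display:none and visibility:hidden elements cannot be clicked, so they are not the risk.
  if (style.display === 'none' || style.visibility === 'hidden') return false;
  if (style['pointer-events'] === 'none') return false;
  const opacity = style.opacity === undefined ? 1 : parseFloat(style.opacity);
  return opacity <= 0.1;
}

function overlaps(a, b) {
  return a.x < b.x + b.w && b.x < a.x + a.w && a.y < b.y + b.h && b.y < a.y + a.h;
}

function findSuspectOverlays(elements) {
  const findings = [];
  for (const frame of elements.filter(e => e.tag === 'iframe')) {
    if (!isHiddenButClickable(parseStyle(frame.style || ''))) continue;
    for (const decoy of elements.filter(e => e.tag !== 'iframe')) {
      if (overlaps(frame.rect, decoy.rect)) findings.push({ frame: frame.id, covers: decoy.id });
    }
  }
  return findings;
}

// Constructed sample page (not taken from the scam described in the article).
const samplePage = [
  { id: 'play-button', tag: 'img', style: '', rect: { x: 100, y: 100, w: 64, h: 64 } },
  { id: 'widget-frame', tag: 'iframe', style: 'position:absolute; opacity:0', rect: { x: 110, y: 110, w: 50, h: 24 } },
  { id: 'footer-frame', tag: 'iframe', style: 'opacity:1', rect: { x: 0, y: 600, w: 300, h: 50 } },
  { id: 'hidden-frame', tag: 'iframe', style: 'display:none', rect: { x: 100, y: 100, w: 64, h: 64 } },
];

console.log(findSuspectOverlays(samplePage));
```

Only the transparent frame over the play button is reported; the visible footer frame and the `display:none` frame, which cannot receive clicks, are ignored.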

Security researchers have coined the word likejacking to refer to clickjacking attacks that trick Facebook users into liking pages. According to Sophos, over 107,000 Italians have fallen for this one, whose ultimate purpose is to lure users to surveys.

The high number of victims is reminiscent of the early days of English Facebook scams, when every attack affected hundreds of thousands of users.

This suggests that non-English-speaking users are not yet familiar with such threats, probably because they haven't been actively targeted in the past. It could also be that Facebook's automatic scam detection systems are more efficient for English than for other languages.