More deceptive messages and “Like” button abuse

Jun 3, 2010 15:33 GMT  ·  By

The clickjacking attacks that plagued Facebook this past weekend have made a comeback. Security experts warn that the new spam messages touch on popular subjects such as the World Cup, the BP leak, the new Shrek movie and the UFC games, or celebrities like Justin Bieber and Hayley Williams.

Celebrity gossip has always been a good ruse for cybercrime, and the recently leaked intimate photo of Paramore lead vocalist Hayley Williams is bound to attract some attention. That's why the latest clickjacking run on Facebook forces victims to "Like" a link called "Paramore n-a-k-ed photo leaked!"

But Ms. Williams is not the only celebrity whose popularity is being exploited by these attackers. The massive fan base of teen sensation Justin Bieber has also been targeted under the pretense of revealing the star's address and phone number. Users who fall for this scam will publish "Justin Biebers Phone Number Leaked!" back on their Facebook page.

In both cases, visiting the link will open an external page that is rigged with code that uses a clickjacking trick to trigger an unauthorized action. "What the hackers have actually done is very sneaky. They have hidden an invisible button under your mouse, so wherever you click on the website your mouse-press is hijacked. As a consequence, when you click with the mouse you're also secretly clicking on a button which tells Facebook that you 'like' the webpage. This then gets published on your own Facebook page, and shared with your online friends, resulting in the link spreading virally," explains Sophos' Senior Technology Consultant, Graham Cluley, who puts the number of affected users into the thousands.
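The layout Cluley describes, a cross-origin frame holding the "Like" button, made transparent and parked under the cursor, can be spotted by a simple page-level scan. The following is an added example, not code from the article, from Sophos or from NoScript; the frame descriptor shape and the sample frames are constructed assumptions modelled on what a browser's getComputedStyle() and getBoundingClientRect() return.

```javascript
// Heuristic scan for an invisible cross-origin iframe overlaid on page content.
// Added example; descriptor shape {src, rect, opacity} is an assumption.
const OPACITY_THRESHOLD = 0.1; // below this, a user cannot see the frame

function isCrossOrigin(src, pageOrigin) {
  try {
    return new URL(src, pageOrigin).origin !== pageOrigin;
  } catch (e) {
    return true; // unparsable src: treat as foreign
  }
}

function covers(rect, point) {
  return point.x >= rect.left && point.x < rect.left + rect.width &&
         point.y >= rect.top  && point.y < rect.top  + rect.height;
}

// Returns the frames that come from another origin, are effectively
// invisible, and (when a pointer position is given) sit under the cursor.
function findHiddenOverlays(frames, pageOrigin, pointer) {
  return frames.filter(f =>
    isCrossOrigin(f.src, pageOrigin) &&
    f.opacity < OPACITY_THRESHOLD &&
    (pointer === undefined || covers(f.rect, pointer)));
}

// Browser-only collector. Effective opacity is the product of the element's
// own opacity and every ancestor's, because a wrapper at opacity:0 hides the
// frame just as well as styling the iframe itself.
function collectFrames(doc, win) {
  return Array.from(doc.querySelectorAll('iframe')).map(el => {
    let opacity = 1;
    for (let n = el; n; n = n.parentElement) {
      opacity *= parseFloat(win.getComputedStyle(n).opacity);
    }
    return { src: el.src, rect: el.getBoundingClientRect(), opacity };
  });
}

// Constructed sample (placeholder domains): a visible embedded video plus an
// invisible social-widget frame positioned exactly over the "play" control.
const SAMPLE_FRAMES = [
  { src: 'https://video.example/embed/1',
    rect: { left: 100, top: 100, width: 640, height: 360 }, opacity: 1 },
  { src: 'https://social.example/plugins/like?href=https://bait.example/',
    rect: { left: 400, top: 270, width: 90, height: 20 }, opacity: 0 },
];
```

In a browser, `findHiddenOverlays(collectFrames(document, window), location.origin)` lists the frames a visitor cannot see; running it from an extension or bookmarklet on a suspicious page is the intended use, since the parent page never receives the clicks that land inside a cross-origin frame.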

Meanwhile, Richard Cohen, the technical lead for malware research at SophosLabs Canada, has dug a little deeper and uncovered more Facebook clickjacking campaigns that abuse topics of interest. For example, some of them promise to allow users to view "WORLD CUP 2010 in HD" or a "Top Secret Video you’ve NEVER seen" concerning the BP oil spill. Others falsely claim to be offering the ability to "Watch UFC 114 Online" or "Shrek: Forever After" for free.

If you are amongst the users affected by any of these attacks, you are advised to remove any mention of these links from your profile and newsfeed and consider the links you are about to visit very carefully, even if your friend posted them. Firefox users can protect themselves by installing the NoScript extension, which is able to stop clickjacking attacks out of the box.

You can follow this editor on Twitter @lconstantin