New Facebook Clickjacking Worm

Graham blogged about a Facebook clickjacking worm back in May which we dubbed Likejacking — for a number of weeks the threat ran rampant throughout Facebook. Since then, it has calmed down quite a bit and we don’t see much likejacking anymore. However, today we came across a new form of clickjacking where, instead of tricking the user into liking something, it tricks them into using the Facebook “Share” feature without requiring the user to acknowledge the fact that they’re sharing it.

It starts off on a suspicious looking Facebook fan page where they offer the opportunity to see the “Top 10 Funny T-Shirt Fails ROFL.” Once the page is loaded, it loads the appropriate tab and grabs the malicious script from an external domain that silently forces the user automatically share the page on their profile.

Users running the Firefox plugin NoScript who click on the Next button on step 2 will notice the following warning popup.

Had you not been running NoScript you’d notice, or more likely you wouldn’t notice, that your profile page would now have shared content linking users to a malicious domain. Clicking the link sends you to one of many fan pages all serving the exact same content. It seems a fan page is chosen at random.

Complete details with images in http://www.sophos.com/blogs/sophoslabs/?p=10716

Leave a Reply