Clickjacking is an old method that, as its name suggests, hijacks a user's mouse clicks on a page in order to force ill-intentioned web activities. A hidden or transparent iframe is placed on top of a legitimate button that users are likely to recognize. Once they click what they believe to be there (usually a message box), they are immediately redirected to a different page and asked to fill in forms, confirm their credentials, answer some questions or click further links. Of course, this page looks legitimate and trustworthy, so the unwary Internet user has no idea what happened.
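The overlay described above only works if the browser agrees to render the targeted page inside a frame on another origin, and a site controls that through its response headers. As an added example (not part of the original article), this JavaScript function classifies a response's `Content-Security-Policy: frame-ancestors` and `X-Frame-Options` headers; the function name, result labels and sample headers are constructed for illustration.

```javascript
// Added example (not from the original article): decide from response headers
// whether a browser would let another origin load the page in a frame.
// Header names are expected lower-cased, as Node's http module delivers them.
function framingPolicy(headers) {
  const csp = headers['content-security-policy'] || '';
  // Split the policy into directives and look for frame-ancestors.
  const directive = csp.split(';')
    .map(d => d.trim().split(/\s+/))
    .find(parts => parts[0].toLowerCase() === 'frame-ancestors');

  if (directive) {
    // When present, frame-ancestors takes precedence over X-Frame-Options.
    const sources = directive.slice(1).map(s => s.toLowerCase());
    // An empty source list is treated here like 'none'.
    if (sources.length === 0 || sources.every(s => s === "'none'")) return 'blocked';
    if (sources.some(s => s === '*' || /^https?:$/.test(s))) return 'any-origin';
    if (sources.every(s => s === "'self'")) return 'same-origin';
    return 'listed-origins';
  }

  const xfo = (headers['x-frame-options'] || '').trim().toUpperCase();
  if (xfo === 'DENY') return 'blocked';
  if (xfo === 'SAMEORIGIN') return 'same-origin';
  // Missing, malformed, or obsolete ALLOW-FROM: current browsers apply no limit.
  return 'any-origin';
}

// Constructed sample responses, not captured traffic.
const samples = {
  'no headers': {},
  'XFO deny': { 'x-frame-options': 'DENY' },
  'XFO allow-from': { 'x-frame-options': 'ALLOW-FROM https://partner.example' },
  'CSP self': { 'content-security-policy': "default-src 'self'; frame-ancestors 'self'" },
  'CSP overrides XFO': {
    'content-security-policy': 'frame-ancestors https://partner.example',
    'x-frame-options': 'DENY',
  },
};

for (const [name, headers] of Object.entries(samples)) {
  console.log(`${name}: ${framingPolicy(headers)}`);
}
```

A result of `any-origin` means the page can be placed under a transparent overlay on any site; `listed-origins` means only the origins named in the policy can frame it.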
Social networking platforms are mostly targeted by this kind of attack. The explanation is simple: a lot of people use them to socialize, hence their popularity. Moreover, the extensive database of such a community lures a significant number of cybercriminals and incites their ill-intentioned creativity.
The most recent Facebook clickjacker combines the documented feature of registering an anonymous "like" button without extra security checks with highly enticing comments, such as those below:
"LOL This girl gets OWNED after a POLICE OFFICER reads her STATUS MESSAGE.", "This man takes a picture of himself EVERYDAY for 8 YEARS!!", "The Prom Dress That Got This Girl Suspended From School.", "This Girl Has An Interesting Way Of Eating A Banana, Check It Out!"
Upon clicking the infamous "like" button, users access a transparent iframe which sends them to various blogspot.com-hosted web pages. In some cases, they reach an apparently blank page with a "click here to continue" message, or they are asked to fill in a questionnaire. Due to Facebook's popularity and its extensive user base, this social networking service has become not only a preferred target of information harvesters, but also the favorite playground for commercial purposes (such as disseminating adware, making users click on ads or fill in forms). Now imagine that each form filled in by an unwary Facebook user brings the hijacker a specific revenue, multiply that by the number of lured users, and you'll see why clickjacking is so popular.
Facebook has been notified and these abusive pages have been suspended.