Clickjacking is really starting to be embraced by attackers since Jeremiah Grossman and Robert Hansen first spoke about it at OWASP NYC AppSec 2008. One of the primary targets for Clickjacking has been Facebook and most notably their new 'Like' feature which now appears on over 2 million websites.
Most of the 'Likejacking' attacks as they're commonly called, actually occur on third party websites but leverage the 'Like' button to promote advertising scams. Today however, we spotted a clickjacking attack directly on Facebook (within an IFRAME).
The scam appears within a Facebook page entitled 'This poor girl killed herself right after her dad posted this to her wall', which was still live at the time of this blog posting. When viewed, a user is first presented with a warning message, which is must first be accepted in order to display third party content within the following IFRAME:
The overall purpose of the scam is fairly typical of clickjacking attacks that we've seen to date. When a user follows through and clicks on the buttons, they will unintentionally promote the page within Facebook and then be redirected to scams that the attacker presumably receives click-thru revenue from. It's always amazing to me how lucrative these attacks can be. As can be seen in the screenshot of people that 'like' the page, hundreds of people have already fallen victim and that number quickly grew as I wrote this post.
The sites ultimately being advertised range from software to car insurance.
Fortunately this scam did nothing to infect a victim's PC, but I suspect that the victims are a little embarrassed that they fell for it...and Facebook is there to inform the world.
- michael
