June 4, 2010

More ‘Clickjacking’ Issues For Facebook Users

Droves of Facebook users are falling prey to "clickjacking" attacks through links that appear to have been "liked" by their friends, web security labs are warning.

Hundreds of thousands of users have been affected by the attacks. Clicking the link tricks users into recommending the site on Facebook too.

Currently the purpose of clickjacking is "trivial" and does not actively result in any malware or phishing attacks, Graham Cluley, senior technology consultant at Sophos, told BBC News.

The links take users through to a page containing instructions, like asking them to click a button to confirm they are over 18. However, wherever they click on the page, it adds a link to their own Facebook profile saying they have also "liked" the site.

"At the moment the attacks which we've seen are more like old-school viruses - written for the heck of it to see how many fans they can get," said Cluley.

"But our feeling is that it would be fairly easy for the bad guys to introduce some revenue generation for themselves," he added.

Cluley said clickjacking works on all computer systems. The attack uses iframes to place what is essentially an invisible button over the entire web page, so that no matter where the user clicks, they end up hitting the invisible button.

A free plug-in for the Firefox web browser called NoScript shows pop-up warnings about potential clickjacking attacks. However, it also raises queries on Flash videos, which many websites use.

The plug-in is not that easy to install either, said Cluley, noting that "you have to be a little bit nerdy to configure it."

