A new clickjacking worm is spreading through Facebook via the ‘Like’ feature. The attack, which is said to have hit hundreds of thousands of users, uses a combination of social engineering and clickjacking exploit makes it appear as if a user has “liked” a link.
The messages that are being used in the link text include, “LOL This girl gets OWNED after a POLICE OFFICER reads her STATUS MESSAGE,” “This man takes a picture of himself EVERYDAY for 8 YEARS!!,” “The Prom Dress That Got This Girl Suspended From School” and “This Girl Has An Interesting Way Of Eating A Banana, Check It Out!”
When a user clicks on the text that appears to be “liked” he is taken to a blank page that just has the text, “Click here to continue.” Clicking anywhere on that page will then publish the same message to that users Facebook page.
This vector is extremely similar to the Fbhole worm that spread across Facebook ten days ago. Because users unwittingly end up recommending the offending page to their social graph, this is the type of worm that can spread extremely quickly.
Security firm Sophos has identified the linked pages as being infected with the Troj/iframe-ET worm. It doesn’t appear as if the worm does anything other than add likes to your feed, but if you’ve been infected, you’ll still want to take action.
Sophos recommends deleting any entries in your news feed related to the links and check your profile and info pages to make sure that no links or pages related to those sites have been added to your profile.
Reviews: Facebook, banana, iStockphoto