A clickjacking worm that forced hundreds of thousands of unsuspecting Facebook users to unknowingly post spam messages on their profiles, rapidly spread through the social networking website over the weekend. The worm used catchy news headlines to lure its victims into the trap.
Clickjacking is a Web attack technique that involves hijacking users' mouse clicks on a page (hence its name) and using them to trigger unauthorized actions. The attack is technically known as user interface (UI) redressing because it hides a clickable object, such as a button, by making it transparent and superimposing it over a non-dangerous looking one.
Though not new, the technique was only brought into the public attention last year, when reputed Web security researchers Jeremiah Grossman and Robert Hansen disclosed some critical attacks based on it. One of them allowed ill-intent hackers to turn on a computer's Web camera and microphone by exploiting a bug in the Flash Player Settings Manager.
The latest Facebook worm seems to be a proof of concept, becuase it does nothing destructive and its only purpose is to propagate. The offending messages posted on its victims' profiles are based on real and catchy news topics from the past several months. "LOL This girl gets OWNED after a POLICE OFFICER reads her STATUS MESSAGE", "This man takes a picture of himself EVERYDAY for 8 YEARS!!", "The Prom Dress That Got This Girl Suspended From School", or "This Girl Has An Interesting Way Of Eating A Banana, Check It Out!" are some of the examples.
Clicking on the messages takes users to external pages hosted at blogspot.com, which only display a text that reads "Click here to continue." However, clicking anywhere on the page abuses a user's active Facebook session to publishing a spam message back to his profile.
"The trick, which uses a clickjacking exploit, means that visiting users are tricked into 'liking' a page without necessarily realising they are recommending it to all of their Facebook friends. […] If you believe you may have been hit by this attack, view the recent activity on your news feed and delete entries related to the above links. Furthermore, you should view your profile, click on your Info tab and remove any of the pages from your 'Likes and interests' section," advises Graham Cluley, senior technology consultant at Sophos, who's antivirus products detect this threat as Troj/Iframe-ET.
To protect themselves, Mozilla Firefox users can install and use NoScript, a browser extension, which includes protection against clickjacking attacks, amongst others.