Clickjack Schemes Running Rampant Through Social Networks

Webpedia defines “clickjacking” as “a vulnerability used by an attacker to collect an infected user’s clicks.” Once an account has been caught this way, the scheme can redirect the user to sites that may host malware, alter code on the user’s computer, or silently tell people in your feed that you “like” a site because you clicked on an enticing link; that post then encourages others to click on the same link, spreading the scam further. If an item shows up in your Facebook news feed claiming that you’ve “liked” it and encouraging others to view it, you’ve probably been the victim of a clickjack scheme.
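A clickjack page works by loading the target site inside an invisible frame and placing the real “Like” button under a decoy the visitor thinks they are clicking. The standard defence is for the site being framed to tell the browser that it must not be embedded. The following is an added example, not code from the original article or from any site it mentions: it builds the anti-framing response headers (`Content-Security-Policy: frame-ancestors` with `X-Frame-Options` as the legacy fallback) and includes a small model of the browser’s framing decision so the policy can be checked offline. The function names, the `allowedAncestors` parameter and the `.example` origins are all assumptions made for this illustration.

```javascript
// Added example (not from the article): server-side clickjacking defence.
// Origins, function names and the allowedAncestors parameter are constructed
// for illustration only.

// Headers a site should send on every HTML response. `allowedAncestors` is a
// list of origins permitted to embed the page; an empty list forbids all
// framing, which is the right default for a page carrying "Like" buttons.
function clickjackingHeaders(allowedAncestors = []) {
  const ancestors = allowedAncestors.length
    ? ["'self'", ...allowedAncestors].join(" ")
    : "'none'";
  return {
    // Modern browsers honour frame-ancestors and ignore X-Frame-Options
    // when both are present.
    "Content-Security-Policy": `frame-ancestors ${ancestors}`,
    // Legacy fallback: X-Frame-Options cannot express an allow-list, so the
    // closest it can get is SAMEORIGIN when any partner is allowed, DENY
    // otherwise.
    "X-Frame-Options": allowedAncestors.length ? "SAMEORIGIN" : "DENY",
  };
}

// Model of the browser's decision: may a document from `framerOrigin` embed a
// page served from `pageOrigin` with the given response headers? Real
// enforcement happens in the browser; this is a self-check for the policy.
function framingAllowed(headers, pageOrigin, framerOrigin) {
  const csp = headers["Content-Security-Policy"] || "";
  const match = csp.match(/frame-ancestors\s+([^;]+)/);
  if (match) {
    // frame-ancestors present: it alone decides, X-Frame-Options is ignored.
    const sources = match[1].trim().split(/\s+/);
    return sources.some((src) => {
      if (src === "'none'") return false;
      if (src === "'self'") return framerOrigin === pageOrigin;
      return src === framerOrigin;
    });
  }
  const xfo = (headers["X-Frame-Options"] || "").toUpperCase();
  if (xfo === "DENY") return false;
  if (xfo === "SAMEORIGIN") return framerOrigin === pageOrigin;
  // No policy at all: any site, including a clickjack page, may frame it.
  return true;
}

// Walk through the cases a defender cares about: no policy, a strict policy,
// and an allow-list with one trusted partner origin (constructed values).
function demo() {
  const site = "https://social.example";
  const attacker = "https://clickjack.example";
  const partner = "https://partner.example";
  return {
    unprotected: framingAllowed({}, site, attacker),
    strict: framingAllowed(clickjackingHeaders(), site, attacker),
    partnerAllowed: framingAllowed(clickjackingHeaders([partner]), site, partner),
    attackerStillBlocked: framingAllowed(clickjackingHeaders([partner]), site, attacker),
  };
}
```

Sending `frame-ancestors 'none'` is the setting to use for any page that exposes a one-click action; `'self'` or an explicit allow-list is only appropriate when the page genuinely needs to be embedded, and the `X-Frame-Options` fallback should always accompany it for browsers that predate CSP.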

Recent clickjack attacks have appeared as supposed viral videos about Miley Cyrus, as links whose preview screencap shows suggestive or partially nude people, and, in one particularly virulent scheme making the rounds on Facebook, as a false report of the death of actor Charlie Sheen.

Even worse are viral clickjacks that take advantage of interest in the recent tragedy in Japan. Less than a day after the 8.9-magnitude earthquake and resulting tsunami hit the island, bogus videos began circulating on Facebook that claimed to show a whale that had been “launched into a building” — a particularly sneaky and opportunistic attack, in light of the millions of people around the world who are trying to obtain the latest information about the disaster.

As early as October 2008, Adobe acknowledged that Flash was particularly vulnerable to attacks and identified clickjacking as “a critical issue”; Adobe responded by offering a workaround for versions of Flash 9.0 and earlier. Installation of Flash 10 seems to prevent most of the trouble, according to Jeremiah Grossman of White Hat Security, who was in part responsible for identifying the threat to Adobe Systems.

Other clickjack scams recently making the rounds on Facebook include: “This girl killed herself because her dad posted this video on her wall,” “From couple to family in 39 months” and “Girl accidentally sends dad SMS about her first time” — all of these are scams, and variations of each are popping up all over Facebook under a variety of names, which then direct you to complete a survey or submit personal information, such as a cell phone number.

Many similar attacks come in the shape of “likejacks”: fake copycat game-application messages that take advantage of the usual game-play tactic of encouraging players to be the first to click on the goodies offered in a link. A popular target for these “likejackers” is the Zynga game Farmville, which generates a large number of posts for any player who engages in regular, legitimate game play. Copycat posts often feature freebies that look very similar to official game-generated items, which is why it is sometimes difficult to stop these posts from going viral.

For now, the easiest way to prevent the spread of clickjack links is to delete posts you may have inadvertently made by clicking on one of these links. Be very wary of any site that asks you to give personal information or answer questions to get anything. Subscribe to a scam monitoring page like Sophos on Facebook, so that you get the latest news on scams. And, by all means, alert those people you see whose profiles or posts seem to have been clickjacked so they do not spread the posts to everyone else on their news feed.