By: Michael Sutton

Latest Facebook Clickjacking Attack - This Poor Girl Killed Herself...

Click Fraud

Clickjacking is really starting to be embraced by attackers since Jeremiah Grossman and Robert Hansen first spoke about it at OWASP NYC AppSec 2008. One of the primary targets for Clickjacking has been Facebook and most notably their new 'Like' feature which now appears on over 2 million websites.

Most of the 'Likejacking' attacks as they're commonly called, actually occur on third party websites but leverage the 'Like' button to promote advertising scams. Today however, we spotted a clickjacking attack directly on Facebook (within an IFRAME).

The scam appears within a Facebook page entitled 'This poor girl killed herself right after her dad posted this to her wall', which was still live at the time of this blog posting. When viewed, a user is first presented with a warning message, which is must first be accepted in order to display third party content within the following IFRAME:
 

http://girlkilledherself.leadhoster.com/suicide38/iframe.php
 
 
This is the clickjacking attack. Using a little social engineering, the victim is led to believe that they need to click on the numbered buttons in a particular order assuming that it's some form of CAPTCHA, designed to ensure that a human being is involved in the process. In reality, when selecting buttons a victim is posting this page to their wall and 'liking' the page. Both are efforts to further promote the scam. Users of NoScript will be protected as can be seen in the screenshots below as the plugin detects the fact that transparent images have been placed over the numbered buttons using the z-index property.

 

The overall purpose of the scam is fairly typical of clickjacking attacks that we've seen to date. When a user follows through and clicks on the buttons, they will unintentionally promote the page within Facebook and then be redirected to scams that the attacker presumably receives click-thru revenue from. It's always amazing to me how lucrative these attacks can be. As can be seen in the screenshot of people that 'like' the page, hundreds of people have already fallen victim and that number quickly grew as I wrote this post.

The sites ultimately being advertised range from software to car insurance.

Fortunately this scam did nothing to infect a victim's PC, but I suspect that the victims are a little embarrassed that they fell for it...and Facebook is there to inform the world.


- michael

Learn more about Zscaler.