Zscaler Blog

Security Research

Gone Phishin' On The Facebook

March 29, 2013 - 3 min read


Social media sites are ripe for exploitation and malicious intent.  They have become a staple of connectivity between colleagues, family, and friends to the point that they are in many cases the focal point of communication.  Chief among these social media sites is Facebook.  Not quite as professional a network as LinkedIn, not quite as informal as Twitter, Facebook is a perfect storm of chat, image host, and blurbs about how delicious your friend's lunch was.  Of course, the information you post on these networks is what makes them so juicy a target for scammers.

Clickjacking is a scam technique that tricks users into clicking on something they perceive as legitimate but that is actually designed to harvest a “Like” or a click-through to something malicious.

These Facebook scams aren’t hidden nearly as well as you might think.  More than likely you have one in your News Feed right now.  So let me drop some helpful hints on how to spot a Facebook scam:



  • Shared/Liked a link for something clearly Not Safe for Work.
  • Shared/Liked a link for ANYTHING related to Free ANYTHING.  Nothing in life is free, so don’t expect it on Facebook either.
  • Shared/Liked a link from a less reputable source.  Example: Tommy Boy shared a link from: OMG!! COUPONS!?!1! Free Ipads and more
  • A shared/liked video or picture is displayed differently than other pictures or videos.
  • You are tagged in a post in which other seemingly random friends are also tagged, along with a shortened URL.

My example today will cover 3/5 of the above so let’s get started!





This immediately met my criteria for suspicion.  In a secure environment, and on my dog’s Facebook account, I felt comfortable exploring further without putting my personal account at risk.







Clicking that ‘video’ link will immediately take you to a page that almost looks legitimate.  It has the Facebook navbar, but no chat bar.  To deter the more savvy users from inspecting these elements further, the scammers have ensured that right-click is disabled.  The code for which looks like this:







Closer inspection of the source will reveal that it isn’t even a video, but an image of a video.  See:

Fortunately for this victim, the attackers were only after his likes and not his account or computer.  Clicking through this ‘video’ triggers a ‘LikeJacking’ attack.  So far, 160 people have fallen for this scheme.

The attacker’s goal here is not to spread malcontent and chaos, but rather to make money by scamming affiliate marketers.  A ‘Like’ on Facebook requires no two-step verification to ensure that the user in question indeed intended to click ‘Like’.  The harvested ‘Likes’ from the scam can then be used for any purpose the scammers desire, since there is no indication of what is actually being endorsed.  As you see in the above screenshot, this button could be attached to anything the scammers choose, giving the impression that 160 people ‘Liked’ something else entirely.
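The two traits described above (right-click disabled on the landing page, and a Like that fires when the user thinks they are clicking a video) can be turned into a simple detection heuristic. The scanner below is an added example, not code from the original post or from Zscaler; the sample pages it parses are constructed here, and the way the Like is hidden (a transparent iframe over the fake play button) is the textbook likejacking layout, assumed rather than taken from the post.

```python
import re
from html.parser import HTMLParser

# Facebook's Like button plugin endpoint, as embedded via an iframe.
LIKE_PLUGIN = re.compile(r"facebook\.com/plugins/like", re.I)
# Inline styles that make a frame invisible while it still receives clicks.
HIDDEN_STYLE = re.compile(r"opacity\s*:\s*0(?:\.0+)?\s*(?:;|$)|visibility\s*:\s*hidden", re.I)
# Context-menu handlers that cancel the event, i.e. disable right-click.
BLOCK_MENU = re.compile(r"return\s+false|preventDefault", re.I)


class LikejackScanner(HTMLParser):
    """Collects human-readable findings while parsing the page."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        a = {k.lower(): (v or "") for k, v in attrs}
        if BLOCK_MENU.search(a.get("oncontextmenu", "")):
            self.findings.append(f"<{tag}> disables right-click via oncontextmenu")
        if tag == "iframe" and LIKE_PLUGIN.search(a.get("src", "")):
            if HIDDEN_STYLE.search(a.get("style", "")):
                self.findings.append("hidden iframe embeds the Facebook Like plugin")


def scan(html):
    """Return the list of likejacking indicators found in the HTML string."""
    parser = LikejackScanner()
    parser.feed(html)
    parser.close()
    return parser.findings


# Constructed sample modelled on the post's description: a picture of a video,
# right-click disabled, and an invisible Like frame positioned over the play area.
SAMPLE_SCAM = """<html><body oncontextmenu="return false;">
<img src="video-thumb.jpg" alt="Play video">
<iframe src="https://www.facebook.com/plugins/like.php?href=https://example.test/offer"
        style="position:absolute;top:120px;left:300px;opacity:0"></iframe>
</body></html>"""

# Constructed benign page: a visible, ordinary Like button and no click interference.
SAMPLE_BENIGN = """<html><body>
<iframe src="https://www.facebook.com/plugins/like.php?href=https://example.test/"
        style="border:none;width:120px;height:28px"></iframe>
</body></html>"""

if __name__ == "__main__":
    for finding in scan(SAMPLE_SCAM):
        print("FLAG:", finding)
```

The heuristic only inspects inline attributes; a page that hides the frame through an external stylesheet or sets the handler from script would need the rendered DOM rather than raw HTML.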






Digging deeper into this scam, it seems unlikely that this is the only instance of it on Facebook.  I did a quick look-up on the image hosted at and found that it was uploaded 7 months ago and has been seen 2,439,013 times, at a combined bandwidth of 187.45 GB.







I’m no affiliate marketer, but I did some research and found that the common payout method for a pay-per-click offering would yield $290.35 a day, given the time this scam has been running and the number of views.
