In the past few days I've had a number of people send me URLs that they received from friends on Facebook that seemed unusual and asked me what is this? In each of these cases, the answer was 'LikeJacking' - while this has been discussed in the security community for the last month or so (e.g., Sophos blog post), the general public seems fairly unaware of this technique. The term has been adopted enough, that there is a Wikipedia page for it, with a very straight-forward definition:
For those unfamiliar with Facebook's 'Like Button' - "The Like button enables users to make connections to your pages and share content back to their friends on Facebook with one click" additional details can be read here.
Many of the sites involved with LikeJacking are NSFW (contain nudity). However, below is a recent example of sites that I can safely take some screenshots of (sorry, no nudity on this blog):
Example: hxxp://tattooshaha.info/
Viewing the source of the site, we can see the META tags used for the information that will propagate to Facebook:
And a transparent iframe to for the visitor to 'Like' the site:
Why? Well the simple answer is to drive up the number of visitors to your site though Facebook 'Like' advertisement. For this particular example, clicking on the image directs users to hxxp://coolest-bathroom.info/tattoo/, and viewing the source of the page shows that JS source is loaded from cpalead.com:
The purpose of this campaign appeared to monetize click-throughs with cpalead.com:
I've seen this technique in play in a number of other LikeJacking campaigns, e.g.,
hxxp://www.101hottestwomen.com/
hxxp://102hottestwomen.com/
hxxp://103hottestwomen.com/video.html
hxxp://104hottestwomen.com/video.html
hxxp://105hottestwomen.com/video.html
hxxp://106hottestwomen.com/video.html
hxxp://107hottestwomen.com/video.html
hxxp://108hottestwomen.com/video.html
hxxp://109hottestwomen.com/video.html
hxxp://110hottestwomen.com/video.html
hxxp://111hottestwomen.com/video.html
The source of this one shows that if your visiting from Germany, Finland, or Spain IP you load from cpalead.com, otherwise you load from adscendmedia.com (CPA affiliate):
Blog de Zscaler
Reciba en su bandeja de entrada las últimas actualizaciones del blog de Zscaler
¿Este post ha sido útil?
Exención de responsabilidad: Este blog post ha sido creado por Zscaler con fines informativos exclusivamente y se ofrece "como es" sin ninguna garantía de precisión, integridad o fiabilidad. Zscaler no asume ninguna responsabilidad por errores u omisiones ni por las acciones que se tomen basándose en la información proporcionada. Cualquier sitio web o recurso de terceros enlazado en esta publicación de blog se proporciona únicamente por conveniencia, y Zscaler no se hace responsable de su contenido ni de sus prácticas. Todo el contenido está sujeto a cambios sin previo aviso. Al acceder a este blog, acepta estos términos y reconoce ser el único responsable de verificar y utilizar la información de manera adecuada según sus necesidades.
Explorar más blogs de Zscaler
Agniane Stealer: Dark Web’s Crypto Threat
The Impact of the SEC’s New Cybersecurity Policies
Security Advisory: Remote Code Execution Vulnerability (CVE-2023-3519)
The TOITOIN Trojan: Analyzing a New Multi-Stage Attack Targeting LATAM Region
Reciba en su bandeja de entrada las últimas actualizaciones del blog de Zscaler
Al enviar el formulario, acepta nuestra política de privacidad.