Facebook hit by more clickjacking attacks
Facebook has become the victim of more clickjacking attacks forcing users to 'Like' webpages without them knowing it.


Facebook has been hit by yet more clickjacking attacks, forcing users to 'Like' webpages on the social networking service.
Numerous users' Facebook profiles have been updated by the attack to say they like a webpage with the seductive title of 101 Hottest Women in the World, Sophos has reported.
The technique, which the security firm has dubbed "likejacking", hides an "invisible button" under a user's mouse, meaning that wherever they click on the webpage, the click is captured by the hackers running the operation. This then tells Facebook that the user likes the webpage without them knowing it.
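An added example, not from the article or from Sophos: a static check a defender could run over fetched page source to flag a Like-button frame that has been made invisible in the way described above. It assumes the button is an iframe served from the `facebook.com/plugins/like.php` path and that the hiding is done with inline `opacity`; the sample page and the 0.1 threshold are constructed.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumptions (not from the article): the Like button is an iframe served from
# this plugin path; opacity <= 0.1 counts as invisible; only inline styles are read.
LIKE_HOSTS = {"facebook.com", "www.facebook.com"}
LIKE_PATH = "/plugins/like.php"
VOID = set("area base br col embed hr img input link meta source track wbr".split())
OPACITY = re.compile(r"(?:^|;)\s*opacity\s*:\s*(\d*\.?\d+)\s*(?:!important\s*)?(?=;|$)", re.I)

def is_transparent(style):
    values = OPACITY.findall(style)  # last declaration wins, as in CSS
    return bool(values) and float(values[-1]) <= 0.1

class LikeFrameScanner(HTMLParser):
    def __init__(self):
        super().__init__()
        self.stack = []     # (tag, transparent?) for each open element
        self.findings = []  # (src, "iframe" or "ancestor") per hidden Like frame

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        own = is_transparent(attrs.get("style") or "")
        if tag == "iframe" and (own or any(hidden for _, hidden in self.stack)):
            src = attrs.get("src") or ""
            url = urlparse(src)
            if url.hostname in LIKE_HOSTS and url.path == LIKE_PATH:
                self.findings.append((src, "iframe" if own else "ancestor"))
        if tag not in VOID:  # void elements never get an end tag
            self.stack.append((tag, own))

    def handle_endtag(self, tag):
        for i in range(len(self.stack) - 1, -1, -1):
            if self.stack[i][0] == tag:
                del self.stack[i:]  # also drops unclosed children
                break

def scan(html):
    scanner = LikeFrameScanner()
    scanner.feed(html)
    scanner.close()
    return scanner.findings

# Constructed sample: one Like frame inside a transparent wrapper, one visible.
SAMPLE = ('<body><div style="position:absolute; opacity: 0.01">'
          '<iframe src="https://www.facebook.com/plugins/like.php?href=hidden"></iframe></div>'
          '<iframe src="https://www.facebook.com/plugins/like.php?href=visible"></iframe></body>')

print(scan(SAMPLE))
```

Styles applied from stylesheets or by script are not seen by this static pass; those need a check against the rendered page.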
Graham Cluley, senior technology consultant at Sophos, explained that the people behind the attack are simply trying to make money.
"The site is part of the CPALead advertising network, popping up a survey asking for personal information and helping to generate revenue for those behind this scam," Cluley said in a blog post.
It was just last month that the security expert picked up on a similar attack that hit over the second May bank holiday.
A Facebook spokesperson told IT PRO that the social networking giant is constantly working to improve its systems and is building additional protections against this kind of behaviour.
"In recent weeks we've taken action to block a number of URLs associated with malicious content, and we're cleaning up the relatively few cases where these URLs have been posted. Overall, an extremely small percentage of users have been affected by this. As always, we're asking people not to click on suspicious links," the spokesperson added.
User response
Despite Facebook's claims, 95 per cent of respondents to a Sophos poll have said that the social networking firm is not doing enough to stop clickjacking attacks.
"What's clear is that Facebook needs to set up a proper early-warning system to alert users about breaking threats," Cluley added.
"It seems wrong that the only place where Facebook users can read about the latest attacks is on the pages run by security vendors on Facebook, rather than Facebook's own security pages."
Another hijack attack
Sophos has also picked up on another Facebook threat that has enticed over 190,000 people into clicking a link from a rogue application.
Once the link is selected, users are redirected to a page promoting an application claiming to show a video of a teacher assaulting a student.
Those who attempt to follow the instructions to view the video will allow the application to access their profile and repost a spam message on their wall, advertising the ostensibly shocking footage.
Cluley warned that other spam sent from a hijacked account could be designed to spread malware or phish friends' password details.
Those hit by the attack should check their privacy settings and take the application off of their profile, the security guru recommended. He also advised deleting any posts that the application may have placed on users' news feeds.
Tom Brewster is currently an associate editor at Forbes and an award-winning journalist who covers cyber security, surveillance, and privacy. Starting his career at ITPro as a staff writer and working up to a senior staff writer role, Tom has been covering the tech industry for more than ten years and is considered one of the leading journalists in his specialism.
He is a proud alum of the University of Sheffield where he secured an undergraduate degree in English Literature before undertaking a certification from General Assembly in web development.