Facebook Likejacking Attack

Facebook Likejacking attack

It’s been a while since I updated this blog. I’ve been busy in the past year so for now, I’m still finding a time to make one. ^_^

I want to share with you about the likejacking attack on Facebook. Basically, the likejacking is not new. It was publicly disclosed a long time ago maybe a year or so. I noticed that most likejacking attacks are not blocked by Security companies.

First what is likejacking?

Likejacking is a malicious technique of tricking users of a website into posting a Facebook status update for a site they did not intentionally mean to "like."^[1]

The term "likejacking" came from a comment posted by Corey Ballou^[2] in the article How to "Like" Anything on the Web (Safely), which is one of the first documented postings explaining the possibility of malicious activity regarding Facebook's "like" button.^[3]

~According to Wikipedia - http://en.wikipedia.org/wiki/Likejacking

And here is the example that I found today……….

I found the below post from my Facebook news feed.

Figure A

Clicking the link will open a new browser and go to the site miley-respect.info. When I analyzed the site, it contains code that several redirections takes place as below:

http://miley-respect.info -redirects_to- http://www.omg-girl.info/ -redirects_to- http://www.omg-girl.info/ -redirects_to- http://jerrynoob.info/np

Well if we think deeply there are several possible reasons why they are doing this kind of redirection chain.

1. Easy to change the end point of the attack.

2. Not easy to track if you only got the end point or before the end point domain.

3. And there’s much more… haha.

Then after the redirections and as of this writing, it will end up to the site http://jerrynoob.info/np

Below is the screenshot of the site.

Figure B

It is basically spoofing the Youtube. But that’s not it. What the users don’t know is the hidden agenda of this page. It has a hidden iframe that is not seen on the page using the below code:

If you’re not aware of this code, it basically hide the liking page of facebook example it hides the below gui:

Figure C

You will notice that this is not seen on the page (Figure A). The interesting part is the strategy use on how the user will like the page without knowing it. With regards the hidden iframe, it also contains code that the hidden iframe will follow the mouse pointer wherever it goes on the page. With this, since the user is aiming to watch the video, the user will just click the video play image and that makes clicking the hidden facebook like button (Figure C). Below is the code that does the trick on following the mouse pointer.

Moreover, after liking the site without knowing it there will be a new post on your Facebook news feed that you liked the page.

Figure D

In this case, your friends that saw the post that you liked the page may become interested and will do the same thing and get infected. This is like a WORM attack in Facebook that people get infected without their consent.

Well, that’s not all. After liking it there will be a popup of some kind a verification before viewing the video. As below.

Figure E

Well, most of these verifications end up getting your mobile phone number which may lead to a service subscription that charges your mobile account for money and the bad thing about it is it’s hard to unsubscribe which causes loss of money.

Figure F

This mobile subscription is legal, but as you can see, users finding it in a malicious way. So beware!

Another interesting part is after finishing this blog, there are more and more users liking it, yes that's means more and more facebook users are getting infected. As you can see in Figure C, when I started writing, it only has 2,619 likes. And now go on look below:

Figure G

Let see how it goes.

I believe there's more into this attack that myself is missing. Well, as of now, this is all I have.

BTW, If you think you are infected by this FB likejacking and want to remove the Facebook post from your news feed, go to the below URLs and click the Unlike button (Note: if you're not seeing the Unlike button just leave the page and DO NOT CLICK THE LIKE BUTTON):

http://www.facebook.com/plugins/like.php?href=http://miley-respect.info&layout=standard&show_faces=false&width=450&action=like&font=tahoma&colorscheme=light&height=80

http://www.facebook.com/plugins/like.php?href=http://jerrynoob.info/np/&layout=standard&show_faces=false&width=450&action=like&font=tahoma&colorscheme=light&height=80

Thanks for reading. ^_^(BLACK BURN)

©2011, copyright BLACK BURN