This will be fast, if you're not familiar with Facebook likejacking, please see my previous blog about it.
Just now, I found another site which have the facebook likejacking attack. Below is the screenshot of the site as of this writing (Figure A).
Website: http://video.findisuper.com/lol-dieser-frau-kann-man-keinen-wunsch-abschlagen/
Figue A. The Site
Well, the same technique used from my previous blog that contains code to make the hidden iframe follow the mouse pointer Below is the code.
Figure B. Mouse Event
The interesting part is instead of using the Facebook like plugin that is usually used from the previous likejacking attack that I know, in this site, it uses a script from Facebook and a certain Facebook API
Facebook Like Plugin (previously used):
http://www.facebook.com/plugins/like.php?href=
It uses the below code to have a hidden iframe which points to fbLike.html
Figure C. Hidden Iframe
The below code from fbLike.html shows the liking of page GUI in a different way (instead of Facebook Like Plugin). This will be hidden from the site because it is loaded via hidden iframe ( from Figure C).
Figure D. fbLike.html
I believe they are doing this new approach to avoid detection from Security Softwares because basically, the Facebook Like plugin is easy to detect that when it is hidden and added some additional filter, it can be tagged as malicious. But this time, since it doesn't use the Facebook Like plugin, I believe it will not be detected.
Once a facebook user has been attacked by this likejacking, A message on the user's facebook wall will be posted that the user likes the page, example below:
Figure E. User's wall
If you suspect you've been infected by this attack, just go with the below link and click the UNLIKE button (note: If there's no UNLIKE button, DO NOT CLICK THE LIKE BUTTON)
When I started this blog the users that liked the page as below:
Upon finishing the blog, see the below stat:
Thanks for reading. ^_^
Nice post Athan...
ReplyDelete