Friday, March 4, 2011

Facebook Likejacking attack

It’s been a while since I updated this blog. I’ve been busy in the past year, so for now I’m still finding time to write one. ^_^

I want to share with you the likejacking attack on Facebook. Basically, likejacking is not new; it was publicly disclosed a long time ago, maybe a year or so. I noticed that most likejacking attacks are not blocked by security companies.

First what is likejacking?

Likejacking is a malicious technique of tricking users of a website into posting a Facebook status update for a site they did not intentionally mean to "like."[1]

The term "likejacking" came from a comment posted by Corey Ballou[2] in the article How to "Like" Anything on the Web (Safely), which is one of the first documented postings explaining the possibility of malicious activity regarding Facebook's "like" button.[3]

~According to Wikipedia - http://en.wikipedia.org/wiki/Likejacking


And here is the example that I found today.

I found the below post from my Facebook news feed.

Figure A

Clicking the link opens a new browser window and goes to the site miley-respect.info. When I analyzed the site, it contained code that performs several redirections, as below:

http://miley-respect.info -redirects_to- http://www.omg-girl.info/ -redirects_to- http://www.omg-girl.info/ -redirects_to- http://jerrynoob.info/np

Well, if we think about it, there are several possible reasons why they use this kind of redirection chain.

1. It is easy to change the end point of the attack.

2. It is harder to track if you only have the end point, or the domain just before the end point.

3. And there’s much more… haha.

After the redirections, and as of this writing, it ends up at the site http://jerrynoob.info/np

Below is the screenshot of the site.

Figure B

It is basically spoofing YouTube. But that’s not all. What the users don’t see is the hidden agenda of this page: it has a hidden iframe that is not visible on the page, using the below code:


If you’re not familiar with this code, it basically hides the Facebook Like page; for example, it hides the GUI below:

Figure C

You will notice that this is not seen on the page (Figure A). The interesting part is the strategy used to make the user like the page without knowing it. The hidden iframe also comes with code that makes it follow the mouse pointer wherever it goes on the page. Since the user wants to watch the video, the user simply clicks the video play image, and that click lands on the hidden Facebook Like button (Figure C). Below is the code that does the trick of following the mouse pointer.


Moreover, after liking the site without knowing it, there will be a new post on your Facebook news feed saying that you liked the page.

Figure D

In this case, your friends who see the post that you liked the page may become interested, do the same thing, and get infected. This is like a worm attack on Facebook: people get infected without their consent.
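The two traits described above, an invisible iframe loading the Facebook Like plugin and script that keeps that iframe under the mouse pointer, can be checked for in a saved copy of a page. The following Node.js script is an added example and is not code from the original post or from the site it describes. It scans raw HTML for those two indicators and reports the likejacking pattern only when both are present, so an ordinary visible Like button is not flagged. The two sample pages embedded in it are constructed for the demonstration, and the host example.invalid is a placeholder, not a real site.

```javascript
// Added example (not code from the original post): scan saved HTML for the
// likejacking pattern, i.e. a Facebook Like plugin iframe styled invisible
// plus a mousemove handler that repositions it. Runs offline, no dependencies.

// Indicators, each a regex over the raw HTML. A production tool would render
// the page and inspect computed styles; regexes are enough to show the idea.
const LIKE_PLUGIN = /facebook\.com\/plugins\/like\.php/i;
const IFRAME_TAG = /<iframe\b[^>]*>/gi;
const SRC_ATTR = /\bsrc\s*=\s*["']([^"']+)["']/i;
// opacity:0 (but not 0.5 or 0.9), the legacy IE alpha filter, or visibility:hidden
const INVISIBLE_STYLE =
  /opacity\s*:\s*0(?:\.0+)?(?![\d.])|alpha\(\s*opacity\s*=\s*0\s*\)|visibility\s*:\s*hidden/i;
// a mousemove handler that, within a few hundred characters, writes style.left or style.top
const FOLLOWS_POINTER =
  /(?:onmousemove|addEventListener\(\s*["']mousemove["'])[\s\S]{0,400}?\.style\.(?:left|top)\s*=/i;

// Returns the list of indicators found in one HTML document.
function scanForLikejacking(html) {
  const findings = [];
  const likeIframes = (html.match(IFRAME_TAG) || []).filter((t) => LIKE_PLUGIN.test(t));
  for (const tag of likeIframes) {
    const src = (tag.match(SRC_ATTR) || [])[1] || "";
    // the href= query parameter names the page that would be "liked"
    const href = (src.match(/[?&]href=([^&]+)/i) || [])[1];
    findings.push({
      indicator: INVISIBLE_STYLE.test(tag) ? "hidden-like-iframe" : "visible-like-iframe",
      target: href ? decodeURIComponent(href) : null,
    });
  }
  if (likeIframes.length > 0 && FOLLOWS_POINTER.test(html)) {
    findings.push({ indicator: "iframe-follows-pointer", target: null });
  }
  return findings;
}

// Both traits together make the likejacking pattern; a plain, visible Like
// button on a page is normal and must not be reported.
function isLikelyLikejacking(findings) {
  const kinds = new Set(findings.map((f) => f.indicator));
  return kinds.has("hidden-like-iframe") && kinds.has("iframe-follows-pointer");
}

// CONSTRUCTED sample resembling the page described in the post (placeholder host).
const SAMPLE_LIKEJACKING_PAGE = `
<html><body>
<img id="play" src="play.png" alt="video thumbnail">
<iframe id="f" src="http://www.facebook.com/plugins/like.php?href=http%3A%2F%2Fexample.invalid%2Fnp%2F&layout=standard&action=like"
        style="position:absolute; opacity:0; filter:alpha(opacity=0); width:450px; height:80px"></iframe>
<script>
  var f = document.getElementById("f");
  document.onmousemove = function (e) { f.style.left = e.pageX + "px"; f.style.top = e.pageY + "px"; };
</script>
</body></html>`;

// CONSTRUCTED benign sample: an ordinary, visible Like button.
const SAMPLE_BENIGN_PAGE = `
<html><body>
<p>Our blog</p>
<iframe src="http://www.facebook.com/plugins/like.php?href=http%3A%2F%2Fexample.invalid%2F&layout=standard"
        style="border:none; width:450px; height:80px; opacity:0.9"></iframe>
</body></html>`;

function main() {
  for (const [name, html] of [["suspicious", SAMPLE_LIKEJACKING_PAGE], ["benign", SAMPLE_BENIGN_PAGE]]) {
    const findings = scanForLikejacking(html);
    console.log(name, JSON.stringify(findings));
    console.log(name, isLikelyLikejacking(findings) ? "LIKEJACKING PATTERN" : "no likejacking pattern");
  }
}

main();
```

On the constructed suspicious sample the scanner reports a hidden-like-iframe finding with the decoded target URL plus an iframe-follows-pointer finding; the benign sample yields only a visible-like-iframe finding and no alert. Regexes over raw HTML miss styling applied from external stylesheets or computed at runtime, so a production check would render the page and inspect computed styles rather than the markup.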

Well, that’s not all. After liking it, there will be a popup with some kind of verification before viewing the video, as below.

Figure E

Well, most of these verifications end up asking for your mobile phone number, which may lead to a service subscription that charges your mobile account. The bad thing about it is that it’s hard to unsubscribe, which causes loss of money.

Figure F

This mobile subscription is legal, but as you can see, users are being led to it in a malicious way. So beware!

Another interesting part is that after I finished this blog post, more and more users were liking it; yes, that means more and more Facebook users are getting infected. As you can see in Figure C, when I started writing it only had 2,619 likes. Now look below:

Figure G

Let’s see how it goes.

I believe there's more to this attack that I am missing. Well, as of now, this is all I have.

BTW, if you think you are infected by this FB likejacking and want to remove the Facebook post from your news feed, go to the below URLs and click the Unlike button (Note: if you don't see the Unlike button, just leave the page and DO NOT CLICK THE LIKE BUTTON):

http://www.facebook.com/plugins/like.php?href=http://miley-respect.info&layout=standard&show_faces=false&width=450&action=like&font=tahoma&colorscheme=light&height=80

http://www.facebook.com/plugins/like.php?href=http://jerrynoob.info/np/&layout=standard&show_faces=false&width=450&action=like&font=tahoma&colorscheme=light&height=80


Thanks for reading. ^_^


====================================
Update - March 4, 2011 4:58 AM PST
See below: after a couple of hours, more and more FB users were infected.....

====================================
Update - March 4, 2011 4:45 PM PST
See below: again, more and more FB users are getting infected.....
====================================
Update - March 5, 2011 2:45 AM PST
See below: sigh... more and more FB users are getting infected.....
====================================
Update - March 5, 2011 1:18 PM PST
No need to worry about it anymore; the site is now blocked by Facebook.
Thank you for sharing this blog with your friends and for your comments. ^_^


15 comments:

  1. Thanks for the post, it's nice to know what's behind this facejacking crap

  2. Good catch.
    I just shared this post on Facebook :-)
    Maybe it will help to break the chain.

  3. Thanks for the thorough post.

  4. Thank you... I just got likejacked by this and found your blog after looking it up.

  5. Thanks... I just got likejacked by this and found your blog after googling the jerrynoob link.

  6. I shared on FB as well. Hopefully people will catch on.

  7. Posted on Facebook, good job!

  8. Perfect :-)

    Thanks a lot

  9. Wow, thanks for posting this. I got the worm too ... now I'm de-wormed. I linked to this blog post as well. Maybe it will help.

    And BTW? Over 500,000 "likes" to this point. Yuck.

  10. I got jacked this morning and now someone is trying to steal my credit card info but cannot locate the virus/trojan.

  11. If this is really connected to the stealing of credit cards, that's interesting.... this means there's really more to this attack than mobile subscription.

  12. It's back. A friend of mine just "liked" another Miley Cyrus link. Maybe FB blocked it, I don't know. But I'm not going to click it to find out.

  13. Oops. It's not Miley Cyrus, it's Katy Perry. But whatever. Same dodge.