A variety of scams, built around both new and recycled lures, recently made the rounds on Facebook. The newest involved the omnipresent pop star Justin Bieber and used the promise of an exclusive video as its front. Although Facebook has since clamped down on the scams, they did reach some users before they were detected.
The Justin Bieber scam was detailed in a blog post by M86 Security Labs. It involves a Facebook post that states, “I can't believe a GIRL did this because of Justin Bieber.” The post appears on walls and in users' status updates across Facebook, and includes a link to a supposed video featuring Bieber.
If a user clicks the link to the video, they are taken to a page styled to resemble YouTube that says, “Please watch this video only if you are 16 years or older.” Clicking the video may appear to be harmless, but a hidden iframe is layered over the video area. The iframe contains Facebook's “like” control, so clicking anywhere on the video to play it actually results in the user “liking” the video. By liking the video, the user unintentionally posts it to their own wall, which exposes it to their Facebook friends and lets it spread further across the social network.
The scam does not stop at the clickjacking, however. A phony Facebook dialog box then appears, asking the user to complete a survey to verify their age. Instead of verifying anything, the survey is riddled with links to auto insurance sites. Facebook says it has put a stop to the scam, but other variations are still spreading.
The hidden-iframe technique used in the Bieber scam is a clickjacking attack. Clickjacking has been used on Facebook before: it tricks users into clicking on areas of a page that are covered by invisible iframes, so the click lands on a control the user never saw. Scammers latch onto hot topics or products to capitalize on their popularity, hoping to spread their scams to as many victims as possible, and the use of Justin Bieber here is a textbook example.
The Bieber scam was not the only one causing a nuisance for Facebook users. Other scams, some of which have been used before, were detected as well. It is not known if they were clickjacking attacks, but they centered on topics such as free tickets from Southwest Airlines and free iPads. One of the scams used a Miley Cyrus video as bait.
Because clickjacking attacks exploit weaknesses in browsers, Facebook can do only so much to prevent them. The social network does have systems in place to detect compromised accounts, and it blocks or deletes posts and links that are deemed malicious. To protect yourself from clickjacking attacks, avoid clicking on suspicious links.
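A clickjacking overlay like the one described above only works if the page carrying the real button agrees to be rendered inside a frame on the scammer's site. Browsers let a site refuse that via the X-Frame-Options header or the CSP frame-ancestors directive; the example below, added here and not taken from the original article or from Facebook, audits a response's headers for that protection and flags the common misconfigurations. All header values in it are constructed for illustration.

```javascript
// Added example: audit HTTP response headers for anti-clickjacking protection.
// Constructed header values only; nothing here is fetched from a real site.

// Parse a Content-Security-Policy header into a Map of directive -> tokens.
function parseCsp(value) {
  const directives = new Map();
  for (const part of value.split(";")) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    // Browsers honour only the first occurrence of a directive.
    if (!directives.has(name)) directives.set(name, tokens.slice(1));
  }
  return directives;
}

// Returns { protected, reason }. When frame-ancestors is present it takes
// precedence over X-Frame-Options, so it is evaluated first. A Report-Only
// CSP header never blocks rendering and is deliberately not counted.
function auditFramingProtection(headers) {
  const h = {};
  for (const [k, v] of Object.entries(headers)) h[k.toLowerCase()] = String(v);

  if (h["content-security-policy"]) {
    const ancestors = parseCsp(h["content-security-policy"]).get("frame-ancestors");
    if (ancestors) {
      // "*" or a bare scheme such as "https:" lets any site frame the page.
      const open = ancestors.some((t) => t === "*" || /^https?:$/i.test(t));
      return open
        ? { protected: false, reason: "frame-ancestors allows any origin" }
        : { protected: true, reason: `frame-ancestors ${ancestors.join(" ")}` };
    }
  }

  const xfo = h["x-frame-options"];
  if (!xfo) return { protected: false, reason: "no X-Frame-Options or frame-ancestors" };
  // Several differing values (e.g. two headers merged) is a misconfiguration;
  // treat it as unprotected so that it gets fixed rather than relied upon.
  const values = [...new Set(xfo.split(",").map((t) => t.trim().toUpperCase()))];
  if (values.length !== 1) return { protected: false, reason: "conflicting X-Frame-Options values" };
  if (values[0] === "DENY" || values[0] === "SAMEORIGIN") return { protected: true, reason: `X-Frame-Options ${values[0]}` };
  // ALLOW-FROM is obsolete and unsupported by current browsers; anything else is a typo.
  return { protected: false, reason: `unsupported X-Frame-Options value: ${xfo}` };
}

// Constructed sample responses: weak settings beside hardened ones.
const SAMPLES = {
  unprotected: { "Content-Type": "text/html" },
  xfoDeny: { "X-Frame-Options": "DENY" },
  cspNone: { "Content-Security-Policy": "default-src 'self'; frame-ancestors 'none'" },
  cspWildcardBeatsXfo: { "X-Frame-Options": "DENY", "Content-Security-Policy": "frame-ancestors *" },
  reportOnly: { "Content-Security-Policy-Report-Only": "frame-ancestors 'none'" },
};
```

Run `auditFramingProtection` over a site's real response headers to see which pages could still be framed; the `cspWildcardBeatsXfo` sample shows why a permissive frame-ancestors silently undoes an X-Frame-Options: DENY.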
For more on this topic, visit http://news.cnet.com/8301-27080_3-20037827-245.html?tag=mncol;txt.
More By wubayou