Facebook Clickjacking

Hello folks,

I didn’t  imagine someone on *my* friends list will succumb to this attack, but apparently someone did… The URL is http://www.facebook.remove$me.com/pages/br-mhtwknyt-sms-zwkrym-qblw-yk-hw-nyrh-hywm/155174351168661

To fall for the attack, if you can’t read Hebrew – click on the right-most box in the page, then click on the big purple box with the green writing. You will notice a page with instructions, that translates to: “Dear viewer, due to the high number of hits we must make sure you’re human. Press the blue button, then the green then orange and finally red”. If you look at the lower left side, in characters 8px high, it has a disclaimer saying that by clicking on these buttons you allow the site to “like” in your behalf and publish in your profile. Completing the picture is the Facebook logo making the whole affair somewhat official. Nice social engineering job.
Firefox’s NoScript plugin successfully prevents the attack from taking place and also reveals the hidden UI underneath. The first button hides a “Like” button,  so the attack is self-perpetuating. Does that make it a worm? On one hand, it does self-perpetuate with the aid of the unsuspecting user (much like the user-assisted email worms). On the other hand, it doesn’t copy itself (the payload), so deleting it in one location will render the entire infection void.

Another, more interesting question is the follow-the-money question: Why would the attacker follow through with this attack? What is the incentive? The target link seems to be an SEO created website, so the incentive seems to be higher ranking and therefore higher revenue.

– Arik