Social engineering in progress: An interesting post of a friend pops up on your wall and you become curious, you click, you become a victim - and that’s how it works, the so called “likejacking”.
An infected profile looks like this:
The interesting topic of this example tries to lure users into “likejacking” by propagating the following: “After seeing this, you’re not going to drink Coke anymore” (translated from Spanish). There have been other attracting sentences before.
Overview: what happens when?
- Someone clicks on the link on a friend's Facebook wall
- The opened page orders the user to "click here to see"
- If the user clicks (anywhere on that page), he/she is redirected to smileycentral.com AND
- The visited page appears on the user's wall as well, to lure many more
A closer look at the details:
As soon as someone clicks the link in Facebook, a new page loads, which barely shows any content.
Dissecting the source code reveals that it does not matter where you click next, every click will activate the embedded iframe and will automatically forward you to a new page AND, more importantly, will send a back message to Facebook, saying that you “like” the page you just visited and show this information on your wall to lure the next victims.
The html code of this site includes everything a simple “like” button needs, as Facebook describes it - The respective iframe and the meta data for the feedback:
Our systems did not register malicious drive-by-download during the process, but we insist that you do not install the software offered on the target page. It is bundled with the adware MyWebSearch toolbar which is pretty tough to remove from a system again. One specification of this software is pop-up advertisement.
Who is infected?
A Google search for the sentence “Después de ver esto, no beberas coca-cola nunca mas” results in over 100 pages with victims who have this unwanted insertion on their page and offer a public profile with information about their “likes”:
Furthermore, a simple search in Facebook itself shows that there are other pages of exactly the same kind – and it shows an even higher number of people who most probably “like” the page involuntarily and spread the word about it. And the number is rising…
Customers using the G Data generation 2011 products are protected against this case of “likejacking”. Nevertheless… these websites spring up like mushrooms and every internet user should be aware that many of these funny and inviting posts that stir your attention involves a potential risk! So watch your click!!!
You were curious and clicked it?
Here’s what you can do to get rid of the page on your wall and delete it from your profile:
- Click on the
button - it appears when you move your mouse over to the right side of the entry on your wall. - Go to
in the upper right corner of the page, select “Edit friends” and then find “Pages” as a sub item of “Lists” in the lower menu on the left page. Here, you just have to click the “X” on the right side of the page you want to remove.