Thursday, 17 March 2011

The Problem of "Likejacking"

While searching for information about Facebook, I came across this interesting term: likejacking. It is a blend of "like" and "clickjacking". Since I was curious what clickjacking was, here is a definition:

“Clickjacking, also known as a "UI redress attack", is when an attacker uses multiple transparent or opaque layers to trick a user into clicking on a button or link on another page when they were intending to click on the top level page. Thus, the attacker is "hijacking" clicks meant for their page and routing them to another page, most likely owned by another application, domain, or both.” (By OWASP)

As I understand it, likejacking works like this: using a transparent layer, the Like button is made invisible and positioned over another element on the page, so when you click on the content you actually wanted, you unwittingly "like" the site, and Facebook shares that with your friends through the News Feed and your Wall.

Or as Sarah Perez (2010) puts it:
“Security researchers are warning of the newest Facebook threat, something they're calling "likejacking," a Facebook-enabled clickjacking attack that tricks users into clicking links that mark the clicked site as one of your Facebook "likes." These likes then show up on your profile and, of course, in your Facebook News Feed where your friends can see the link and click it, allowing the vicious, viral cycle to continue.”

She also warns of the malicious software embedded in the site:
“After clicking through on a link, victims don't get to see the promised content, but rather a blank page reading "click here to continue." This page contains the clickjacking worm (Troj/Iframe-ET) embedded via an invisible link. Click anywhere on the page and the message is posted to your profile and News Feed, allowing the worm to further its spread.” (Perez, 2010)
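A defender-side check for the overlay described above (and for the "click here to continue" page in Perez's account), as an added example that is not part of the original post: a small Python scanner that flags Like-plugin iframes whose inline style makes them transparent and positioned over other content. It assumes the Like button is embedded as an iframe pointing at facebook.com/plugins/like.php, and the sample page is constructed.

```python
from html.parser import HTMLParser

# Assumption (not from the post): the Like button is embedded as an <iframe>
# whose src points at facebook.com/plugins/like.php.
LIKE_PLUGIN_MARKERS = ("facebook.com/plugins/like",)

def _parse_style(style):
    """Turn 'opacity:0; position:absolute' into a lowercase dict."""
    out = {}
    for decl in style.split(";"):
        if ":" in decl:
            key, value = decl.split(":", 1)
            out[key.strip().lower()] = value.strip().lower()
    return out

def is_invisible_overlay(style):
    """True when an inline style makes an element both transparent and floating."""
    s = _parse_style(style)
    try:
        transparent = float(s.get("opacity", "1")) < 0.1
    except ValueError:
        transparent = False
    return transparent and s.get("position") in ("absolute", "fixed")

class _LikeFrameFinder(HTMLParser):
    def __init__(self):
        super().__init__()
        self.findings = []  # src of every Like iframe styled as a hidden overlay

    def handle_starttag(self, tag, attrs):
        if tag != "iframe":
            return
        a = {k: (v or "") for k, v in attrs}
        src = a.get("src", "").lower()
        if any(m in src for m in LIKE_PLUGIN_MARKERS) and is_invisible_overlay(a.get("style", "")):
            self.findings.append(src)

def find_likejacking_frames(html):
    """Return the src of each Like iframe that is transparent and positioned over content."""
    finder = _LikeFrameFinder()
    finder.feed(html)
    return finder.findings

# Constructed sample page: one visible Like button (legitimate) and one
# transparent Like button floated over a "click here to continue" link.
SAMPLE_PAGE = """<html><body>
<iframe src="https://www.facebook.com/plugins/like.php?href=example.org" style="border:none; width:90px"></iframe>
<a href="#" id="bait">click here to continue</a>
<iframe src="https://www.facebook.com/plugins/like.php?href=scam.example" style="opacity:0; position:absolute; top:120px; left:40px; z-index:9999"></iframe>
</body></html>"""
```

Calling `find_likejacking_frames(SAMPLE_PAGE)` returns only the transparent, absolutely positioned Like iframe; the visible one is left alone.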

The lures used to trick the unsuspecting internet user vary, from entertaining topics such as:
"LOL This girl gets OWNED after a POLICE OFFICER reads her STATUS MESSAGE."
"This man takes a picture of himself EVERYDAY for 8 YEARS!!"
"The Prom Dress That Got This Girl Suspended From School."

(examples by Perez and Jackson)

to tragic events like the Indonesian tsunami in 2004, the death of Michael Jackson and the recent events in Japan.

The problem with likejacking is that Facebook gives it a tremendous opportunity to spread fast. Jackson (2011) puts it like this:
“Scams like this used to be called clickjacking, but Facebook has made it a lot easier for these little tricks to go viral, spreading to hundreds of thousands of users within a matter of minutes. Because the site, which now has more than 600 million active users, has changed the game for scammers by providing such scale, the term has been modified to Likejacking when it applies to Facebook.”

The other problem is the abuse of personal information, either stored on Facebook or handed, unaware of the threat, to the scammer/"hijacker" via a survey one is asked to fill in in order to see the promised content (Jackson; Halsey).

What you can do about it is quite simple: once you realise you have been scammed, delete the like and the News Feed entry from your Facebook profile and possibly apologise to your friends. And, as Jackson advises, if your phone number is posted on Facebook, keep an eye on your bill, just in case.

If we set aside the ethical question of exploiting tragic events for such scams and focus instead on the privacy and personal data abuse one can suffer through malicious software on the internet, we can conclude that not enough emphasis is put on the dangers one faces on seemingly innocent social community sites like Facebook.

People are constantly instructed not to talk to strangers, to check ATMs before they use them, not to give out their personal data or even credit card data over the phone, and to lock the doors and possibly bolt them as well.
But then in the secure environment of our living rooms we open a window to the scammers that await us on the internet.

I don't want to sound paranoid, so maybe it would be best to stop right here. I'm not aware of any school programmes that would instruct minors on what information they should share with their friends online. And obviously no one is troubled by the fact that, even though Facebook demands that its users are at least 13 years old, many children lie about their age just to be part of the "society".
What are your thoughts on the matter?

Sources:
OWASP (2011) “Clickjacking”
at: http://www.owasp.org/index.php/Clickjacking
Jackson, Nicholas (14.3.2011) “FouTube and Other Viral Likejacking Facebook Scams”
at: http://www.theatlantic.com/technology/archive/2011/03/foutube-and-other-viral-likejacking-facebook-scams/72426/
Perez, Sarah (1.6.2010) “‘Likejacking’ Takes Off on Facebook”
at: http://www.readwriteweb.com/archives/likejacking_takes_off_on_facebook.php
Constantin, Lucian (14.3.2011) “Facebook Likejacking Scams Lure Users with Japanese Tsunami Videos”
at: http://news.softpedia.com/news/Facebook-Likejacking-Scams-Lure-Users-with-Japanese-Tsunami-Video-189204.shtml
Halsey, Mike (2011) “Facebook users become the latest victims of the Japanese Tsunami”
at: http://www.ghacks.net/2011/03/14/facebook-users-become-the-latest-victims-of-the-japanese-tsunami/

1 comment:

  1. I totally agree with you and I share your concerns. These kinds of scams are very widespread on the Internet and especially on Facebook and similar sites, where they spread even faster. I do not have any “clever” solution of course, but I think that users should be especially careful with the personal information they post on Facebook and other SNSs. As for minors and their lying about their age so that they can create a Facebook account … it’s not just this likejacking that is problematic, it’s everything …
