symantec logo Symantec Releases Online Advisory On Facebook Click Jacking

Facebook may be a great tool to keep up with friends and network with other like-minded people around the world, but even such tools can turn into cybersecurity nightmares when server-side flaws are found and exploited upon. In light of the recent scam campaigns launched against innocent users, Symantec has released an advisory on how users can keep themselves safe from such attacks.

symantec logo Symantec Releases Online Advisory On Facebook Click Jacking

In the eyes of cybercriminals, Facebook has become an attractive “fishing pool” with an ever increasing base of potential victims that could easily fall for much of the scattered bait. So, it comes as no surprise that we see new scam campaigns launched nearly every week.

An example of the latest in this spate of ongoing scams is in reference to a person that was apparently seeking to take revenge on his ex-girlfriend and took it just too far. The enticing message that has appeared on many profile pages is similar to the following:

“OMG This GUY Went A Little To Far WITH His Revenge On His EX Girlfriend”

scam1 Symantec Releases Online Advisory On Facebook Click Jacking

What it is:

This is what is known as a typical “click jacking” attack that Symantec has observed earlier in this year in June (http://www.symantec.com/connect/blogs/clickjack-baddie-whack). Unfortunately, this type of attack still works, as the increasing number of victims proves.

How it works:

In this particular case, the remote site hosted four more scams targeting Facebook, each with different themes. The iframe loads an Uncle Sam image from a free image-hosting site and then asks the user to click on some part of the image. However, what the user doesn’t see is that the attacker has also loaded a Facebook site, but has modified it to be invisible.

The hidden page that is loaded is the Facebook “Like button” page, which is conveniently placed under the mouse pointer of the user. Hence, when the user clicks on the colored bars of the image, he or she is actually clicking on the invisible ‘Like’ button and consequently shares the attacker’s link with all of his or her friends on Facebook. In other instances this same scam has been attempted with an invisible “Share” button.

scam2 Symantec Releases Online Advisory On Facebook Click Jacking
Once a user has “liked” the scam page, the attackers are free to send update messages to their unwitting admirer which unbeknownst to them enables the scam to spread like wildfire across the social network.

Symantec advises consumers to:

· Always be wary of enticing messages, even when they appear on friends’ profiles – when you are asked to install additional applications or fill out premium surveys just to see a video or picture, it is most likely a scam and it should be fully ignored

· Set privacy options at the highest levels – Use your site’s privacy features to limit personal posts to people you know and trust. Don’t add people to your trusted list unless you are sure of their identity.

· Maintain an up-to-date browser and operating system – updated versions with the most advanced security software, such as Norton Internet Security 2011 can be vital in simple prevention. Check out web safety services such as Norton Safe Web where a community of web users collaborates to report dangerous phishing and malware sites.

· Be cautious of what you click on: Exercise caution when clicking on links from unknown senders. Always maintain a level of awareness and caution around any messages from within a website or that appear to be sent by a website – check the URL. And when clicking over to Facebook (or any site) make a habit of looking at what appears in the address line.

· Stay informed regularly: For more information on cybercrime and how to protect yourself, visit www.everyclickmatters.com