Archive for May 2010

Can I get clickjacked on Facebook?

May 31, 2010

There has been some recent discussion and confusion about whether it is possible to get clickjacked while on a Facebook page. A lot of this comes from a misunderstanding of Facebook’s individual functions and which pages/applications are actually on Fb.

Some rumors state that you can get a worm by “liking” a group with a clickjacked link.

Although I can’t say that this is completely impossible, it does seem a little unlikely to me. Facebook has been hit with at least four clickjacking attacks this month, but I’m not aware of any that have actually occurred with a group’s “like” button. More often than not, the clickjacks come from links that lead users away from Facebook. The problem seems to be that a lot of people don’t know where Facebook ends and other sites begin.

This isn’t to say that everything on Fb is safe. That’s certainly not true. Social networking is an easy way for hackers to spread viruses and clickjack attacks, so they’ve used their resources to develop new methods that take advantage of even the smallest security weaknesses on web sites like Facebook and Myspace.

By and large, though, Fb has been very responsive to links that send members to clickjacked pages.

Facebook also uses framebusting techniques that should make it very difficult for someone to clickjack one of the company’s own pages. Again, it’s not necessarily impossible. But I do think that it’s pretty unlikely despite some reports that have been going around IT security sites today.

New Facebook Clickjacking Worm

May 31, 2010

A lot of times clickjacking relies on social engineering techniques. Social engineering basically means tricking someone into giving up information or taking an action.

Facebook has recently been hit with a pervasive clickjacking worm that uses social engineering to tempt users into clicking on the malicious link.

Some sources have reported that thousands of people have been infected with the Fb worm. One of the reasons that so many have been affected is that the worm uses a variety of social engineering tricks to convince Facebook members to follow a link.

For instance, curious men were tempted with statements like "This Girl Has An Interesting Way Of Eating A Banana, Check It Out!" Other posts included statements such as "LOL This girl gets OWNED after a POLICE OFFICER reads her STATUS MESSAGE;" "The Prom Dress That Got This Girl Suspended From School;" and "This man takes a picture of himself EVERYDAY for 8 YEARS!!"

If you followed the link, then you found a page that said “Click here to continue.” Savvy users probably decided that they had gone far enough. Those with less internet security experience, however, often clicked the page, which unleashed a worm.

Given that it was the holiday weekend, the clickjack could have also caused problems for lots of people who are usually careful about what they do online, but were simply too intoxicated to follow their usual inhibitions.

Learn to clickjack

May 30, 2010

I don’t advocate clickjacking. It’s a malicious hack that has caused lots of problems for individuals and organizations. As far as I’m concerned, if you can’t find an honest way to make money with the internet, then there’s something very, very wrong with you. With all of the market affiliate opportunities available online, it’s just dumb for crooks to concentrate on clickjacking.

And yet they do. So while I don’t advocate clickjacking, I do advocate education.

One of the best ways for you to learn how to avoid clickjacking attacks is to learn how they work.

Clickjacking hasn’t been around for very long, especially not when compared to viruses, which have been around nearly since someone figured out how to make two computers communicate with each other. Most of the standard techniques, however, are pretty easy to learn. Web browsers and sites have a problem avoiding clickjacks because of the way that the entire internet is designed. It’s not like the clickjackers are just so good that no one understands their methods.

If you’re pretty computer savvy, then you can learn about basic clickjacking techniques at this Packet Storm Security page.

If you’ve ever worked with JavaScript, then this information will be easy for you to follow. A lot of people could even fake their way through this without formal training in any computer language. It’s not tough. It’s just hard to beat.

Facebook clickjacking worm

May 26, 2010

Internet security specialists have identified a new clickjacking attack that targets Facebook users. Luckily, the attack does not seem to cause any harm to the user or her computer.

The current threat is being spread through a page that looks like it contains an error page. Unknown to the user, though, an invisible frame installs a worm whenever the page is clicked. Unlike some clickjacking attacks, it seems that clicking anywhere on the page will execute the attack because the hidden button follows the cursor. In most previous attacks, invisible buttons have been hidden in specific locations, thereby making it important for the page to control user activity and encourage them to click on the right spots.

Facebook and other social networking sites make it easy for clickjackers to spread their attacks. This current attack causes the user’s Facebook account to post the following message: ‘Try not to laugh xD http://www.fbhole. com/omg/allow.php?s=a &r=[random number]’.

When this message is posted to the user’s wall, all members who are connected to that person are encouraged to follow the link. The link, however, does not lead to a funny video as suggested by the post. Instead it leads to an error message with a hidden clickjack button.

So far this worm does not seem to have any negative effects. It simply replicates itself by posting the message on the infected person’s Facebook wall.

Other clickjacking attacks, however, have been known to steal private information and install dangerous viruses.

Clickjacking without the click

May 25, 2010

Demonstrations debuted at this year’s Black Hat Europe conference in Barcelona, Spain have revealed that clickjacking techniques don’t necessarily have to rely on mouse clicks to trick victims into participating in unknown activities. Instead, new clickjacking attacks focus on Java’s drag and drop capabilities. This allows clickjack attackers to steal information from text forms.

Even though these new clickjacking techniques don’t rely on mouse clicks, they still use invisible iFrames to trick internet users. In these instances, however, the invisible frames are placed on top of blank text forms. When a user fills out the form, they are contributing information unknowingly in another frame that they cannot see.

Drag and drop functions even make it possible for clickjacking attacks to steal information from entire sessions, not just individual forms. This presents a serious information security threat to both individuals and organizations who have private passwords, account numbers, and other bits of information that could help criminals commit theft or fraud.

Most recently updated web browsers can refuse to display a page inside an invisible frame, but they rely on the website sending the X-FRAME-OPTIONS: DENY response header. Websites that don’t send this header, therefore, don’t offer protection from next generation clickjacking attacks.

Large sites like Facebook and Myspace have committed themselves to including frame busting tags and other security techniques to protect users. The mobile versions of these sites, however, do not usually offer as much protection as the Web versions, so users should be careful when using mobile devices to access their accounts.
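As an added example (not from the original post), here is one way a site owner could check whether each version of a site sends the anti-framing header described above. It also recognises the later Content-Security-Policy frame-ancestors directive, which goes beyond what the post covers; the function names and the header sets labelled desktop, mobile and widget are constructed for illustration.

```javascript
// Constructed example: classify how a response restricts being framed.
// HTTP header names are case-insensitive, so normalise them first.
function lowerKeys(headers) {
  const out = {};
  for (const [k, v] of Object.entries(headers)) out[k.toLowerCase()] = String(v);
  return out;
}

// Return the frame-ancestors source list from a CSP value, or null if absent.
function frameAncestors(csp) {
  for (const directive of csp.split(';')) {
    const parts = directive.trim().toLowerCase().split(/\s+/);
    if (parts[0] === 'frame-ancestors') return parts.slice(1);
  }
  return null;
}

// Result: 'blocked', 'same-origin', 'restricted' (allow-list) or 'unprotected'.
function framingPolicy(headers) {
  const h = lowerKeys(headers);
  const fa = frameAncestors(h['content-security-policy'] || '');
  if (fa !== null) {
    // Browsers that support frame-ancestors use it in preference to X-Frame-Options.
    if (fa.length === 0 || (fa.length === 1 && fa[0] === "'none'")) return 'blocked';
    if (fa.includes('*')) return 'unprotected';
    if (fa.length === 1 && fa[0] === "'self'") return 'same-origin';
    return 'restricted';
  }
  const xfo = (h['x-frame-options'] || '').trim().toUpperCase();
  if (xfo === 'DENY') return 'blocked';
  if (xfo === 'SAMEORIGIN') return 'same-origin';
  // Missing, misspelled or obsolete values (ALLOW-FROM) are treated as no protection.
  return 'unprotected';
}

// Constructed sample responses, not captured traffic.
const samples = {
  desktop: { 'X-FRAME-OPTIONS': 'DENY' },
  mobile: { 'Content-Type': 'text/html' },
  widget: { 'Content-Security-Policy': 'frame-ancestors https://partner.example' },
};

function audit(sites) {
  const report = {};
  for (const [name, headers] of Object.entries(sites)) report[name] = framingPolicy(headers);
  return report;
}
console.log(audit(samples));
```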

You can read a summary of Paul Stone’s Next Generation Clickjacking demo at blackhat.com.

Hack got hacked

May 24, 2010

Plenty of internet security specialists are interested in the logic and mechanics behind security. It’s not always so much about protecting users as it is about finding an honest way to make money by playing around with complicated software. If they didn’t have jobs as security experts, then they would probably be making viruses and clickjacking techniques that allow them to take control of other computers. More often than not, it’s about the puzzle.

Here’s a blog that’s a good example of someone using their brain to figure out a clickjack just because they want a better understanding of how it works: Malicious camera spying using Clickjack. At least, that’s my interpretation of the article.

In this blog post, someone with a very good mind for security takes apart Adobe Flash Player to figure out how it could be used to spy on unsuspecting computer users.

Once upon a time there was a demo for this clickjacking technique. It isn’t available anymore, but you can watch this YouTube video to see how the demo worked. I’ve embedded the video below. This is a bare-bones version of the attack that probably wouldn’t lure in many victims. Consider how much more effective it would be, though, if the clickjack game used fun icons instead of a button that says “click.” I immediately think of an online whack-a-mole game.

As someone who is interested in internet and computer security, I really like that the author takes the time to explain his initial approach to the clickjacking attack, how it didn’t work, and how he reworked the solution. If you’re not a tech nerd, then don’t bother. If you are, though, then it’s an interesting piece that you should read.

Don’t believe the hype

May 21, 2010

While browsing forums I often encounter statements from people spreading false information, often unintentionally, about clickjacking and other computer security issues. Here is a forum post that I ran into the other day:

I became aware of another internet security problem, today. It is called “clickjacking” and I don’t really understand what it is, but security experts are using the term “very scary” to describe it. Clickjacking is considered to be a “zero day” defect, which I think means it is already out in the wild doing damage at the time the security researchers discover it.

Fortunately, I also discovered a way to protect 100% against this threat. It is to use the Firefox browser with the Noscript extension installed and an option selected in the Noscript add-on called “Plugins|Forbid <IFRAME>”. The Noscript extension has been highly recommended for several years, but today was my initial installation of it.

Since I am upfront in saying I have little understanding of any of this mess, I don’t expect anyone to take my word on it. But I do strongly recommend doing your own research on it and I think you may take the same defensive actions as I have. Search on terms such as “clickjack” and “noscript”.

The person who wrote this is correct in some ways, but painfully wrong in others.

Yes, clickjacking attacks are currently out there in the wild. The proofs of concept that you find online are just a tiny tip of a big iceberg. An iceberg that’s heading right towards your fragile boat. The truth is that there are countless sites that intentionally try to trick users into clicking on false links. Even some popular sites have pages where clickjacking could cause serious problems.

The poster, however, is dead wrong when he states that he’s “discovered a way to protect 100% against this threat.” How do I know? Mostly because he admits that he doesn’t know much about the issue. And also because even security specialists haven’t been able to create a foolproof protection. Even the Firefox/NoScript combo, which I use, doesn’t offer complete protection. Security specialists continue to find new ways to get around Java blocking and frame-busting techniques.

I’m not pointing out the writer’s mistake to be mean. He’s not a security specialist, so he probably doesn’t even know how little he knows about the subject. It is important, though, to point out these fallacies. If you believe that you’re protected, then you’ll act like you’re protected. This delusion won’t do you any favors in the long run. The next clickjack attack could be on the next page. I think that you should be prepared for that possibility.