Archive for July 2010

What Problems Could Likejack Attacks Potentially Cause

July 13, 2010

Even though likejacking (a type of clickjack attack that uses Facebook’s “like” option to spread malware) has become a popular topic, many people are still using Fb as if the problem doesn’t actually exist. To some extent, it’s kind of hard to blame them. After all, I’ll be the first, but hardly the only, person to tell you that it’s really difficult to create a browser plug-in that will detect and prevent every single clickjack.

Those who are leaving it up to fate also point out that likejacks haven’t really caused too many problems. More so than anything, they’ve just been annoying wall posts that tick you off. That’s hardly worse than a prank that some 12-year-old kid down the street might pull. It’s similar to posting an offensive sign in your yard. Yeah, it pisses you off, but you’re not going to call the cops about it.

I understand this position, but I think that it’s very dangerous. I want to point out that likejack attacks haven’t caused any significant problems SO FAR. That does not in any way, though, mean that they will continue in this way. It would be so easy for someone to alter these attacks for nefarious purposes. They could infect your computer with keylogging software that steals your passwords; viruses that gather personal information that hackers can use to steal your identity; and a host of other invasive software that will, at the very least, slow down your computer and eat up your broadband connection.

The fact is that these attacks could become very serious. I don’t want to sound like I’m constantly screaming the same thing over and over, but we’ve gotten lucky so far. And that luck can’t hold out forever. Give it time and a likejack will cause serious problems. Maybe that’s what it will take for Facebook to get serious about finding a solution.


Facebook Members Respond to Likejacking

July 13, 2010

Every Facebook user should be on the lookout for likejack attacks. What kind of effect does that have on members’ perception of the social network giant’s security measures? Not surprisingly, they’re not too happy. In fact, according to an online poll conducted by Sophos, 95 percent of Facebook’s users think that Facebook isn’t doing enough to protect them from clickjack worms.

So far, there haven’t been any serious effects from the likejacks. Mostly just a lot of annoying messages spread through Fb walls.

Likejacking is potentially a serious problem, but let’s not get too serious about the Sophos poll. Realistically, 95 percent of Facebook users don’t even know about likejacking, despite news being all over the place. The truth is that it’s a lot easier to spread likejacks than it is to educate people about how they work. The Sophos poll, after all, only got responses from 600 people. That’s a pretty small sample, especially when one considers that Facebook has more than 14 million members.

Chances are that the 600 people who responded to the poll are significantly more knowledgeable about internet security risks. Sophos has a Facebook page that provides updates about such risks. The people who responded to the poll were probably members of that group, which means they have more information than the average Fb user.

This isn’t to say, however, that Facebook users are fine with the current level of security. It’s just that the number of dissatisfied members is probably much lower than 95 percent.

Recognizing Likejacks

July 12, 2010

Likejacking has gotten a lot of attention lately. Not only from internet security blogs like this one, but also from major news outlets. When it comes to likejacked links on Facebook, there are plenty of things to worry about. These links could harbor malicious code that will install keyloggers, adware, viruses, and other types of malware. The worst case scenario is that a hacker will get the information needed to steal your identity and run up huge debts in your name. That could take you years and thousands of dollars to correct. Most of the recent likejack cases, however, don’t have such extreme effects. They’re annoying, but that’s about it. Of course, you never know what a likejacked link is going to do, so potentially every single one is the most dangerous on the internet.

So, how do you protect yourself from likejack attacks? There are some plug-ins like NoScript that can help you identify clickjacked links, but currently the best way is simply to pay attention to what you’re doing online. You’ll notice that when your mouse cursor hovers above a Facebook link (or any link for that matter), the target URL pops up at the bottom of your browser. This tells you where the link goes. If the link is directed at a web page that begins with “,” then you can be almost 100 percent certain that it is safe. If the link goes elsewhere and takes you away from Facebook, then you could be heading into a trap. Pay close attention and make sure that you only follow links that you know are safe. Otherwise, you could accidentally infect your computer with malicious software.
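The hover-URL check above is worth doing on the parsed host name rather than on a raw string prefix, because a "starts with the Facebook address" test is fooled by look-alike hosts and by user-info tricks. The following is an added example, not code from the original post; it assumes the trusted site is facebook.com and that relative links resolve against a Facebook page.

```javascript
// Added example, not code from the original post: apply the hover-URL check
// on the parsed host name instead of a raw string prefix. A prefix test such as
// "starts with http://www.facebook.com" is fooled by look-alike hosts like
// www.facebook.com.attacker.test and by user-info tricks like
// http://www.facebook.com@attacker.test/, so we let the URL parser decide.
// Assumption: the site being used is facebook.com (constructed trusted list).
const TRUSTED_HOSTS = ["facebook.com"];

// Base used to resolve relative links, as a browser does on a Facebook page (assumption).
const PAGE_BASE = "https://www.facebook.com/";

// Returns the lower-cased host a link actually points at, or null when the link
// is not an http(s) URL (javascript:, data:, mailto:, unparsable input).
function destinationHost(link, base = PAGE_BASE) {
  let url;
  try {
    url = new URL(link, base);
  } catch (e) {
    return null;
  }
  if (url.protocol !== "http:" && url.protocol !== "https:") return null;
  return url.hostname.toLowerCase();
}

// A host is trusted only if it is a trusted domain or a subdomain of one.
function isTrustedHost(host, trusted = TRUSTED_HOSTS) {
  if (host === null) return false;
  return trusted.some((t) => host === t || host.endsWith("." + t));
}

// Classify every link found on a page; "off-site" links are the ones the post
// says to treat with suspicion.
function auditLinks(links) {
  return links.map((link) => {
    const host = destinationHost(link);
    return { link, host, verdict: isTrustedHost(host) ? "on-site" : "off-site" };
  });
}

// Constructed sample links (not taken from any real attack).
const SAMPLE_LINKS = [
  "/profile.php?id=12345",                           // relative: stays on-site
  "https://www.facebook.com/pages/example",          // on-site
  "http://www.facebook.com.attacker.test/free-gift", // look-alike host: off-site
  "http://www.facebook.com@attacker.test/like",      // user-info trick: off-site
  "//attacker.test/bieber-story",                    // scheme-relative: off-site
  "javascript:void(0)",                              // not http(s): off-site
];

console.log(auditLinks(SAMPLE_LINKS));
```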

Plus, likejacks spread quickly throughout social networks, so you could be encouraging your friends to fall for the same trick.

Likejack Blame Starts to Fall on Facebook

July 8, 2010

Clickjacking has been a problem for a few years now. No one has been able to create a foolproof way to prevent the attacks from happening, but there has been some progress that makes clickjacking techniques harder to implement. Stopping clickjack attacks would be a lot easier if there was an overarching structure to the internet that allowed someone to set security standards.

That’s not to suggest that some agency should take over the whole internet. (An impossibility. The best someone could do is hold access hostage.)

Social networking sites, however, do have the ability to control what occurs on their pages. That’s one of the reasons that Facebook is starting to take a serious amount of heat for the persistent likejacking problem that makes it easy for hackers to spread viruses to millions of people.

Likejacking first drew attention in May. For a while, everyone gave Facebook some leeway to figure out a good solution to the problem. Two months later, though, Facebook hasn’t made any real strides towards finding a real solution. Sure, they’ve identified a couple of problematic links, shut them down, and claim some minor victories, but those accomplishments are like sopping up a puddle and saying that the flood has been beaten.

I’m usually the first person to defend popular websites. They attract a lot of hackers, so they necessarily have more problems with them. Even I, however, am starting to get sick of this game. How long should it take a company with resources like Facebook to figure out a solution to this problem? Hey, Facebook Team, you want a suggestion? Include an authorization that alerts Facebook members of every “like.” All it has to do is pop up and say, “do you want to like this?” This would add another layer of security, making it much more difficult for hackers to use clickjack attacks.

Facebook could also monitor the number of rejected likes. That way the security team could spot potential likejack attacks by the large number of rejections.

Sure, that would be slightly inconvenient for some Facebook members, but it would provide an overall benefit that makes the service better. It’s a worthwhile trade. If nothing else, it buys you more time to create a real security measure that prevents likejacks from occurring at all.
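The rejection monitoring suggested above can be sketched in a few lines. This is an added example, not code from the original post and not Facebook’s; the prompt answers, page addresses and thresholds are all constructed assumptions.

```javascript
// Added example, not code from the original post or from Facebook: the
// monitoring idea above, run over a constructed log of answers to a
// "do you want to like this?" prompt. A page whose prompts are mostly declined
// is a likejack candidate, because people rarely refuse a like they meant to give.

// Constructed events; each records one prompt for one page and its answer.
function makeEvents(page, accepted, rejected) {
  const events = [];
  for (let i = 0; i < accepted + rejected; i++) {
    events.push({ page, user: `user${i}`, accepted: i < accepted });
  }
  return events;
}

const SAMPLE_EVENTS = [
  ...makeEvents("http://example-news.test/story", 8, 2),   // ordinary page
  ...makeEvents("http://free-giftcard.test/subway", 1, 9), // mostly declined
  ...makeEvents("http://tiny.test/new", 0, 2),             // too few prompts to judge
];

// Tally accepted/rejected prompts and distinct users per page.
function summarizeByPage(events) {
  const byPage = new Map();
  for (const ev of events) {
    const s = byPage.get(ev.page) || { accepted: 0, rejected: 0, users: new Set() };
    if (ev.accepted) s.accepted++; else s.rejected++;
    s.users.add(ev.user);
    byPage.set(ev.page, s);
  }
  return byPage;
}

// Flag pages with enough prompts, from enough distinct users, where the share of
// rejections crosses the threshold. Thresholds are assumptions, not tuned values.
function flagSuspectPages(events, { minPrompts = 5, minUsers = 3, minRejectRate = 0.8 } = {}) {
  const flagged = [];
  for (const [page, s] of summarizeByPage(events)) {
    const prompts = s.accepted + s.rejected;
    const rejectRate = s.rejected / prompts;
    if (prompts >= minPrompts && s.users.size >= minUsers && rejectRate >= minRejectRate) {
      flagged.push({ page, prompts, rejectRate, distinctUsers: s.users.size });
    }
  }
  return flagged.sort((a, b) => b.rejectRate - a.rejectRate);
}

console.log(flagSuspectPages(SAMPLE_EVENTS));
```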

Free Subway Likejack Scam

July 6, 2010

Avoid Facebook posts that promise a free gift card to Subway (the sandwich restaurant). The fake promotion says that you will get a free gift card for “liking” the link. In actuality, the link is clickjacked and you’ll only get a virus.

The Better Business Bureau has confirmed that Subway is not running this promotion. That combined with reports of viruses shortly after following the link is enough proof to call shenanigans on the whole thing.

By and large, gift card promotions on Fb are scams. Sometimes they use likejacked links. Sometimes they just try to amass large numbers of followers so that they can send out a steady stream of spam posts. In this instance, the former seems to be the most likely situation.

That isn’t to say, however, that every gift card promotion is fake. I would estimate that at least 4 out of 5 are BS.

So, how are you supposed to tell the difference between legit promotions and likejack scams? It isn’t that simple. Blogs like this one help out a lot. There are plenty of online resources that provide information about subjects such as clickjacked websites and Facebook scams. Find one that gets updated frequently with good information.

You can always search the internet for stories about giveaway scams.

Clickjacking Landmines

July 6, 2010

With increasing concern about clickjacking, lots of people have asked how they can spot websites that use clickjacking techniques to sucker them into downloading viruses, worms, and other malware.

I’ve explained in previous posts that some of the best security measures include NoScript, Windows patches, and the latest versions of web browsers. I’ve also explained, though, that these tactics are by no means foolproof. In fact, relying on them too heavily can set you up to become a victim.

If you’re worried about clickjacking scams, then you have to understand that you can’t spot every single jacked link. I’m sorry to burst your bubble if you’re looking for a fail-safe. At the moment, there isn’t one. You can, however, take a greater role in protecting yourself by paying attention to what types of websites you visit.

Here’s a simple rule to live by: shady sites do shady things. Avoid them.

For instance, if you’re downloading torrents from sites like The Pirate Bay, then you are probably going to get clickjacked. The people who run that site aren’t concerned about ethical computer usage. They don’t give a damn about movie companies, musicians, programmers, or you.

Also, avoid free porn sites like Red Tube and YouPorn. (I’m not hyperlinking these pages because you shouldn’t be going there in the first place.) I’m not saying that all websites with so-called adult material are unscrupulous. In fact, some of the most prosperous and forward-thinking internet companies focus on providing adult content to adult subscribers. Free tube sites, however, are usually distributing content without the owner’s permission.

Again, they don’t care about following the laws. And they don’t care about you. As long as they make a profit, they will do anything. It’s capitalism gone stupidly wild without any regulations.

I don’t even think that it’s up to the government to regulate these practices. The great thing about the internet is how unregulated it is. What we need is a savvy population of computer users who understand what they are exposing themselves to when they visit websites that are willing to rip off other people.

BBB Warns of Clickjacking Attacks on Facebook

July 2, 2010

You know that clickjacking has become a serious problem when the squares at the Better Business Bureau start talking about it. What the BBB has actually warned against is likejacking, a specific type of clickjack attack that takes advantage of the “like” button on Fb. It’s similar to other types of clickjack attacks, except it spreads to Fb members by posting a “like” statement on the user’s wall.

The likejack attack that the BBB has referenced uses a story about Justin Bieber as bait. When people click on the link, though, they are sent to a site with a clickjacked object. When clicked, this object unleashes a script without the user even knowing it. The likejacked links usually include a sensational promise about celebrities, naked women, or gossip. Basically the lowest common denominators that just about everyone is tempted to follow.

So far the likejack attacks haven’t really been all that bad. They post annoying likes on your wall, but so far it doesn’t seem that anyone has used them to steal private information. If you stay logged on to Facebook throughout the day, though, there is always a chance that these attacks could steal sensitive info such as bank account numbers and passwords.