Archive for August 2010

Bloggers beat clickjackers

August 30, 2010

Those of us concerned enough about internet security to write about it on a regular basis usually frame our stories as “hackers vs. internet security professionals.” It’s a good story, and one that obviously happens all the time. Hackers and security professionals are essentially two sides of the same tech-savvy coin. Hackers, in fact, have even been divided into two categories to describe where they stand. Black hat hackers promote viruses, clickjacks, malware, et cetera. White hat hackers dabble in these technological arts to stop malware from spreading.

Bloggers, however, might not be giving ourselves a large enough role in the story. We often think of ourselves as reporters standing on the sidelines. We’re not part of the action, we’re just noting the plays.

What we do, though, can involve some level of activism in favor of improved internet security. When we write about the latest clickjack spreading through Facebook, we warn people to avoid the scam. This inevitably means that we are part of the action. Why pretend otherwise?

Here’s a good example of how bloggers combat hackers. Recently a website named “Busty Bartenders” was found to use a likejack attack that hid a Facebook like button underneath the main page. Clicking anywhere on the page unleashed a script telling Facebook that you “like” the page, thus sharing the page with your friends. Instantly viral, right?

Not necessarily. Once bloggers learned about this clickjack attack, they started posting information on their sites and Facebook pages warning people to avoid Busty Bartenders. This had a very real effect on the website. Within a few days, the clickjack was removed. Now you can find an authentic like button there instead of one hidden out of sight in an iframe.

Sure, the score is still tilted in the hackers’ favor. Clickjacks are all over the internet. But bloggers should recognize that we have done some good. And we have the capacity to do even more by focusing on the latest clickjacking attacks and letting everyone know about them.

After all, if a clickjack can go viral, so can our warning. Although we might need to promise images of busty women serving up powerful beverages to really compete.


Future Tense interview about clickjacking

August 26, 2010

American Public Media’s Future Tense with John Moe recently interviewed internet security specialists about clickjacking on Facebook. Some of the information provided during that interview was, although not surprising, somewhat of a wake-up call. Beth Jones of Sophos pointed out that many clickjack attacks not only ask individuals to take surveys to “prove they are human” but also request the user’s phone number. Those who provide their phone number have unknowingly given permission for their cell phones to be charged five dollars a month.

The legality of this final part, quite frankly, blows my mind. Certainly reputable cell phone providers have some responsibility when it comes to these scams. I’d switch companies if my provider insisted that I pay the fee. Regardless, it’s obviously a headache for those who provide their digits, and it could end up costing them quite a bit of money, especially if they don’t pay close attention to the details listed on their cell phone bills.

Jones also said that Sophos sees dozens of clickjack attacks a day. I know that clickjacking is pervasive, but that seems like a high number to me. Sophos, however, is at the top of the internet security industry, so I believe Jones when she says this. If there truly are dozens of clickjacks making their way through websites like Facebook every day, then it is especially important for internet users to protect themselves and pay close attention to everything they do online.

Street View clickjack

August 24, 2010

Television shows like COPS have been getting high ratings for over a decade. Even now that YouTube gives internet users easy access to videos of people committing crimes, we still tune in to watch it on TV. Sure, it might be 3am, but it’s there for a reason: humans can’t get enough of the stupid, insane stuff that other humans do.

That’s why one of the latest clickjacking attacks has been so successful.

The other reason for its success? It claims an attachment to Google, which, although it seems to be taking over the whole internet, has promised not to be evil.

This scam involves Google Street View. Under a huge Google logo it states that “These crooks thought that they were above the LAW and could get away with anything. Unfortunately for them, Google Streets caught them red handed and on FILM!”

Seriously, if you don’t want to click on that, then you’re just not interested in the rest of humanity.

The problem is that this Google Street View is a bunch of B.S. concocted by some clickjacker who knows how much people love to watch other people do outrageous things. We’re voyeurs by nature, and hackers tap into that weakness.

When you follow the Google Street link, it opens a Facebook application. Once installed, it spreads word to all of your friends, ensuring that at least some of them will also fall for the lark. Perhaps the worst part? You end up visiting a survey web site instead of ever getting to see the crimes.

If you’ve already fallen victim to this clickjack attack, then make sure you return your Facebook page to its untainted version. Remove the app, pull down the wall post, and alert your friends.

Clickjacking: the next frontier

August 22, 2010

Wherever Facebook goes, clickjacking will follow.

Last May, internet security specialists discovered that hackers had developed a revised clickjack called likejacking. Likejacking uses Facebook’s “like” button to spread viruses to unsuspecting Fb members. Since liking a link means sharing that link with friends via a wall post, likejacked links could spread quickly.

Facebook recently released a share feature that works much like the like button, except it doesn’t imply actually liking the link. Still, it posts the link, video, or what-have-you to your wall, where friends can view it. Depending on how many friends a Facebook member has, shared objects could go out to hundreds or even thousands of people.

There was significant potential for abuse. Hackers, of course, spotted that potential and created what is now being referred to as a sharejack.

Sophos, an internet security firm, quickly noticed the abuse and published a report about Facebook profiles using the sharejack. Facebook responded even faster by pulling the pages from their website. Still, there is a persistent threat of misuse.

How can you avoid this scam? Like most clickjacks, sharejacking has something a bit off about it. Sharejacked profiles often make you go through a series of “human identification” tests that are supposed to ensure that you are a human instead of a computer. That’s a solid tip-off that something is amiss, since other pages don’t require these steps.

Pay attention to what you do on Facebook and other social networking sites, and avoid anything that seems remotely fishy.

Adobe security updates to prevent clickjack attacks

August 17, 2010

Adobe announced last week that it would release six critical security updates for Flash. Five of the updates are designed to prevent memory corruption. The sixth targets vulnerabilities that could make clickjacks possible. This week, the company plans to release more patches that will improve security for Reader and Acrobat.

Hackers have long focused on Adobe’s Flash software to create clickjacks that can cause computers to run operations without their users’ knowledge. Many of the clickjacks have hidden links embedded on top of images and links that appear benign. When the link is clicked, however, the user has actually clicked on the invisible frame, thus giving permission for an unknown application to start running.
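The invisible-frame trick described here (and in the Busty Bartenders likejack above) leaves a visible fingerprint in the page’s own styling: a frame that can still be clicked but is transparent and stacked above everything else. The following is an added example, not code from this blog, of a heuristic that flags iframes matching that pattern; the style fields and sample frames are constructed, and in a live page each record would be built from getComputedStyle().

```javascript
// Added example, not code from the blog: a defender-side heuristic that flags
// iframes styled the way a likejack overlay is, that is, a framed widget made
// transparent and stacked above the page so that a click anywhere lands on it.
// Frames are passed in as plain style records so the logic runs outside a
// browser; in a real page you would build each record from getComputedStyle().

function isHiddenOverlayFrame(frame) {
  // A frame that cannot receive clicks at all is not a clickjack overlay.
  const clickable =
    frame.display !== 'none' &&
    frame.visibility !== 'hidden' &&
    frame.pointerEvents !== 'none';
  // Fully or nearly transparent, so the user never sees what they are clicking.
  const transparent = Number(frame.opacity) <= 0.1;
  // Taken out of the normal flow and stacked above the visible content.
  const stacked =
    (frame.position === 'absolute' || frame.position === 'fixed') &&
    Number(frame.zIndex) >= 1000; // Number('auto') is NaN, so this is false
  return clickable && transparent && stacked;
}

// Returns the ids of the frames that match the overlay pattern.
function scanFrames(frames) {
  return frames.filter(isHiddenOverlayFrame).map((f) => f.id);
}

// Constructed sample records (assumed values, not taken from any real site).
const SAMPLE_FRAMES = [
  { id: 'hidden-like', display: 'block', visibility: 'visible', pointerEvents: 'auto',
    opacity: '0', position: 'absolute', zIndex: '9999' },   // overlay pattern
  { id: 'visible-like', display: 'inline-block', visibility: 'visible', pointerEvents: 'auto',
    opacity: '1', position: 'static', zIndex: 'auto' },     // ordinary button
  { id: 'lazy-widget', display: 'none', visibility: 'visible', pointerEvents: 'auto',
    opacity: '0', position: 'absolute', zIndex: '9999' },   // invisible but unclickable
  { id: 'faded-banner', display: 'block', visibility: 'visible', pointerEvents: 'auto',
    opacity: '0.6', position: 'fixed', zIndex: '5000' },    // translucent, still visible
];

console.log(scanFrames(SAMPLE_FRAMES)); // [ 'hidden-like' ]
```

A site owner can run this over `document.querySelectorAll('iframe')` to catch a social button that a compromised template or third-party script has rendered invisible.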

This has allowed clickjackers to perform a variety of tasks. Some have even created clickjack scripts that take over web cams. This allows the hacker to film people using their computers, a spooky prospect that has led many people to keep their cameras unplugged or covered except when in use.

Some clickjacks also release viruses, trojans, and other types of malware. Once your computer is infected, the viruses can steal information or turn the computer into a slave bot that performs operations for the hacker. This slows down your internet connection and can even implicate you in illegal actions.

It is important to keep Adobe programs up to date to help protect your computer from clickjack attacks. It is a continuous process, so you will have to continue updating the software. Chances are that within a few months, a savvy hacker will find a way to counter the latest patches. Adobe will then retaliate with a new patch that addresses the most current issue.

The dislike scam

August 17, 2010

Recently a company called FaceMod created an application that allows Facebook users to add a “dislike” button to their pages. This has been something that Facebook members have talked about for years. The new application gives them the ability to tell their friends about things that they don’t like. The option to give a big thumbs down also makes it possible for members to communicate their feelings easily. Instead of simply “liking” a comment, now you can “dislike” it just as easily without having to write a diatribe on a friend’s wall.

By and large, the dislike button is a cool addition for those who want it. It also, however, provides a new opportunity for clickjackers and other online scammers to take advantage of unsuspecting Facebook members.

The like button has already caused numerous problems for Facebook. Clickjacked like buttons on third-party sites can install viruses. When this happens, members all too often blame Facebook for poor security measures, even though the action did not occur on the company’s site.

The dislike button will carry the same issue. As it becomes more common for web sites to allow viewers to dislike things via Facebook, we will inevitably see a larger number of clickjacked dislike buttons. There is an added threat here, though, that occurs simply because the dislike button is so new. As more Facebook users learn about the dislike button, they will go in search of an app that will let them modify their Facebook pages. The problem is that some hackers have created fake applications that either install trojans or direct users to lengthy surveys that ask for salable information.

You can avoid these risks by downloading the dislike add-on directly from Firefox’s add-on page. That way you will know for sure that you got the official version.