Archive for February 2011

Free Southwest Plane Tickets

February 25, 2011

Fraudsters have promised free airline tickets before by creating fake advertisements for companies like JetBlue and Delta. Most of these have been standard clickjacking scams that spread via a person’s Facebook wall. The trick is fairly simple for hackers with minimal amounts of training. They create a fake ad for free airplane tickets. Suspended above the ad, however, is an invisible link that instructs Facebook to post a message to that person’s wall. This is the fastest way for hackers to spread their message to millions of people.
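The invisible overlay described above can be checked for mechanically. The following is an added example, not code from the original post: a heuristic Python scanner that flags clickable elements made transparent and positioned over other content through inline styles. The sample markup and its example.invalid URLs are constructed, and styles applied from stylesheets or scripts are outside what it inspects.

```python
from html.parser import HTMLParser

def parse_style(style):
    """Turn an inline style string into a {property: value} dict."""
    props = {}
    for decl in style.split(";"):
        if ":" in decl:
            name, value = decl.split(":", 1)
            value = value.lower().replace("!important", "")
            props[name.strip().lower()] = value.strip()
    return props

def is_transparent(props):
    """Transparent elements still receive clicks, unlike display:none."""
    try:
        return float(props.get("opacity", "1")) <= 0.05
    except ValueError:
        return False  # non-numeric opacity: not enough evidence to flag

class OverlayFinder(HTMLParser):
    CLICK_TARGETS = {"iframe", "a", "button", "form"}

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag not in self.CLICK_TARGETS:
            return
        attrs = dict(attrs)
        props = parse_style(attrs.get("style") or "")
        # Flag only elements that are both see-through and lifted out of
        # normal flow, which is what lets them sit on top of the visible ad.
        if is_transparent(props) and props.get("position") in ("absolute", "fixed"):
            target = attrs.get("src") or attrs.get("href") or attrs.get("action") or ""
            self.findings.append((tag, target))

def find_hidden_overlays(html):
    finder = OverlayFinder()
    finder.feed(html)
    return finder.findings

# Constructed sample page: one hidden overlay, two harmless elements.
SAMPLE = """
<div style="position:relative"><img src="free-tickets.png" alt="Free tickets">
<iframe src="https://social.example.invalid/share"
        style="position:absolute; top:0; left:0; opacity:0"></iframe></div>
<iframe src="https://video.example.invalid/embed" style="width:560px"></iframe>
<a href="https://example.invalid/about" style="opacity:0.9">About</a>
"""
```
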

The latest clickjacking scheme, this one for Southwest Airlines, however, takes a slightly different approach that has tricked savvy Facebook users who thought they knew how to avoid fraudulent ads.

Instead of making clickjacked ads that post a message to a person’s wall, this clickjacking scheme posts messages in other locations. By posting the message as, for instance, a picture comment, hackers find that more Facebook users are tricked into following the link.

Why? Well, any new scheme is certain to trick a few people just because it hasn’t been encountered before. There’s also a psychological factor involved.

When a clickjacked link is posted under a picture, most people think that it is a comment directly from someone they know. That was once the case when it came to wall posts too, but now Facebook users are wary of posts that seem out of character. This tactic takes clickjacking to a new level of personal communication.

Of course, there is a big problem: clickjacked links posted as picture comments often seem out of context. That’s a good way to spot them. We’ve always been taught to question deals that seem too good to be true. Now it’s time to consider whether the offers sound too weird to be true.


Microsoft Accuses Google of Clickjacking Attacks

February 22, 2011

We tend to think of clickjacking as something conducted by the shadiest of criminals. I always imagine them with thin mustaches, nicotine-stained fingertips, greasy hair, and accents that place them in some ambiguous former-Soviet nation.

Microsoft has a different idea of what a clickjacker looks like. To them, the worst clickjackers wear casual attire to well-paying jobs in the San Francisco Bay Area. They drive electric cars and enjoy free on-job massages. They, in other words, work for Google.

Microsoft made this accusation after Google claimed the company had stolen their search results. Last summer, some of Google’s developers noticed that Microsoft’s search engine Bing was showing fake search results that Google had added to their own results. According to Google, this proved that Microsoft was stealing their search results.

Microsoft, of course, denied the accusation, saying that they had some of the world’s best minds working for their company, so they hardly needed to steal search results from Google. That’s a good point, but it’s also like saying, “hey, I’m already super-rich, why would I cheat on my taxes?”

The accusation has heated up over the past week, leading to Microsoft’s claiming that Google used clickjacking strategies to gather evidence. This not only shows that Google is capable of using questionable techniques, but also that the evidence means very little. If clickjacking was used, then the results could be skewed in Google’s favor to make it look like Microsoft had stolen information when nothing of the sort had actually taken place.

So far, there hasn’t been any court action. It seems that both companies would rather avoid the legal system this time around. Instead, they’ve chosen to fight it out in the public arena. That in itself is a questionable decision that will probably only lead to more accusations.

Potential Stroke Victim Gets Clickjacked on Facebook

February 16, 2011

Serene Branson, an on-air personality for CBS 2 in LA, might have had a stroke on live TV during last weekend’s Grammy Awards. Millions of viewers have since watched the video of her breakdown, which included slurred speech and utter gibberish.

What happened next could only be possible in the modern world: her video went viral on Internet sites such as YouTube and Facebook.

After the video went viral and received millions of hits, some hacker recognized it as an opportunity to make some money. The hacker used the video to spread a clickjacking attack throughout Facebook.

The attack works just like numerous other clickjacks that have been spread through Facebook. It starts off innocently enough: curious Facebook members see a post about the video, so they follow the link. It’s basic human curiosity that urges us to watch someone having a meltdown of sorts on television. It seems so unbelievable that many of us cannot resist.

Once the Facebook member clicks the link, though, things start to get fishy. First, they are asked to take a short quiz before viewing the video. That should send up a big flag that something is amiss. Surveys of this sort are frequently used by hackers. They submit the results to survey businesses for payment. It’s basically the driving force behind this and similar clickjacking attacks.

After completing the online survey, Facebook users are told that they need to allow an app to view the video. That’s another flag that should convince users to pause. And with good reason: the button that allows the app has been clickjacked to spread the link to other Facebook members by posting it on the person’s wall. That’s how these scams spread so quickly.

Can Prevent Clickjacking?

February 14, 2011

We all know that there are potential dangers associated with using social networking sites. The dangers are even greater when children get online. If you think that adults are bad at distinguishing online scams from legitimate information, then you’d be amazed to see how trusting children can be when confronted with bogus links.

Two of the biggest concerns are keylogging and clickjacking attacks. Keylogging is problematic because it gives hackers access to anything that you have typed. In other words, they can steal passwords to your bank, email, and credit card accounts, creating huge problems. Clickjacking poses a significant problem because it is difficult to recognize. It uses invisible frames to “trick” users into following scam links. claims that it can help parents protect themselves and their children from these threats with two pieces of software. According to them, no single piece of software can handle both problems.

That’s hogwash. might claim to protect users, but it doesn’t offer any concrete information about how it can accomplish this goal. Furthermore, stating that a person needs two independent pieces of software hardly makes any sense. Any designer could, after all, simply compile the two programs. Voila, now you’ve solved clickjacking and keylogging problems with one piece of software.

The bigger concern, however, is that I doubt’s security programs can even accomplish these goals with two pieces of software. Clickjacking in particular is difficult to stop. So far, no one has been able to create a foolproof way to prevent it. There are reliable ways to reduce a person’s vulnerability, but you can always be exposed to a new version of the attack. might claim to have the solution, but I need to see some real proof before I believe them. If Microsoft and Apple haven’t been able to solve these problems, then I very much doubt that has the answer.

The Quiet Attack

February 4, 2011

One of the most troubling things about clickjacking attacks isn’t that they can activate your computer’s video camera, or that they can trick you into buying items that you don’t want, or even that they spread themselves by posting unauthorized updates to your Facebook wall. The biggest concern is that clickjacking can do all of these things without setting off any alarms. It is a quiet sort of attack that you might never notice.

When that happens, individuals can become repeat victims without realizing it. A person who doesn’t know he or she is being victimized will never do anything about the problem. They don’t even know that a problem exists.

What can you do, then, to protect yourself from clickjacking attacks? After all, you might figure, anything that can bypass your antivirus software is probably going to fool you every time.

Not necessarily.

Antivirus software focuses on detecting problems within programs. If someone were to hide a virus in, for instance, a screen saver, then your antivirus software would probably find it. Clickjacking, however, occurs within a web browser. It doesn’t usually involve programs that infiltrate your computer.

That means you can potentially spot problems that your antivirus software doesn’t even look for.

Pay closer attention to your Facebook wall, or Myspace profile, and look for posts that you did not authorize. Also, look for applications that you did not ask for. If you find them, then delete them from your profile.

Checking your credit card and PayPal accounts will also help you stop clickjacking attacks shortly after they occur. If you notice unauthorized charges, then contact your bank, or PayPal, to report the problem. That way you can stop payment before the hackers receive any money from you.