Archive for June 2011

Clickjacking on Twitter

June 30, 2011

Most clickjacking attacks currently take place on social media sites such as Facebook. Myspace isn’t really as popular these days (so much so that News Corp has dumped it, which means that I would actually consider using Myspace again). More and more, though, we’re finding that clickjackers are turning to Twitter to scam their victims.

Twitter has emerged as one of the most popular web-based services around. It’s a microblogging tool that allows users to send short messages to a lot of people at once. If you’re not already using it, then you can think of Twitter as a telegram that goes out to hundreds of thousands of people (assuming that you’re popular enough to have that many followers).

This has led to some big problems for Twitter users who don’t expect to find clickjacking links in these posts.

The added threat is that most people access Twitter through their mobile devices. Of course, these devices are becoming the central hub for a person’s private information, including phone numbers and credit card numbers. Clickjackers that use Twitter, therefore, could have the opportunity to steal sensitive information that allows them to steal identities and commit fraud.

What can you do to stop it? You don’t have to avoid Twitter. Start by disabling scripts in your browser. That will prevent some attacks. The best thing that you can do, though, is to remain vigilant and pay close attention to every link that you follow. If you have any doubts, then don’t click the link. It’s that simple. Telling the difference between a clickjack and an honest link, however, usually requires some experience.

What are some of the ways that you can spot clickjacks on Twitter?


Has Clickjack Protection Improved?

June 27, 2011

Clickjacking gets more press now than ever. The data is difficult to pin down precisely, but chances are that clickjacking is more prevalent now than it was a couple years ago. Does this mean that we should all be more worried about the threat of clickjacking?

Not necessarily.

Although hackers have made strides towards finding ways to trick their victims into following corrupted links, software developers have also been working hard on tools that can prevent the worst fears of those victims.

In 2008, ComputerWorld reported that Adobe was warning people that “‘Clickjackers’ could hijack webcams, microphones…” Today, those threats hardly exist at all. That’s because Adobe got serious about preventing clickjacks that were designed to hijack webcams and microphones. That doesn’t mean that the threat has been completely eliminated. In order to protect yourself from these threats, you need a version of Adobe’s software that has been developed to resist these attacks. Protection also assumes that hackers haven’t found a way to bypass those security measures.

One thing that you can count on is that hackers will always fight security developments. It’s an ongoing process that might not ever end.

The bad news is that hackers have found more ways to spread their clickjacks. At first, Facebook was the ultimate way for them to reach thousands of people within a short time. Now, they often turn to Twitter as well as Facebook. This gives them more opportunities to advance their scams and find ways around security measures. The more opportunities there are, the harder it is to stop clickjacks.

While the threat has spread to a larger number of people, though, the substance of the threat has decreased thanks to security development that has focused on this kind of attack.

Photoshop This

June 20, 2011

Photoshop has been the go-to tool for photographers and graphic designers for well over a decade. For the first time, though, it has been used to sucker people into spamming their friends.

It actually has little to do with Photoshop. It’s a new clickjacking scam that uses Photoshop’s popularity to convince victims to follow a link. The clickjacked Facebook post states “hey, I just made a Photoshop of you, check it out:” and then it provides a truncated link. When you click on the link, though, you don’t get a photo of yourself or anyone else that you know. Instead, you get a window that prompts you to download a Facebook app that requests access to Facebook Chat.

This is where things get bad for you and everyone you’re connected to on Facebook. If you allow the app to access Chat, then you’ve just unwittingly given it permission to spam your friends.

Perhaps to buy a little time, the clickjack directs your browser to an article called “45 Strange and Funny Photoshop Manipulations.” Don’t be surprised when you don’t find your face on any of those pictures.

If you’ve already fallen victim to this clickjack scam, then you’ll want to erase the app from your Facebook account, clear any posts from your wall, and tell your friends that you’re the sucker who sent them a bunch of spam.

You might also want to ask for forgiveness, because this is exactly the way that people get nailed with viruses and spam. Learn your lesson. Pay more attention in the future so that you don’t contribute to such tomfoolery.

USA Gets with the Times

June 17, 2011

If you pay much attention to USA Today, then you’ve recently read that “cybercriminals have begun spreading corrupted Facebook “Like” buttons inside the popular social network.” Begun? Hey, USA Today, get with the times.

When Facebook introduced the “like” button in 2009, clickjacking had already been around for some time. After clickjacking began to spread through Facebook, the term “likejacking” became popular. Still, that was two years ago. Where have you guys been?

The popular newspaper reports that Facebook has faced increasing scrutiny because of policies that favor businesses over the privacy of users. It also acknowledges that the like button has been a particular problem for privacy advocates because the button makes it easier for Facebook to track user activity on other sites as well as its own.

The paper reports that “And now cyber scammers have figured out how to cause malicious Like buttons to turn up on Facebook users’ profile pages.” Now? When was this printed? June 17th, 2011. You have to be joking.

I’m all for spreading information about clickjacking (obviously. I mean, I run a site about it), but there is no reason to present information as if it is new just to make it sound like news.

If you want to write a recent news article, then try talking to Facebook about their upcoming strategies to stop likejacking. The quotes provided in the article are ambiguous and obvious. They don’t tell an informed person anything that he or she wouldn’t have known a year ago. I just wonder what the point is.

Hayley Williams Clickjack

June 11, 2011

Oh, Hayley Williams, your band Paramore is terrible. You’re basically the pop rock version of every sellout, over-produced country star. But I’ll give you this: you sure are a hottie.

Apparently, a lot of people agree with that latter statement. In late May, a picture of Williams topless was posted on Twitter (through her own account, I might add). It sure didn’t take long before the pic had spread to hundreds of websites eager to make a few pennies off of the young beauty. Quite frankly, I’m not totally convinced that it’s her. It could be any petite young woman with funky hair. It’s still worth seeing, but I don’t have any faith in the pic’s validity.

Hayley with her shirt on

Those who posted the topless photo, however, missed out on the real money making opportunity: a good, old fashioned clickjack attack.

No sooner had the picture emerged than clickjackers had created Facebook messages promising to show the image. The most successful message leads visitors to a site that requires you to click “only if you’re 18 or older.” When you click that “18 or older” message, though, your Facebook account posts the message on your wall, spreading the link to all of your friends.
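The “18 or older” trick only works if the site whose button is really being clicked lets itself be loaded inside another page’s frame. As an added example (not code from the original post), here is a small check that reads a site’s raw HTTP response headers and reports whether it blocks that; the sample responses are constructed for illustration.

```python
# Added example: classify a site's anti-framing posture from its response headers.
# Blocking third-party framing (X-Frame-Options or CSP frame-ancestors) is the
# server-side defense against a hidden button being placed under a decoy click.

def parse_headers(raw):
    """Parse 'Name: value' lines into {lower-cased name: [values]}; skips the status line."""
    headers = {}
    for line in raw.splitlines():
        if ":" not in line:
            continue  # status line or blank line
        name, _, value = line.partition(":")  # split only on the first colon
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers

def frame_ancestors(csp_values):
    """Return the frame-ancestors source list from CSP header(s), or None if absent."""
    for csp in csp_values:
        for directive in csp.split(";"):
            parts = directive.split()
            if parts and parts[0].lower() == "frame-ancestors":
                return [p.strip("'").lower() for p in parts[1:]]
    return None

def framing_policy(raw_headers):
    """Classify a response as 'blocked', 'same-origin', 'allowlist' or 'frameable'."""
    h = parse_headers(raw_headers)
    fa = frame_ancestors(h.get("content-security-policy", []))
    if fa is not None:  # browsers that understand CSP prefer it over X-Frame-Options
        if fa == ["none"]:
            return "blocked"
        if fa == ["self"]:
            return "same-origin"
        return "allowlist"  # specific origins may frame it; check they are trusted
    xfo = [v.upper() for v in h.get("x-frame-options", [])]
    if "DENY" in xfo:
        return "blocked"
    if "SAMEORIGIN" in xfo:
        return "same-origin"
    return "frameable"  # no anti-framing header at all: a clickjacking precondition

# Constructed sample responses (not captured from any real site).
UNPROTECTED = "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n"
PROTECTED = ("HTTP/1.1 200 OK\r\nX-Frame-Options: DENY\r\n"
             "Content-Security-Policy: default-src 'self'; frame-ancestors 'none'\r\n")

if __name__ == "__main__":
    print("unprotected:", framing_policy(UNPROTECTED))  # frameable
    print("protected:", framing_policy(PROTECTED))      # blocked
```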

Paramore is a pretty popular band, so there are tons of people willing to follow the link. Which, of course, means that the clickjack has spread quickly.

If you’re interested in seeing Hayley Williams without her shirt on (hey, I don’t blame you), then search for the image via Google and don’t click on anything other than the Google result. The moment that you click anywhere on another page, you’re setting yourself up for a clickjack.

Should We Expect More Protection From Clickjacking?

June 5, 2011

Clickjacking is a problem. There’s no getting around that. If you use the Internet, then you are a potential victim. It’s really that simple.

So, should we expect more protection from clickjacking? Should we expect individual websites to find new security measures that will prevent clickjackers from spreading their scams (I’m looking right at you, Facebook and Twitter)?

To some extent, I think that we can expect these companies to assume some responsibility. After all, these companies have made billions of dollars from their clients. They should invest some of that money into research and development that helps them keep the clients safe.

At the same time, we can’t expect Facebook, Twitter, or any other big website to protect us from every threat on the Internet. Many of the clickjacks that people get through Facebook actually come from outside sources. Could Facebook do a better job of warning people when they are leaving the site? Absolutely. Could they do a better job of educating users so that they know more about the threats of clickjacking? I’d say so.

But they aren’t responsible for what happens to you on http://www.sometinysite.com.

That means you have to accept some responsibility on your own.

If you can’t prevent clickjacks from happening, then you can at least stop malware from infiltrating your computer as a result of clickjacked links. Get some good security software for your computer, and don’t be afraid to spend a few bucks on the highest level of protection. It’s the money that encourages software companies to design stronger products. If you only rely on freeware, then you are going to get burned at some point.

That’s just a fact of participating in a virtual world.