Posts Tagged ‘facebook’

Server-side Clickjack Protection

September 11, 2011

If you’ve been worrying about clickjacking attacks on the websites you visit often, you might be surprised to learn that sites have the ability to impede these attacks. The fact of the matter is some websites just don’t focus that much on security strategies that would really keep their visitors safe. That isn’t to say that website administrators and developers could prevent all clickjacking attacks, but they could certainly make it harder for hackers to ruin your day.

Quite frankly, social networking sites (especially Facebook) are some of the worst offenders. To some extent, that’s understandable. Consider, for instance, how many people visit Facebook every day. That makes the site a target for clickjackers that want to reach a large audience quickly. Plus, Facebook wants to make it easy for people to share information with each other. Any kind of block could negatively affect service.

When it comes down to it, though, more websites could use server-side clickjacking protection. It’s actually pretty easy.

The most common technique is called a framekiller. It’s a piece of JavaScript that prevents a page from being displayed inside a frame on another site. Unfortunately, it’s not always reliable. Fairly advanced techniques can trick Internet Explorer into loading the framed page anyway, so the clickjacked link works as the attacker intended.

Should websites have more responsibility when it comes to protecting visitors? That depends. A site like Facebook should definitely lead the security development to stop clickjacking. They’re big enough and have enough resources to take on the problem. Plus, it’s in their best interest to offer more safety to their members. Since Facebook doesn’t have a true competitor, though, the company might not feel too motivated in this area.


How Many Facebook Videos Have Been Clickjacked?

September 10, 2011

If you’re on Facebook, then you have to know that some of the videos you see posted on the walls of friends are clickjacked. Clickjacked videos typically have invisible frames hovering over them, either over the whole video or just over the play button. When you push play on the video, you may or may not actually get to watch it. What you actually do is unleash a tactic called UI redressing. More than likely, clickjacked videos just repost themselves on your wall without your permission.

That’s kind of scary, especially considering that some of the clickjacked videos can steal personal information from your computer that allows hackers to steal your identity.

What’s even more scary is that research now shows that 15 percent of videos on Facebook are clickjacks. That’s right. 15 percent. That means that for every ten videos you see, more than one of them has been clickjacked. Click on ten random videos and you’re going to get clickjacked at least once.

Let’s face it, Facebook hasn’t done much to stop this kind of behavior. They pretty much let anyone post anything without discretion (unless it’s porn, I guess. They have a thing against porn).

Yet again, that means you need to protect yourself by avoiding shady videos. If you see a video that doesn’t look like your friend actually posted it, then don’t click it. If your uncle who’s totally into football posts a video about Lady Gaga, then you can feel pretty certain that it’s a clickjack. There’s just something not right with it, so stay away.

Man in Wheelchair Falls to Death LOL

September 8, 2011

Fans of the Darwin Awards might find it entertaining to read about the dumbest possible ways that people die, but there’s a big difference between shaking your head at a written account of someone’s death and watching a video of it.

Recently, the moral fiber of Facebook users was tested by a post that reads:

Man in wheelchair falls down the elevator shaft *SHOCKING VIDEO*
[LINK deleted]
This Video is really shocking. a man in a wheelchair is falling down the elevator shaft.

If you followed the link, then you found a fake Facebook page with what looked like an embedded video. Sorry, you’re not going to get to watch the gruesome video. In fact, such a video probably doesn’t even exist.

What you get, instead, is a clickjack. A lot of people have commented (and I kind of agree) that anyone who fell for this horrible scam got what they deserved.

If you use Firefox with the NoScript application, then you got a warning about the UI redressing attempt, as clickjacking is technically called. If you don’t use this security app, though, you were prompted to take an online survey. After taking the survey, you didn’t even get to watch the video. How lame is that?

Many clickjackers use online surveys to earn money. By tricking people into visiting survey websites, they know that a small number will actually answer the questions. For each person that fills out the survey, the clickjackers earn a small amount of money that quickly adds up.


New Low: Clickjackers Capitalize on Death of British Pilot

August 23, 2011

Last weekend a British pilot died after his plane crashed during a Red Arrows display at the Bournemouth Air Festival. He had family and friends and people who loved him. As far as clickjackers were concerned, though, he mostly had earning potential.

Not long after the crash was reported, a Facebook message started circulating that promised to show video of the accident. Regardless of how compassionate most people are (thousands joined a Facebook group showing support for the pilot’s family), they also have a tendency to stare at car crashes and watch movies like Jackass, where people get hurt in supposedly hilarious ways. They just can’t not look at something spectacular, even when the event was tragic.

Clicking on the video link doesn’t take you to a YouTube video. What it does do is share the message with all of your Facebook pals.

In the typical way, this clickjack gets spread quickly through the Internet. Even if only two people click on the message posted by your account, and then two people click on the messages posted by them, and so on, you quickly get thousands of people falling for the scam. The numbers increase exponentially, so they really get moving once you hit the triple digits.

It’s stunningly heartless for someone to use this tragic event to earn money. I’m sure that some people, however, think that the clickjack victims have gotten what they deserve. They shouldn’t have followed the message in the first place. I think that’s a bit too harsh. Following the message might mean that you’re gullible, but it doesn’t mean that you are a bad person. At least not any worse than the thousands of other people who wanted to see the crash that they had heard so much about.

Getting Clickjacked by Lady Gaga

August 6, 2011

It doesn’t matter whether you love Lady Gaga or hate her, she certainly has an odd charisma that attracts people. That charisma has helped her sell millions of copies of her danceable songs. (Personally, I like the meaning behind her songs much more than I like the music, but I think I’m just a little too old to dig it. If she’d been around in the 80s, though, I probably would have loved her.)

As soon as someone exposes the public to that level of charisma, though, someone else will try to make money from it.

In 2011, that means someone is going to use your fame to clickjack a bunch of people on Facebook.

Over the past couple of days, a message has been spreading through Facebook that claims Lady Gaga was found dead in a hotel room. The message carries a video link that you supposedly click on to watch news footage about her death. As an awesome and disturbing side note, the video has a message that reads “This is the most awful day in the US history.” Forget the strange choice of words (“the US history”?). Who would actually believe that this is a legitimate news broadcast? Come on, it’s obviously not the most awful day in US history… What about the day that John Lennon was killed!

Despite the ridiculous nature of the post, a lot of people have clicked on it. And they got clickjacked, of course. Oh, gullible people so unwilling to read the small print.

A Spider Under The Skin, or a Clickjack on Your Nerves?

August 1, 2011

Would you like to see video of a large spider living underneath someone’s skin? Personally, I’d pass. Still, I can understand that a lot of people would want to see that video. After all, look at how many people go to see horror movies and throw their necks out of whack as they stare at car accidents.

A morbid sense of curiosity, however, can lead to bad things when you’re on Facebook.

A recent clickjacking attack used the spider video as bait to convince Facebook users (I’m guessing mostly boys and young men) to follow a link. Unfortunately for them, they didn’t get to see a gnarly video. They just got clickjacked, which, in this case, means that the link instructed the Facebook account to post the message on the user’s wall so that her or (again, more than likely) his friends would see it and think “oh man, awesome, I totally want to see some of that nastiness!”

There were numerous messages floating around with this clickjacked link attached. Even a bilingual one in Spanish and English! Some of the examples include:

Una Araña debajo de la piel. A spider under your skin!
Él dice que era una araña bajo la piel, ¿qué dices? He says there was a spider under the skin what do you say?

Amazing! Spider is Growing Under Woman Skin
WARNING: Sh0ck1ng Footage!

Amazing how a spider can go under your skin This spider is brutal..
WTF – There is a spider inside the skin of this girl, extremely painful !

Here’s a new rule to live by — If it sounds too rad to be true, then it’s probably a clickjack.

Clickjacking on Twitter

June 30, 2011

Most clickjacking attacks currently take place on social media sites such as Facebook. Myspace isn’t really as popular these days (so much so that News Corp has dumped it, which means that I would actually consider using Myspace again). More and more, though, we’re finding that clickjackers are turning to Twitter to scam their victims.

Twitter has emerged as one of the most popular web-based services around. It’s a microblogging tool that allows users to send short messages to a lot of people at once. If you’re not already using it, then you can think of Twitter as a telegram that goes out to hundreds of thousands of people (assuming that you’re popular enough to have that many followers).

This has led to some big problems for Twitter users who don’t expect to find clickjacking links in these posts.

The added threat is that most people access Twitter through their mobile devices. Of course, these devices are becoming the central hub for a person’s private information, including phone numbers and credit card numbers. Clickjackers that use Twitter, therefore, could have the opportunity to steal sensitive information that allows them to steal identities and commit fraud.

What can you do to stop it? You don’t have to avoid Twitter. Start by disabling scripts in your browser. That will prevent some attacks. The best thing that you can do, though, is to remain vigilant and pay close attention to every link that you follow. If you have any doubts, then don’t click the link. It’s that simple. Telling the difference between a clickjack and an honest link, however, usually requires some experience.

What are some of the ways that you can spot clickjacks on Twitter?