This is part one of a two-part post on how Web site clickjacking attacks work, and how to prevent them.
The success of Facebook clickjacking is due in large part to the social nature of the Web site. Users of Facebook are MUCH more likely to click on a particular link if they believe that the link was posted by a friend. Unfortunately, attackers also understand this dynamic, and as a result they are using Facebook as a new vector to deliver attacks.
What is Clickjacking?
Clickjacking (aka user interface (UI) redressing) is an attack where an attacker has injected malicious content onto a compromised page (Web site A) to trick the user into clicking on a link or button from another domain (Web site B). Typically the attack is set up by creating an invisible or disguised iFrame on Web site A that points to a UI button on Web site B. The button could be used to launch a forged cross-site request, to download malware, or for any other malicious activity.
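The attack above only works if the browser lets Web site A embed Web site B in a frame at all, which Web site B controls through its response headers. The following added example (not code from the original post) decides, from a page's headers, whether a given framing origin would be allowed; the header values and origins are constructed and do not reflect Facebook's real configuration.

```python
from urllib.parse import urlsplit

def _frame_ancestors(csp):
    """Return the frame-ancestors source list from a CSP value, or None if absent."""
    for directive in csp.split(";"):
        parts = directive.strip().split()
        if parts and parts[0].lower() == "frame-ancestors":
            return [s.lower() for s in parts[1:]]
    return None

def _source_matches(source, page_origin, framer_origin):
    """Match one CSP source expression against the origin trying to frame the page."""
    framer = urlsplit(framer_origin)
    if source == "'none'":
        return False
    if source == "'self'":
        return framer_origin == page_origin
    if source == "*":
        return True
    if source.endswith(":"):                     # scheme-only source, e.g. https:
        return framer.scheme + ":" == source
    scheme, _, host = source.rpartition("://")   # scheme is '' for host-only sources
    if scheme and scheme != framer.scheme:
        return False
    if host.startswith("*."):                    # wildcard subdomain, e.g. *.example.com
        return framer.netloc.endswith(host[1:])
    return host == framer.netloc

def framing_allowed(headers, page_origin, framer_origin):
    """True if a browser would let framer_origin embed the page; CSP frame-ancestors wins over X-Frame-Options."""
    h = {k.lower(): v for k, v in headers.items()}
    ancestors = _frame_ancestors(h.get("content-security-policy", ""))
    if ancestors is not None:
        return any(_source_matches(s, page_origin, framer_origin) for s in ancestors)
    xfo = h.get("x-frame-options", "").strip().upper()
    if xfo == "DENY":
        return False
    if xfo == "SAMEORIGIN":
        return framer_origin == page_origin
    return True   # no recognised header (ALLOW-FROM is obsolete): any site can frame the page

# Constructed sample responses from a hypothetical Web site B (not real Facebook headers).
SAMPLE_RESPONSES = {
    "no_protection": {"Content-Type": "text/html"},
    "xfo_sameorigin": {"X-Frame-Options": "SAMEORIGIN"},
    "csp_self_and_partner": {"Content-Security-Policy": "frame-ancestors 'self' https://*.partner.example"},
    "csp_overrides_xfo": {"X-Frame-Options": "DENY", "Content-Security-Policy": "frame-ancestors *"},
}

def exposure_report(responses, page_origin, framer_origin):
    """Map each sample to whether framer_origin could frame it (True = exposed to clickjacking)."""
    return {name: framing_allowed(hdrs, page_origin, framer_origin) for name, hdrs in responses.items()}
```

Run `exposure_report(SAMPLE_RESPONSES, "https://siteb.example", "https://sitea.example")` to see which sample configurations a page at Web site A could still frame.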
How does this Apply to Facebook?
In the recent Facebook Clickjacking attacks, an attacker sets off a variant of a Facebook worm that sends users to a clickjacked Web page that exploits Facebook’s “Like” infrastructure. This is accomplished through a series of well-designed steps:
1. Find the Victims.
The attacker likely created a spam email, banner ad or some other type of bait to trick people into clicking the malicious link. The bait could be a spoofed link to pornography, free products, celebrity gossip, or any other enticement. For our example, let’s assume the bait is an email with a link that says “Check this New Video of a Dancing Bear!”
2. Clickjack the Victims’ Facebook Accounts.
3. Spread to the Victims’ Social Networks.
Because most users are permanently logged into Facebook, if the user clicks anywhere on the clickjacked page, a link is published on the victim’s profile with the same link used to lure the original victim of the attack:
“Check this New Video of a Dancing Bear!”
This appears in the Facebook News Feed of all of the user’s contacts. If any of the victim’s Facebook friends click the link, they are also sent to the clickjacked page. If the new victim clicks anywhere on the page, a “Like” link is added to their Facebook profile, starting the cycle again.