“I can’t believe a GIRL did this just because of Justin Bieber.” If you ever see a post like this on your Facebook page enticing you to click on a video – stay away from it, Internet security experts warn.
It’s part of a massive “likejacking” scam that’s infected more than 20,000 users of the popular social networking site in just a few days after, according to M86 Security Labs of Orange Country, Calif. The link to a phony YouTube page that purports to contain the video shows more than 1.8 million hits.
Likejacking refers to a type of “clickjack” that manipulates a computer user to unknowingly “like” a Web site via Facebook. By tricking users into a liking a page or site, a post is published on the user’s Facebook wall.
Spammers are riding on the popularity of Canadian-born pop star Justin Bieber to get Facebook users to click on a hidden link that will result in the user’s account automatically “liking” the page, said Ed Rowley, product manager for M86.
He said the spammers are banking that the victim’s friends will find the post and ‘like’ it as well. “This is all in line with a spam campaign where the more people click on online sites the more money the spammers earn through affiliate bonuses from the sites involved,” said Rowley.
He said likejacking surfaced late last year and the Justin Bieber campaign appears to be its latest iteration.
M86 has been tracking the spam campaign and so far the strategy has not yet been used to load malware onto user’s machines. “When this happens it could also be potentially dangerous for businesses that allow employees to use social networking sites like Facebook,” said Rowley.
How the scam goes down
The Justin Bieber scam leads users to a fake YouTube page (FouTube) which was generated specifically for the campaign, according to Satnam Narang, M86 threat analyst.
Sample of fake YouTube Page.
“A hidden iframe overlas the FouTube player, so that if a user attempts to click on any part of it, the likejacking occurs resulting in the ‘liking’ of this page and helping the scam campaign spread,” said Narang in a blog.
The users are then presented with a dialogue box that looks like an average Facebook dialogue box. This time the box asks the use to very his or her age in order to view the content.
Scams of this type, Narang said, typically lead users to some form of survey scam. “This tactic pays – literally, by convincing users to visit one of these sites to complete a survey and earn an affiliate bonus for the scammer,” Narang said.
The Justin Bieber campaign, Narang said, has so far been spreading through Facebook users status updates as well.
How to avoid becoming a victim
Rowley of M86 said Facebook users can protect themselves against this scam by following some of the oldest anti-spam advice in the book. “If you’re not sure about the origins of a link, don’t click on it.”
Tell-tale signs of a spam or scam are headings or titles that have “outlandish of exaggerated claims,” he said.
“If it’s too sensational or if the messages seems to be coming from a friend but somehow sounds out of character, don’t touch it until you have verified the message with your friend,” said Rowley.
Rowley also advised that computer users should make sure that they are up to date with software and browser patches. “Many times scammers exploit vulnerabilities that have been previously patched by software makers like Microsoft or browsers and search engines like Mozilla or Google. The exploit gets some machines because users have not implemented the patch.
Rowley also said users can prevent likejacking and clickjacking by running a NoScript browser extension from Mozilla Firefox.
NoScript is a free extension which shows a warning dialogue box on the users’ computer screen when it detects a potential clickjacking or likejacking event, Rowley said.
Nestor Arellano is a Senior Writer at ITBusiness.ca. Follow him on Twitter, read his blog, and join the IT Business Facebook Page.
