Facebook is fighting off a new wave of clickjacking attacks, but its defensive tactics could merely lead to a prolonged cat-and-mouse game. Users clicking on certain links posted on the network aren’t actually taken to the promised page — instead, they’re unwittingly made to “like” the link itself, thus encouraging others to click. The tactic could potentially open the door to dangerous malware.
Clicking on the link takes the Facebook user to a page that often contains a button asking them to click it to confirm they’re over 18 years old. This isn’t uncommon for sites that carry salacious material, such as the supposed Williams photos.
When users click on that button, however, it adds a link to the users’ Facebook profiles saying they “like” the site. Facebook then publishes the “like” to the users’ friends, spreading the worm.
So where’s the threat? So far, the clickjackers apparently haven’t done anything more than force users to unwittingly endorse their websites, but they could easily launch password-stealing Trojans or other malware.
The clickjackers create an “iFrame,” which they layer invisibly over the Facebook site.
An iFrame is an inline frame that places one HTML document in the frame of another.
Frames let developers split an HTML browser window into segments, each of which can show a different document. This reduces bandwidth use because repeating parts of a layout can be used in one frame while variable content, such as a Flash presentation, can be shown in another.
Inline frames, or iFrames, can be the target frame for links defined by other elements, and that’s how the clickjackers used this technology.
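The attack described above works only because the framed site (here, the page carrying the “like” button) lets any other origin embed it in an iFrame. The standard defence is for that site to tell the browser it must not be rendered inside a third-party frame, using the `X-Frame-Options` header and, in current browsers, the Content-Security-Policy `frame-ancestors` directive. The following is an added example, not code from the original article or from Facebook: it builds those headers for a site that should never be framed and includes a small checker that reports whether a given set of response headers actually blocks cross-origin framing. The `allowedOrigins` parameter and the sample header maps are constructed for illustration.

```javascript
// Added example (not from the original article): server-side anti-framing
// headers plus a checker for whether a response's headers block framing.

// Build the anti-framing response headers for a page that should not be
// embedded by other sites. `allowedOrigins` is an assumed parameter listing
// origins that may legitimately frame the page (empty = none at all).
function antiFramingHeaders(allowedOrigins = []) {
  const ancestors = allowedOrigins.length
    ? ["'self'", ...allowedOrigins].join(' ')
    : "'none'";
  return {
    // Current browsers honor Content-Security-Policy frame-ancestors.
    'Content-Security-Policy': `frame-ancestors ${ancestors}`,
    // Legacy fallback for older browsers; only DENY and SAMEORIGIN are portable.
    'X-Frame-Options': allowedOrigins.length ? 'SAMEORIGIN' : 'DENY',
  };
}

// Evaluate a response header map (any key casing) and report whether it
// prevents cross-origin framing. Returns { protected, reason }.
function assessFramingProtection(headers) {
  const lower = {};
  for (const [k, v] of Object.entries(headers)) lower[k.toLowerCase()] = String(v);

  // CSP frame-ancestors takes precedence over X-Frame-Options when present.
  const csp = lower['content-security-policy'] || '';
  const directive = csp
    .split(';')
    .map((s) => s.trim())
    .find((s) => s.startsWith('frame-ancestors'));
  if (directive) {
    const sources = directive.split(/\s+/).slice(1);
    if (sources.includes('*')) {
      return { protected: false, reason: 'frame-ancestors allows any origin' };
    }
    if (sources.some((s) => s === 'http:' || s === 'https:')) {
      return { protected: false, reason: 'frame-ancestors scheme source allows any origin on that scheme' };
    }
    return { protected: true, reason: `frame-ancestors restricts embedding to: ${sources.join(' ')}` };
  }

  const xfo = (lower['x-frame-options'] || '').toUpperCase().trim();
  if (xfo === 'DENY' || xfo === 'SAMEORIGIN') {
    return { protected: true, reason: `X-Frame-Options ${xfo}` };
  }
  if (xfo.startsWith('ALLOW-FROM')) {
    return { protected: false, reason: 'ALLOW-FROM is not honored by current browsers' };
  }
  return { protected: false, reason: 'no anti-framing header present; page can be framed by any site' };
}

// Constructed sample responses: an unprotected page (the situation the
// article describes) and the same page served with the headers above.
const unprotected = { 'Content-Type': 'text/html' };
const hardened = { 'Content-Type': 'text/html', ...antiFramingHeaders() };

if (typeof require !== 'undefined' && require.main === module) {
  console.log(assessFramingProtection(unprotected));
  console.log(assessFramingProtection(hardened));
}
```

Run it with `node` to see the two verdicts. The checker deliberately treats a bare `*` or a scheme-only source in `frame-ancestors` as unprotected, since either lets any site embed the page; note that the headers must be sent on every framable response (including the one carrying the button), not just the site’s front page, and that in-page JavaScript “frame-busting” is a weaker substitute because an embedding page can interfere with it.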
Preventing clickjacking attacks requires that users trust no one.
“Break the inherent trust you have for friends’ and family’s online profiles,” Correll recommended. “We should ask ourselves, ‘Will my friend or family member really post that?’ before clicking on something.”
Don’t click on suspicious links, even if they’ve been sent or posted by friends.
Posted by Pamela Louderback