Friday, June 18, 2010

Facebook, clickjacking and likejacking

Users of Facebook are falling victim to a new type of attack called “clickjacking” or “likejacking”. Facebook users see links that their friends appear to have liked; some of those currently in circulation include “World Cup 2010” and “This man takes a picture of himself every day for 8 years”. When a Facebook user clicks on one of these links they are taken to another page which asks them to carry out a simple action, such as clicking a button to confirm that they are over 18. When they do this, the link is added to their Facebook profile saying that they “like” the site.

There currently appears to be no malicious intent behind these attacks, but it is not difficult to see how the same trick could be used to install malware on a user’s computer or to perpetrate a phishing attack.

The attack works by using iframes: the attacker’s page loads the target page (here, a Facebook “like” button) inside a transparent iframe and positions it over the visible content, in this case covering the entire page. The user believes they are clicking the visible button, but the click actually lands on the invisible, framed button on top of it. In the attacks seen so far that hidden button is a Facebook “like” button.

Once again, this is going to bring into question the use of social media sites like Facebook within businesses, as quite sophisticated security solutions will be required to prevent attacks of this sort.