Facebook clickjacking scam tries to rip off users
Posted on 18 August 2010.
If you happen to see a post on your friends' Facebook pages about "Top 10 Funny T-Shirt Fails ROFL", don't fall for it.

It's just another scheme to hijack your click and use it to make you post the same thing on your page without your knowledge. Also, if you follow the steps you are required to follow in order to view the "funny pictures", you can be saddled with a $5 per week charge for a phone service you didn't ask for.

The scheme works like this:

You go to the "Top 10 Funny.." Facebook page, which immediately after loading grabs a malicious script that makes you share the page on your profile without your knowledge. In the meantime, it presents to you a box that says that you have to complete three steps in order to prove that you're human and not a bot.

The human verification process also requires you to complete a survey:

A Sophos researcher say that this is the moment when a script detection plugin (he uses NoScript) will likely warn you about a potential clickjacking attempt:

If you don't use any, you might not notice that the offending post is now on you profile page trying to trick your friends into clicking on it.

In the meantime, if you fill up one of the surveys offered, you will probably be asked to give up your mobile phone number. If you are unfamiliar with this kind of scam, you'll fail to notice that the fine print says that if you do so, you are automatically signing up for an auto renewing subscription service that charges you $5 per week via your cell phone provider.


Pen-testing drone searches for unsecured devices

You're sitting in an office, and you send a print job to the main office printer. You see or hear a drone flying outside your window. Next thing you know, the printer buzzes to life and, after spitting out your print job, it continues to work and presents you with more filled pages than you expected.

Weekly newsletter

Reading our newsletter every Monday will keep you up-to-date with security news.

Daily digest

Receive a daily digest of the latest security news.

Fri, Oct 9th