Facebook clickjacking scam tries to rip off users
Posted on 18 August 2010.
If you happen to see a post on your friends' Facebook pages about "Top 10 Funny T-Shirt Fails ROFL", don't fall for it.

It's just another scheme to hijack your click and use it to make you post the same thing on your page without your knowledge. Also, if you follow the steps you are required to follow in order to view the "funny pictures", you can be saddled with a $5 per week charge for a phone service you didn't ask for.

The scheme works like this:

You go to the "Top 10 Funny.." Facebook page, which immediately after loading grabs a malicious script that makes you share the page on your profile without your knowledge. In the meantime, it presents to you a box that says that you have to complete three steps in order to prove that you're human and not a bot.

The human verification process also requires you to complete a survey:

A Sophos researcher say that this is the moment when a script detection plugin (he uses NoScript) will likely warn you about a potential clickjacking attempt:

If you don't use any, you might not notice that the offending post is now on you profile page trying to trick your friends into clicking on it.

In the meantime, if you fill up one of the surveys offered, you will probably be asked to give up your mobile phone number. If you are unfamiliar with this kind of scam, you'll fail to notice that the fine print says that if you do so, you are automatically signing up for an auto renewing subscription service that charges you $5 per week via your cell phone provider.


Infosec management strategies and the modern CTO

Posted on 21 January 2015.  |  Brandon Hoffman, Lumeta's CTO, talks about the management strategies that are essential in the information security industry. He also offers advice to those stepping into the CTO role for the first time, and talks about the evolution of network situational awareness.

Weekly newsletter

Reading our newsletter every Monday will keep you up-to-date with security news.

Daily digest

Receive a daily digest of the latest security news.

Fri, Jan 23rd