Jump to content

Malwarebytes Warns About New Facebook Attack


Recommended Posts

  • Staff

A new Facebook social-engineering attack/distribution vector is making the rounds today. Less than twelve hours after its inception, over 100,000 Facebook users have already fallen victim to this attack. It does not appear to deliver any malicious payload yet, and may be a "test" of a Facebook-based attack vector. The attack takes advantage of the Facebook "Like" plugin.

You may have seen or clicked on links on Facebook that look something like:

"This man takes a picture of himself EVERYDAY for 8 YEARS!!"

"LOL This girl gets OWNED after a POLICE OFFICER reads her STATUS MESSAGE."

"The Prom Dress That Got This Girl Suspended From School."

"This Girl Has An Interesting Way Of Eating A Banana, Check It Out!"

These links appear in your News Feed because one of your friends has "Liked" the link. The News Feed will say something like "<friend> likes <page>", where <page> is a link like the ones above. The links point to throwaway Blogspot pages and others such as:

hxxp://girlownedbypolicelike.blogspot.com

hxxp://manpictureofhimselflike.blogspot.com

hxxp://www.thedatesafe.com/man

and others (links above have been munged to avoid accidental clicks).

The pages are labeled "Click to continue" and contain full-page transparent inline frames ("iframes"). If the user clicks anywhere on the page, a request is made to the Facebook "Like" plugin to add the page to the current user's Facebook profile. The upshot is that the current Facebook user will "Like" the linked page, which will automatically rebroadcast the link to others via the user's profile. This is evident from an examination of the page's source:

<iframe allowTransparency='true' frameborder='0' id='fbframe' name='fbframe' scrolling='no' src='hxxp://www.facebook.com/plugins/like.php?href=http://girlownedbypolicelike.blogspot.com/' style='border:none; overflow:hidden; width:50px; height:23px;'></iframe>

This is an old trick. What is surprising is that the pages do not seem to deliver any other malicious payloads yet. They seem only to propagate themselves. Perhaps a payload will be added later, after the attack's author is convinced that its distribution is wide enough. Or perhaps this is a "test run" of this attack, testing it as a potential distribution vector for future malicious content.

Either way, beware. Facebook users, don't click on suspicious links, even in your friends' profiles and News Feeds. Beware of any page that contains an invitation to "Click to continue." Although this attack does not steal any passwords or other personal data, change your passwords regularly and do not use the same password for every account at every web site.

If you have already clicked on a link like the ones above, go to your Facebook profile page, locate your "Recent Activity" in your News Feed, and remove any entries related to these links. Then click on the Info tab, and next to "Likes and Interests" click on "Edit". Click "Show Other Pages", and click "Remove Page" for each of the malicious links. Then click "Close" and "Save Changes".

Finally, to the Facebook team: please fix the security hole that this attack exploits. Before the "Like" plugin can add data to the user's profile, the user should get a prompt for explicit approval. At the very least, this should be implemented for anything "Liked" on a third-party (i.e. non-Facebook.com) web site. And the user should be able to opt-out or disable the "Like" plugin entirely. Facebook team, please help us promote security on the Internet.

Link to post

Thanks for the headsup ! I have retweeted this.

Finally, to the Facebook team: please fix the security hole that this attack exploits. Before the "Like" plugin can add data to the user's profile, the user should get a prompt for explicit approval. At the very least, this should be implemented for anything "Liked" on a third-party (i.e. non-Facebook.com) web site. And the user should be able to opt-out or disable the "Like" plugin entirely. Facebook team, please help us promote security on the Internet.

I agree, users should get more aware of what they're actually liking or approving. By implementing an extra prompt this would be an improvement for Facebook's security.

Link to post

I never trusted "Liked" links as I know they can lead to un-wanted sites.

I warn my friends to not use "Liked" as they could infect their system with something they do not expect. :)

Link to post

Thanks SwanDog for the alert :)

Will re-alert

I'm tellin' ya, one of these days.... FB will just have to go for me...

Edit: Apparently there's an error on FB... can't even post a note about this... ::grumble:: So I posted a status update.

Second Edit: One of my friends has already fallen victim... but she has a Mac, so hopefully this isn't targeting Macs (yet anyway...).

Link to post
  • Staff
Second Edit: One of my friends has already fallen victim... but she has Mac, so hopefully this isn't targeting Macs (yet anyway...).

It isn't "targeting" any platform in particular, because there is no malicious payload yet. But even if there were a Windows-only payload added at some later time, any Facebook user is vulnerable to being tricked into rebroadcasting the infected links by "Liking" them -- which is the point of this exploit. This includes Facebook users on Linux and Mac platforms, among others.

Link to post

SwanDog,

That's true, I hadn't realized that it wasn't quite an attack -- yet -- but after I read your post a second time then I understood that.

Anyway, hopefully this doesn't get worse.

Thanks for the reply :)

Link to post
As a practical matter, yes. It requires a browser that implements the iframe, but to my knowledge every major browser does.

Some browsers have odd restrictions on iFrames, but I don't know if that would block this "attack vector". I think it's safe to assume that it will work in all browsers that support iFrames.

Link to post
  • Staff

Hi there! :)

This is an old trick. What is surprising is that the pages do not seem to deliver any other malicious payloads yet. They seem only to propagate themselves

Maybe to bypass AV detection in a first time?

So in fact this is not facebook (official) page/group but just a link to blogs? I'll try to see if I can test it in VM...

Sorry if I didn't understand but english is'not my native language :)

Link to post
Firefox Users

In the address bar go to about:config

In the Filter: browser.frames.enabled

Double click the value to toggle from true to false.

JLYK.

As AdvancedSetup says - that's going to block them all incl ones you want.

A better option may be to use NoScript and disable i-frames in the settings - then you can allow them temporarily on other sites as needed on an individual site AND individual i-frame basis. I don't use Facebook but I do block all i-frames and all objects normally (including on trusted sites) and just allow what I need/trust. That works really well for me.

Link to post
  • 4 weeks later...
Guest
This topic is now closed to further replies.
  • Recently Browsing   0 members

    • No registered users viewing this page.
Back to top
×
×
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.