
Can’t Believe A Girl Did This Because of Justin Bieber? You Shouldn’t

By Anonymous  •  February 28th, 2011  •   Cybercrime

We are currently monitoring a Facebook “likejacking” scam that is similar to previous campaigns that were first observed in 2010.

Justin Bieber Likejacking Scam Spreads on Facebook


“Likejacking” is a term used specifically for a “clickjack” that leads an end user to unknowingly “like” a website on the social network Facebook. By tricking users into liking the page, a post is published to their Facebook walls, where their friends and family can see it.

This particular campaign leads a user to a phony YouTube look-alike page (FouTube), which was generated for this Justin Bieber campaign.

FouTube (Fake YouTube) Page


A hidden iframe overlays the FouTube player, so a click anywhere on it triggers the “likejacking”: the page is “liked” under the victim’s account and the scam campaign spreads further.
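The overlay described above is a stylistic pattern a defender can look for: an iframe that is positioned over other content yet rendered invisible. The following is an added example, not code from the original post or from M86 Security Labs. It parses an HTML document and flags iframes whose inline style both hides them (zero opacity, `visibility:hidden`, or the old IE `alpha(opacity=...)` filter) and stacks them over the page. The sample page, the `social.example` and `videos.example` URLs and the element ids are constructed for the demonstration and are not taken from the scam page.

```python
"""Heuristic scanner for hidden-iframe ("likejacking" / clickjacking) overlays.

Added example; not code from the original post or from M86 Security Labs.
It flags <iframe> elements whose inline style makes them effectively
invisible while still being layered over other page content.
"""
from html.parser import HTMLParser
import re

# Constructed sample page mimicking the structure the post describes:
# a fake video player with a transparent iframe stacked on top of it.
# All URLs here are placeholders, not real endpoints.
SAMPLE_HTML = """
<html><body>
<div id="player" style="position:relative;width:640px;height:360px;">
  <img src="thumb.jpg" alt="Please watch this video only if you are 16 or older">
</div>
<iframe src="https://social.example/like-plugin?page=scam"
        style="position:absolute; top:120px; left:200px; width:100px; height:30px;
               opacity:0; z-index:1000;"></iframe>
<iframe src="https://videos.example/embed/abc" width="560" height="315"></iframe>
</body></html>
"""


def parse_style(style):
    """Turn 'a:b; c:d' into a dict with lower-cased keys and stripped values."""
    props = {}
    for decl in style.split(";"):
        if ":" in decl:
            key, _, value = decl.partition(":")
            props[key.strip().lower()] = value.strip().lower()
    return props


def is_hidden_overlay(props):
    """True when the style both hides the frame and layers it over content."""
    hidden = False
    opacity = props.get("opacity")
    if opacity is not None:
        try:
            hidden = float(opacity) <= 0.1
        except ValueError:
            pass  # non-numeric opacity: ignore rather than guess
    if props.get("visibility") == "hidden":
        hidden = True
    # Legacy IE syntax: filter:alpha(opacity=0)
    m = re.search(r"alpha\(opacity\s*=\s*(\d+)\)", props.get("filter", ""))
    if m and int(m.group(1)) <= 10:
        hidden = True
    layered = props.get("position") in ("absolute", "fixed")
    return hidden and layered


class IframeScanner(HTMLParser):
    """Collects iframes whose inline style looks like a hidden overlay."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "iframe":
            return
        attrs = dict(attrs)
        props = parse_style(attrs.get("style") or "")
        if is_hidden_overlay(props):
            self.findings.append({"src": attrs.get("src", ""), "style": props})


def scan_for_hidden_iframes(html):
    """Return a list of findings, one per suspicious iframe."""
    scanner = IframeScanner()
    scanner.feed(html)
    scanner.close()
    return scanner.findings


if __name__ == "__main__":
    for finding in scan_for_hidden_iframes(SAMPLE_HTML):
        print("suspicious hidden overlay iframe:", finding["src"])
```

The check is deliberately conservative: an iframe that is merely transparent but not absolutely or fixed positioned is not reported, since it cannot sit over other content, and styles applied through external stylesheets are out of scope for a static inline-style pass. Run it over a saved copy of a page you are triaging; the visible video embed in the sample is not flagged, the transparent overlay is.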

Duped User Now Spreads The Scam via their Facebook Wall


By the time it was discovered, the scam had already racked up 19,500 “likes”.

19,500+ Likes for Justin Bieber Scam Page


To keep the ruse going, users are then presented with a dialog box that looks like a standard Facebook dialog box. However, this one asks the user to verify his or her age in order to view the content:

Security Check Dialog Box - Verify Your Age


This tactic pays, literally: it convinces the user to visit one of these sites and complete a survey, which earns the scammer an affiliate bonus. Most scams on Facebook lead the user to some variant of the survey scam, something we noted in our recent second half 2010 recap report.

Want Low Rates on Auto Insurance? You won't find them here.


Digging a little deeper, we can see that this campaign is also spreading through status updates.

Facebook Status Updates for Justin Bieber Scam using a URL Shortener

The URL Shortener used here (stump.ws) has been used in previous scam campaigns that have been observed on Facebook.

The majority of Facebook scam campaigns tend to feature a controversial or shocking headline. In this case, it leverages a popular personality like Justin Bieber along with an obscure headline that has to do with a girl, perhaps a fan of his. This is usually enough to entice users to click the link and lead them to the scam page.

Same Template, Different Subject, Same Scam

Above is a variant of this scam that uses the same template. It was discovered on a “.info” domain that contained the word “bieber” in it. We believe the scammers may have gotten lazy with this particular version by forgetting to change the subject.

11,000+ Likes for another Justin Bieber "Likejacking" Scam

Before this blog post was completed, Facebook had stopped the original offending likejacking page after it racked up over 20,000 likes. However, multiple variants of this scam continue to spread. One variant in particular went from 7,500 likes to over 11,000 in the span of an hour. (Edit: It has now reached 20,000 likes in just a few hours and continues to spread.)

What can you do? If you or someone you know has been tricked by one of these scams, be sure to reach out to your friends and family and let them know as soon as you can. If it sounds outlandish, 9 times out of 10 it probably is. Therefore, it’s best to be aware that these types of scams are out there and to warn others when you do come across them.

NoScript warns users of attempted clickjacking


Another option for those wanting to be safe from “likejacking” and clickjacking attacks in general is to run the NoScript browser extension for Mozilla Firefox. Using this extension will provide a warning dialog box in the event of a potential clickjack.

Social networks have been a popular target over the last few years, and these recurring types of scams show why that won’t change anytime soon.

One Response to “Can’t Believe A Girl Did This Because of Justin Bieber? You Shouldn’t”

  1. [...] M86 Security Labs has branded it a “likejacking” scam (a play on the term clickjacking, which means prompting a victim to click something while a different action is taken behind the scenes) and said it was similar to previous campaigns that were first observed last year. Clicking the link leads to a FouTube page, a fake version of YouTube, that says “Please Watch this video only if you are 16 years or older.” The FouTube player video window is overlaid with a hidden iframe; clicking on it anywhere will submit a Facebook Like and spread the post on the victim’s Facebook page. [...]