We are currently monitoring a Facebook “likejacking” scam that is similar to previous campaigns that were first observed in 2010.
“Likejacking” is a term used specifically to refer to a “clickjack” that leads an end user to unknowingly “like” a website via the social network Facebook. Once a user has been tricked into liking the page, a post is published to his or her Facebook wall, where friends and family can see it.
This particular campaign leads a user to a phony-looking YouTube page (FouTube), which was generated for this Justin Bieber campaign.
A hidden iframe overlays the FouTube player, so if a user attempts to click on any part of it, the “likejacking” occurs, resulting in the “liking” of this page and helping the scam campaign spread.
By the time it was discovered, the scam had already racked up 19,500 “likes”.
In order to keep the ruse going, the users are then presented with a dialog box that looks like an average Facebook dialog box. However, this one asks the user to verify his or her age in order to view this content:
This tactic pays – literally: the user is convinced to visit one of these sites and complete a survey, which earns the scammer an affiliate bonus. Most scams on Facebook tend to lead a user to some variant of the survey scam, something we noted in our recent second-half 2010 recap report.
Digging a little deeper, we can see that this campaign is also spreading through status updates.
The URL shortener used here (stump.ws) has been used in previous scam campaigns observed on Facebook.
The majority of Facebook scam campaigns tend to feature a controversial or shocking headline. In this case, it leverages a popular personality like Justin Bieber along with an obscure headline that has to do with a girl, perhaps a fan of his. This is usually enough to entice users to click the link and lead them to the scam page.
Above is a variant of this scam that uses the same template. It was discovered on a “.info” domain that contained the word “bieber” in it. We believe the scammers may have gotten lazy with this particular version by forgetting to change the subject.
Before this blog post was completed, Facebook managed to stop the original offending likejacking page after it racked up over 20,000 likes. However, multiple variants of this scam continue to spread. One variant in particular increased from 7,500 likes to over 11,000 in the span of an hour. (Edit: It has now reached 20,000 likes in just a few hours and continues to spread.)
What can you do? If you or someone you know has been tricked by one of these scams, be sure to reach out to your friends and family and let them know as soon as you can. If it sounds outlandish, 9 times out of 10 it probably is. Therefore, it’s best to be aware that these types of scams are out there and to warn others when you do come across them.
Another option for those wanting to be safe from “likejacking” and clickjacking attacks in general is to run the NoScript browser extension for Mozilla Firefox. The extension displays a warning dialog box when it detects a potential clickjack.
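NoScript protects the visitor's side. On the site owner's side, the general clickjacking case is closed by telling browsers not to render a page inside a third-party frame, via the X-Frame-Options header or a CSP frame-ancestors directive (the Like button itself must stay frameable, so this applies to a site's own pages, not to Facebook's widget). The check below is an added example written for this post, not code from the original; the header sets it inspects are constructed samples.

```javascript
// Added example: decide whether a response's headers still let an arbitrary
// page frame it, i.e. whether a hidden iframe could be overlaid on it.
// Rule of precedence follows the CSP spec: when frame-ancestors is present
// it wins, and X-Frame-Options is only consulted otherwise.

function parseFrameAncestors(csp) {
  // CSP is a ';'-separated list of directives; return the frame-ancestors
  // sources with quotes stripped, or null if the directive is absent.
  for (const directive of csp.split(";")) {
    const tokens = directive.trim().split(/\s+/);
    if (tokens[0].toLowerCase() === "frame-ancestors") {
      return tokens.slice(1).map((t) => t.replace(/^'|'$/g, "").toLowerCase());
    }
  }
  return null;
}

function framingVerdict(headers) {
  // headers: object mapping lower-cased header names to values
  const csp = headers["content-security-policy"];
  const ancestors = csp ? parseFrameAncestors(csp) : null;
  if (ancestors) {
    if (ancestors.includes("none")) return "blocked";
    if (ancestors.includes("*")) return "frameable";
    return ancestors.length === 1 && ancestors[0] === "self" ? "same-origin" : "restricted";
  }
  const xfo = (headers["x-frame-options"] || "").trim().toUpperCase();
  if (xfo === "DENY") return "blocked";
  if (xfo === "SAMEORIGIN") return "same-origin";
  // No header, or the obsolete ALLOW-FROM that current browsers ignore:
  // any site can frame the page.
  return "frameable";
}

// Constructed sample responses (not captured from any real site).
const SAMPLE_RESPONSES = {
  unprotected: { "content-type": "text/html" },
  xfoDeny: { "x-frame-options": "DENY" },
  cspNone: { "content-security-policy": "default-src 'self'; frame-ancestors 'none'" },
  // frame-ancestors overrides X-Frame-Options, so this one is open despite DENY
  cspOverridesXfo: { "x-frame-options": "DENY", "content-security-policy": "frame-ancestors *" },
};

function auditAll() {
  const out = {};
  for (const [name, headers] of Object.entries(SAMPLE_RESPONSES)) {
    out[name] = framingVerdict(headers);
  }
  return out;
}
```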
Social networks have been a popular target over the last few years, and these recurring types of scams show why that won’t change anytime soon.