Wayne in BC
New member
From Malwarebytes security forum this morning..........
_____________________________________________________________
A new Facebook social-engineering attack/distribution vector is making the rounds today. Less than twelve hours after its inception, over 100,000 Facebook users have already fallen victim to this attack. It does not appear to deliver any malicious payload yet, and may be a "test" of a Facebook-based attack vector. The attack takes advantage of the Facebook "Like" plugin.
You may have seen or clicked on links on Facebook that look something like:
QUOTE
"This man takes a picture of himself EVERYDAY for 8 YEARS!!"
"LOL This girl gets OWNED after a POLICE OFFICER reads her STATUS MESSAGE."
"The Prom Dress That Got This Girl Suspended From School."
"This Girl Has An Interesting Way Of Eating A Banana, Check It Out!"
These links appear in your News Feed because one of your friends has "Liked" the link. The News Feed will say something like "<friend> likes <page>", where <page> is a link like the ones above. The links point to throwaway Blogspot pages and others such as:
hxxp://girlownedbypolicelike.blogspot.com
hxxp://manpictureofhimselflike.blogspot.com
hxxp://www.thedatesafe.com/man
and others (links above have been munged to avoid accidental clicks).
The pages are labeled "Click to continue" and contain full-page transparent inline frames ("iframes"). If the user clicks anywhere on the page, a request is made to the Facebook "Like" plugin to add the page to the current user's Facebook profile. The upshot is that the current Facebook user will "Like" the linked page, which will automatically rebroadcast the link to others via the user's profile. This is evident from an examination of the page's source:
CODE
<iframe allowTransparency='true' frameborder='0' id='fbframe' name='fbframe' scrolling='no' src='hxxp://www.facebook.com/plugins/like.php?href=http://girlownedbypolicelike.blogspot.com/' style='border:none; overflow:hidden; width:50px; height:23px;'></iframe>
This is an old trick. What is surprising is that the pages do not seem to deliver any other malicious payloads yet. They seem only to propagate themselves. Perhaps a payload will be added later, after the attack's author is convinced that its distribution is wide enough. Or perhaps this is a "test run" of this attack, testing it as a potential distribution vector for future malicious content.
Either way, beware. Facebook users, don't click on suspicious links, even in your friends' profiles and News Feeds. Beware of any page that contains an invitation to "Click to continue." Although this attack does not steal any passwords or other personal data, change your passwords regularly and do not use the same password for every account at every web site.
If you have already clicked on a link like the ones above, go to your Facebook profile page, locate your "Recent Activity" in your News Feed, and remove any entries related to these links. Then click on the Info tab, and next to "Likes and Interests" click on "Edit". Click "Show Other Pages", and click "Remove Page" for each of the malicious links. Then click "Close" and "Save Changes".
Finally, to the Facebook team: please fix the security hole that this attack exploits. Before the "Like" plugin can add data to the user's profile, the user should get a prompt for explicit approval. At the very least, this should be implemented for anything "Liked" on a third-party (i.e. non-Facebook.com) web site. And the user should be able to opt-out or disable the "Like" plugin entirely. Facebook team, please help us promote security on the Internet.
--------------------
Doug Swanson
Malwarebytes VP of Development
_____________________________________________________________
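The trick described in the quoted post is clickjacking: a social-plugin frame that is made transparent so that any click on the decoy page lands on the hidden "Like" button. The following scanner is an added example, not part of the post and not Malwarebytes code. It walks the iframes in a page with Python's stdlib HTML parser and reports those that embed the Like plugin endpoint quoted above (`/plugins/like.php`) while also carrying a signal that the frame is meant to be invisible (`allowTransparency='true'`, a near-zero CSS `opacity`, or the legacy `filter:alpha(opacity=0)`). The sample HTML is constructed; the `example.invalid` hostnames are placeholders.

```python
"""Flag transparent social-plugin iframes, the building block of "Like"
clickjacking. Added example (not from the forum post); sample HTML below is
constructed and the example.invalid hostnames are placeholders.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Plugin endpoints that are legitimately framed but should stay visible.
# Only the path quoted in the post is listed here.
PLUGIN_PATHS = ("/plugins/like.php",)


def parse_style(style):
    """Turn 'a: b; c: d' into {'a': 'b', 'c': 'd'} (names/values lower-cased)."""
    props = {}
    for decl in style.split(";"):
        if ":" in decl:
            name, _, value = decl.partition(":")
            props[name.strip().lower()] = value.strip().lower()
    return props


def transparency_reasons(attrs):
    """Return the attribute/CSS signals that make an iframe hard to see."""
    reasons = []
    if attrs.get("allowtransparency", "").lower() == "true":
        reasons.append("allowTransparency=true")
    style = parse_style(attrs.get("style", ""))
    opacity = style.get("opacity")
    if opacity is not None:
        try:
            if float(opacity) < 0.1:
                reasons.append(f"opacity:{opacity}")
        except ValueError:
            pass  # non-numeric opacity: ignore rather than guess
    if "opacity=0" in style.get("filter", "").replace(" ", ""):
        reasons.append("filter:alpha(opacity=0)")
    return reasons


def is_social_plugin(src):
    """True if src points at one of the known plugin endpoints."""
    parsed = urlparse(src)
    return parsed.scheme in ("http", "https") and parsed.path.lower() in PLUGIN_PATHS


class IframeCollector(HTMLParser):
    """Collect the attribute dict of every <iframe> in the document."""

    def __init__(self):
        super().__init__()
        self.iframes = []

    def handle_starttag(self, tag, attrs):
        # HTMLParser lower-cases tag and attribute names for us.
        if tag == "iframe":
            self.iframes.append({name: (value or "") for name, value in attrs})


def find_clickjacking_frames(html):
    """Return [{'id', 'src', 'reasons'}] for plugin iframes that are hidden."""
    collector = IframeCollector()
    collector.feed(html)
    findings = []
    for attrs in collector.iframes:
        src = attrs.get("src", "")
        if not is_social_plugin(src):
            continue  # a hidden frame of something else is not this pattern
        reasons = transparency_reasons(attrs)
        if reasons:
            findings.append({"id": attrs.get("id", ""), "src": src, "reasons": reasons})
    return findings


# Constructed sample: two hidden plugin frames, one visible plugin frame,
# and one hidden frame that is not a plugin at all.
SAMPLE_HTML = """
<html><body>
<p>Click to continue</p>
<iframe allowTransparency='true' frameborder='0' id='fbframe' name='fbframe' scrolling='no'
 src='http://www.facebook.com/plugins/like.php?href=http://example.invalid/'
 style='border:none; overflow:hidden; width:50px; height:23px;'></iframe>
<iframe id="overlay" src="https://www.facebook.com/plugins/like.php?href=http://example.invalid/"
 style="opacity:0; position:absolute; top:0; left:0; width:100%; height:100%"></iframe>
<iframe id="visible" src="https://www.facebook.com/plugins/like.php?href=http://example.invalid/"
 style="border:none; width:450px; height:80px"></iframe>
<iframe id="other" src="http://example.invalid/banner" style="opacity:0"></iframe>
</body></html>
"""

if __name__ == "__main__":
    for hit in find_clickjacking_frames(SAMPLE_HTML):
        print(f"{hit['id'] or '<no id>'}: {hit['src']} -> {', '.join(hit['reasons'])}")
```

Run against the sample, the scanner reports `fbframe` (the post's `allowTransparency` pattern) and `overlay` (CSS opacity), and stays quiet about the visible plugin frame and the unrelated hidden banner. Pairing the plugin-endpoint check with a transparency signal is what keeps the false-positive rate down: plenty of pages legitimately embed the Like button, and plenty of pages hide iframes for reasons that have nothing to do with clickjacking.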