Swandog46

Malwarebytes Warns About New Facebook Attack

41 posts in this topic

A new Facebook social-engineering attack/distribution vector is making the rounds today. Less than twelve hours after its inception, over 100,000 Facebook users have already fallen victim to this attack. It does not appear to deliver any malicious payload yet, and may be a "test" of a Facebook-based attack vector. The attack takes advantage of the Facebook "Like" plugin.

You may have seen or clicked on links on Facebook that look something like:

"This man takes a picture of himself EVERYDAY for 8 YEARS!!"

"LOL This girl gets OWNED after a POLICE OFFICER reads her STATUS MESSAGE."

"The Prom Dress That Got This Girl Suspended From School."

"This Girl Has An Interesting Way Of Eating A Banana, Check It Out!"

These links appear in your News Feed because one of your friends has "Liked" the link. The News Feed will say something like "<friend> likes <page>", where <page> is a link like the ones above. The links point to throwaway Blogspot pages and others such as:

hxxp://girlownedbypolicelike.blogspot.com

hxxp://manpictureofhimselflike.blogspot.com

hxxp://www.thedatesafe.com/man

and others (links above have been munged to avoid accidental clicks).

The pages are labeled "Click to continue" and contain full-page transparent inline frames ("iframes"). If the user clicks anywhere on the page, a request is made to the Facebook "Like" plugin to add the page to the current user's Facebook profile. The upshot is that the current Facebook user will "Like" the linked page, which will automatically rebroadcast the link to others via the user's profile. This is evident from an examination of the page's source:

<iframe allowTransparency='true' frameborder='0' id='fbframe' name='fbframe' scrolling='no' src='hxxp://www.facebook.com/plugins/like.php?href=http://girlownedbypolicelike.blogspot.com/' style='border:none; overflow:hidden; width:50px; height:23px;'></iframe>

This is an old trick. What is surprising is that the pages do not seem to deliver any other malicious payloads yet. They seem only to propagate themselves. Perhaps a payload will be added later, after the attack's author is convinced that its distribution is wide enough. Or perhaps this is a "test run" of this attack, testing it as a potential distribution vector for future malicious content.

Either way, beware. Facebook users, don't click on suspicious links, even in your friends' profiles and News Feeds. Beware of any page that contains an invitation to "Click to continue." Although this attack does not steal any passwords or other personal data, change your passwords regularly and do not use the same password for every account at every web site.

If you have already clicked on a link like the ones above, go to your Facebook profile page, locate your "Recent Activity" in your News Feed, and remove any entries related to these links. Then click on the Info tab, and next to "Likes and Interests" click on "Edit". Click "Show Other Pages", and click "Remove Page" for each of the malicious links. Then click "Close" and "Save Changes".

Finally, to the Facebook team: please fix the security hole that this attack exploits. Before the "Like" plugin can add data to the user's profile, the user should get a prompt for explicit approval. At the very least, this should be implemented for anything "Liked" on a third-party (i.e. non-Facebook.com) web site. And the user should be able to opt-out or disable the "Like" plugin entirely. Facebook team, please help us promote security on the Internet.

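As an added example, not code from the original post or from Facebook, the following Node.js script scans raw page source for the pattern the post describes: a Facebook Like-plugin iframe that the page makes transparent, stretches across the page, or drags under the mouse pointer. The iframe tag inside the constructed attack sample is the one quoted from the page source above; the stylesheet rule that hides it and the mousemove handler that moves it are assumptions about how such pages are usually built, not something taken from the post. The second sample is a constructed, ordinary visible Like embed: since the tag-level attributes (allowTransparency, frameborder=0, border:none) also appear in a normal embed, the scanner keys on how the frame is hidden or moved rather than on those attributes.

```javascript
// Added example, not code from the original post or from Facebook: a static
// scanner for likejacking pages. Runs under Node.js with no dependencies.

const LIKE_PLUGIN_RE = /facebook\.com\/plugins\/like\.php/i;

// Return every <iframe ...> opening tag as a map of lower-cased attributes.
function extractIframes(html) {
  const frames = [];
  const tagRe = /<iframe\b([^>]*)>/gi;
  const attrRe = /([\w-]+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+))/g;
  let m;
  while ((m = tagRe.exec(html)) !== null) {
    const attrs = {};
    let a;
    while ((a = attrRe.exec(m[1])) !== null) {
      attrs[a[1].toLowerCase()] = (a[2] ?? a[3] ?? a[4] ?? '').trim();
    }
    frames.push(attrs);
  }
  return frames;
}

// Concatenate the bodies of all <style> or <script> blocks on the page.
function blockText(html, tag) {
  const re = new RegExp('<' + tag + '\\b[^>]*>([\\s\\S]*?)</' + tag + '>', 'gi');
  let out = '';
  let m;
  while ((m = re.exec(html)) !== null) out += m[1] + '\n';
  return out;
}

// Parse "prop: value; prop: value" into a lower-cased map.
function parseDeclarations(text) {
  const out = {};
  for (const decl of (text || '').split(';')) {
    const i = decl.indexOf(':');
    if (i > 0) out[decl.slice(0, i).trim().toLowerCase()] = decl.slice(i + 1).trim().toLowerCase();
  }
  return out;
}

// Inline style merged with any stylesheet rule that targets the frame's id.
function effectiveStyle(attrs, css) {
  const style = parseDeclarations(attrs.style);
  if (attrs.id) {
    const idEsc = attrs.id.replace(/[.*+?^${}()|[\]\\]/g, '\\$&');
    const ruleRe = new RegExp('#' + idEsc + '\\b[^{]*\\{([^}]*)\\}', 'gi');
    let r;
    while ((r = ruleRe.exec(css)) !== null) Object.assign(style, parseDeclarations(r[1]));
  }
  return style;
}

// Signs that a Like-plugin frame is hidden from, or moved under, the user.
// Attributes an ordinary visible embed also carries (allowTransparency,
// frameborder=0, border:none) are deliberately not counted.
function likejackIndicators(attrs, css, js) {
  if (!LIKE_PLUGIN_RE.test(attrs.src || '')) return [];
  const hits = [];
  const style = effectiveStyle(attrs, css);
  if (style.opacity !== undefined && parseFloat(style.opacity) < 0.1) hits.push('opacity:' + style.opacity);
  if (style.width === '100%' && style.height === '100%') hits.push('full-page');
  if (style.position === 'absolute' || style.position === 'fixed') hits.push('position:' + style.position);
  if (attrs.id && js.includes(attrs.id) && /mousemove/i.test(js)) hits.push('follows-cursor');
  return hits;
}

// Positioning alone is not enough; the frame must be transparent, full-page,
// or cursor-following to be reported.
const HIDING = i => i.startsWith('opacity:') || i === 'full-page' || i === 'follows-cursor';

function scanForLikejacking(html) {
  const css = blockText(html, 'style');
  const js = blockText(html, 'script');
  return extractIframes(html)
    .map(attrs => ({ src: attrs.src || '', indicators: likejackIndicators(attrs, css, js) }))
    .filter(f => f.indicators.some(HIDING));
}

// Constructed attack sample: the iframe tag quoted in the post (URL left
// munged as hxxp), plus an assumed hiding rule and cursor-following script.
const ATTACK_PAGE = `
<html><body><h1>Click to continue</h1>
<iframe allowTransparency='true' frameborder='0' id='fbframe' name='fbframe' scrolling='no' src='hxxp://www.facebook.com/plugins/like.php?href=http://girlownedbypolicelike.blogspot.com/' style='border:none; overflow:hidden; width:50px; height:23px;'></iframe>
<style>#fbframe { opacity: 0; position: absolute; z-index: 9999; }</style>
<script>
document.addEventListener('mousemove', function (e) {
  var f = document.getElementById('fbframe');
  f.style.left = (e.pageX - 10) + 'px';
  f.style.top = (e.pageY - 10) + 'px';
});
</script></body></html>`;

// Constructed benign sample: a visible Like button with the usual attributes.
const BENIGN_PAGE = `
<html><body><p>Our blog</p>
<iframe allowTransparency="true" frameborder="0" scrolling="no" src="hxxp://www.facebook.com/plugins/like.php?href=http://example.com/" style="border:none; overflow:hidden; width:450px; height:35px;"></iframe>
</body></html>`;

console.log(JSON.stringify(scanForLikejacking(ATTACK_PAGE), null, 2));
console.log('benign embed flagged:', scanForLikejacking(BENIGN_PAGE).length > 0); // false
```

The scanner only sees static source, so a page that injects the frame or its styling from an external script after load would need a DOM-level check (for example, inspecting computed opacity and position of any like.php frame in a headless browser); the indicators above are the same ones that check would look for.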

WoW :) I've clicked one of those before. Thanks, I'll look out more :)


Thanks for the heads-up! I have retweeted this.

Finally, to the Facebook team: please fix the security hole that this attack exploits. Before the "Like" plugin can add data to the user's profile, the user should get a prompt for explicit approval. At the very least, this should be implemented for anything "Liked" on a third-party (i.e. non-Facebook.com) web site. And the user should be able to opt-out or disable the "Like" plugin entirely. Facebook team, please help us promote security on the Internet.

I agree, users should get more aware of what they're actually liking or approving. By implementing an extra prompt this would be an improvement for Facebook's security.


Thanks for the update! Facebook just seems to be getting into more issues every day


I never trusted "Liked" links as I know they can lead to unwanted sites.

I warn my friends to not use "Liked" as they could infect their system with something they do not expect. :)


Hey guys. Thank god I haven't clicked on any of those.

Thanks for the heads-up warning.


Thanks. I was affected last week. Or should I say infected.


Thanks Doug. I just added this to my blog as well. :)


Thanks SwanDog for the alert :)

Will re-alert

I'm tellin' ya, one of these days.... FB will just have to go for me...

Edit: Apparently there's an error on FB... can't even post a note about this... ::grumble:: So I posted a status update.

Second Edit: One of my friends has already fallen victim... but she has a Mac, so hopefully this isn't targeting Macs (yet anyway...).


I posted a link to this thread on my wall on Facebook. :)

Thanks Doug! :)


Thanks for sharing this info, I will tell my friends and family! Thanks again!

Second Edit: One of my friends has already fallen victim... but she has a Mac, so hopefully this isn't targeting Macs (yet anyway...).

It isn't "targeting" any platform in particular, because there is no malicious payload yet. But even if there were a Windows-only payload added at some later time, any Facebook user is vulnerable to being tricked into rebroadcasting the infected links by "Liking" them -- which is the point of this exploit. This includes Facebook users on Linux and Mac platforms, among others.


SwanDog,

That's true, I hadn't realized that it wasn't quite an attack -- yet -- but after I read your post a second time then I understood that.

Anyway, hopefully this doesn't get worse.

Thanks for the reply :)


Doug, I assume this "attack vector" is also browser-independent?


As a practical matter, yes. It requires a browser that implements the iframe, but to my knowledge every major browser does.

As a practical matter, yes. It requires a browser that implements the iframe, but to my knowledge every major browser does.

Some browsers have odd restrictions on iFrames, but I don't know if that would block this "attack vector". I think it's safe to assume that it will work in all browsers that support iFrames.


Thanks for the update. Don't really need to worry about that here as I don't use Facebook.


Hi there! :)

This is an old trick. What is surprising is that the pages do not seem to deliver any other malicious payloads yet. They seem only to propagate themselves

Maybe to bypass AV detection at first?

So in fact this is not an (official) Facebook page/group but just a link to blogs? I'll try to see if I can test it in a VM...

Sorry if I didn't understand, but English is not my native language :)


Thanks for the info!


Firefox Users

In the address bar go to about:config

In the Filter: browser.frames.enabled

Double click the value to toggle from true to false.

JLYK.


But that would also disable valid legit content on some sites as well.

Firefox Users

In the address bar go to about:config

In the Filter: browser.frames.enabled

Double click the value to toggle from true to false.

JLYK.

As AdvancedSetup says - that's going to block them all incl ones you want.

A better option may be to use NoScript and disable i-frames in the settings - then you can allow them temporarily on other sites as needed on an individual site AND individual i-frame basis. I don't use Facebook but I do block all i-frames and all objects normally (including on trusted sites) and just allow what I need/trust. That works really well for me.


This has become very common these days...

Thanks for updating us... it will definitely help us, or I should say save our computers from being infected!!!


I have gotten a virus like this, but it has made my cursor freeze. I do not know how to fix this. I'm not an expert on such matters. I don't know how to fix this. Anyone got an idea? :P
