The mere mention of anything with a sex connotation on Facebook almost always begets some major activity, with people wanting to know more. As a result, whatever the attack vector or channel might be is propagated, and the attacker is sure to get some response.
In this example a Facebook click-jacking attack jumped on the bandwagon of Italian model Marika Fruscio's unfortunate incident with a wardrobe malfunction on live TV. The title of the scam on Facebook was "The beautiful Marika Fruscio shows her breasts on Italian TV!", which almost sounds like it was staged as opposed to an accident. Whatever the theory, the interesting part of this attack is what happens when someone clicks on the provided link to watch the embedded video.
The example seems harmless as upon clicking the link, the user is directed to another page where they can view the video. While this is happening, the user's account is being exploited to post the video on their homepage to distribute. The user is also added to the list of those who like the video, consequently encouraging others to view this. The series of steps involved is shown below.
An infected account shows the advert as being liked either by a friend or contact within your Facebook account:
The user is then directed to the page below to view the video. Unknown to the user, there are hidden elements and iframes within the HTML code, located at the Play button, which directly access the user's 'like' option within Facebook . These hidden elements are where the magic of click-jacking, or shall we say like-jacking, happens.
Innocent-looking page as seen by the user:
Riddled page with hidden elements and iframe superimposed on the Play button and various parts of the page:
On clicking the Play button, two events take place. The first is that the user's Facebook account accepts 'liking' the video, with the video being posted on their wall as a result. The second is that the video plays Marika Fruscio's wardrobe malfunction on live TV.
Below is the screen the user is presented with if they are not already logged in to Facebook:
The compromised account then displays a video link on the user's wall encouraging others to view this.
There are several reasons for this type of attack and in this instance although there is nothing apparently malicious, it brings to mind the elaborate ploy where an attacker uses this means to earn some money. Pay-per-click springs to mind, as attackers for these scams usually get the user to click on hidden links in order to get many hits, which then rewards the attacker with money.
Further analysis using our in-house tools on spontour.net shows the various links and how they are interconnected.
To protect yourself from attacks such as these, and also from posts like this being posted on your wall, try our free Defensio Facebook app.
