Click-jacking is spreading on Facebook

If your Facebook friends are recommending strange videos to you, they may have become the victims of a new scam. On Facebook, a scamming technique called "like-jacking" is currently spreading like the plague. Every week, the German-language Facebook universe alone, for example, witnesses several video pages that use a trick to collect hundreds of thousands of fans within only a few hours.

The phenomenon isn't really new, and neither is the trick. It consists of loading a small, almost invisible window with a Facebook "Like" button. A script then makes sure that this iFrame is always positioned right underneath the mouse pointer. Interested users who, for instance, try to start a video will click on the invisible "Like" button instead. As these users are already logged into Facebook, they post the message that they liked this video to all their friends.

The following video uses the Web Developer Firefox extension to expose this trick:

The rest is only a matter of social engineering skills. A sensational title like "Caught stripping on web cam" already attracts enough attention to spread virally through the Facebook network. Most victims don't even realise that they have fallen for a trick and recommended the video to their friends.

So far, these pages have limited themselves just to being proliferated. The required "Like" function can even be embedded by external web pages via the Facebook API, and it doesn't require any user confirmation. First tests also indicate that the problem is dependent on the browser. While the trick worked smoothly in Internet Explorer 7 under Windows XP, clicking in Firefox or Chrome did not result in a Facebook status post.

(crve)