Clickjackers seize opportunity to corrupt Facebook ‘Like’ buttons

Cybercriminals have found a new way to profit in the wake of Facebook’s  drive to lower the bar on privacy.

They’ve begun spreading corrupted Facebook “Like” buttons. The end game: turn  Facebook users into  unwitting accomplices in a cutting-edge click fraud caper,  according to Panda Security.

See top story: Facebook continues drive to lower privacy

Facebook launched Like buttons in early 2009. The tiny thumbs-up icons appears alongside news stories, videos and other content on numerous popular websites, including Huffington Post, CNN, ESPN and Yelp. If you click on such an icon and are one of Facebook’s 500 million  users, an identical  thumbs-up icon will automatically embed on your profile page along with a link to the content. This signals your friends that you think the content is worthwhile checking out.

Uncorrupted Facebook 'Like' buttons

Privacy advocates are critical of Like buttons because they happen to also enable Facebook to track people as they switch from one web site to the next, supplying information about online behavior that’s salable to advertisers.

And now cyber scammers have figured out how to cause malicious Like buttons to turn up on Facebook users’ profile pages. They begin by manipulating a Facebook account for which they’ve stolen the username and password, typically one that has a long list of friends. The initial step: embed a Like button with an enticing link on the profile page of that account. The link touts a hot topic — examples include news about the popular game Farmville or the hit movie Sex and the City 2, says Panda Labs rearcher Sean-Paul Correll, who has intercepted and examined samples.

Clicking on the link takes you to a web page filled with online ads. This confirms you’ve got a problem, says Correll. Unseen to you, a malicious program will embed a similarly-corrupted Like button on your Facebook profile page.

The scammers are using a technique called “clickjacking” to amass clicks and generate  payments from online advertisers. Facebook spokesman Simon Axten says clickjacking stems from security weaknesses in web browsers and is not specific to Facebook. “We can’t technically prevent it completely, but we’re always working to improve our systems,” says Axten. “And we continue to build additional protections to mitigate its impact.”

For the moment, the Facebook clickjacking attacks appear to be limited to defrauding online advertisers, says Correll.  But he says there is little stopping clickjackers  from spreading Like buttons with links that trigger promos for worthless antivirus, known as scareware.

“Currently these attacks are being used only to generate advertising revenue,” he says. “It’s likely they will be replaced by much more lucrative attacks in the near future, such as spreading scareware.”

Facebook is “involved in discussions with others in the industry on how to fix the underlying issue on the browser side,” says Axten. “As always, we’re advising people to use caution online and to not click on suspicious-looking links, even if they’ve been sent or posted by friends.”

Meanwhile, no one expects Facebook to pull back on features such as the Like button that drive toward CEO Mark Zuckerberg’s goal to make  the Web, as Zuckerberg puts it,  “more social.”

Facebook’s Like button “does support their business model,” says Correll. “Facebook needs to figure out how to target online advertisements to specific groups of consumers. But it definitely does lower privacy as well.”

It appears lower privacy translates into greater opportunity for the bad guys.

By Byron Acohido