Old scams hiding under new headlines were circulating on Facebook this week, including promises of video involving obsessed Justin Bieber fans.
"I can't believe a GIRL did this because of Justin Bieber," says the post that has been appearing on Facebook walls and status updates.
Clicking the link leads to a fake YouTube-looking page that says "Please Watch this video only if you are 16 years or older," according to an M86 blog post. Hidden behind the video window is an iframe linked to Facebook so that clicking anywhere in the window will submit a "like" click to the page and spread the post on the victim's Facebook page. This is a standard clickjacking attack that is taking advantage of a current hot topic--the teen singer.
The scam doesn't stop there. A fake Facebook dialog box also pops up that asks the victim to verify his or her age by completing a survey with links to sites relating to auto insurance, according to M86.
Facebook was able to stop this scam fairly quickly, but not before it had garnered more than 20,000 likes. Other variants of the scam were spreading, M86 said.
Separately, scammers had rehashed some scams involving offers of free iPads, free Southwest Airlines tickets, and a Miley Cyrus-related video link via posts on the site and e-mail messages. It's unclear exactly how those scams worked and if they involved clickjacking.
Clickjacking prompts a victim to click something while a different action is taken behind the scenes. It takes advantage of a vulnerability in a Web browser and is not specific to Facebook.
If you see a potential or obvious scam on Facebook report it to the person whose account is spreading it, M86 said. The NoScriptFirefox plug-in protects against clickjacking attacks such as this, it added.
Because clickjacking exploits a browser weakness, Facebook can't technically prevent it completely, a Facebook spokesman said. "We continue to build additional protections to mitigate its impact," he said in an e-mail. "We're also involved in discussions with others in the industry on how to fix the underlying issue on the browser side."
Facebook users should be suspicious of anything that looks or feels strange, even if it has been posted by a friend. Facebook offers tips for how to recognize and avoid clickjacking on the "Threats" tab of the Facebook Security Page here.
The company also has developed automated systems to detect and flag Facebook accounts that are likely to be compromised based on suspicious activity like lots of messages sent in a short period of time or messages with links that are known to be bad. Once Facebook detects a phony post it is deleted across the site. The company blocks malicious links from being shared and works with third parties to get phishing and malware sites added to browser blacklists or taken down. And Facebook displays warnings when people click on a link that has been identified as malicious from an e-mail notification.