Facebook Clickjacking Attack Spreads Troj/iframe-ET Worm Through 'Like' Feature

Ever since Facebook has allowed bloggers and web publishers to add a 'LIKE' button to their posts, it has spread like wildfire. Unfortunately, hackers are now using the links that are supposed to be posted on Facebook users' profiles when they "Like" a specific post to redirect users to a malicious web page that spreads a malicious worm.

The Facebook 'LIKE' button, shown in Figure 1 below, is a fairly new way to essentially "backlink" or recommend something that users like or want to share with others that view their Facebook profile wall. The liked-link usually shows up as hyperlinked text on a users Facebook profile wall as shown in Figure 2. Below.

facebook like button clickjacking attack
Figure 1. Facebook 'LIKE' button

facebook liked hyperlink
Figure 2. Facebook hyperlinked text on a profile from clicking the 'LIKE' button on a web page.

Cybercrooks are now spreading a clickjacking attack through the 'Like' links. Basically, hackers are posting faux 'Like' links on Facebook in hopes that others will click them and be redirected to a blank web page that has the text "Click here to continue" which will spread a dangerous worm once clicked upon.

Security researchers at Sophos first identified the malicious page being infected with the Troj/iframe-ET worm. This worm has been discovered to automatically add "Likes" to your Facebook feed thus quickly spreading itself through Facebook users' recommended pages.

This new Facebook attack only adds to a long list of other issues the social network has faced in just the past few months in addition to privacy concerns. The malicious messages being spread on Facebook this time as part of the clickjacking attack include the following:

  • "LOL This girl gets OWNED after a POLICE OFFICER reads her STATUS MESSAGE"
  • "This man takes a picture of himself EVERYDAY for 8 YEARS!!"
  • "The Prom Dress That Got This Girl Suspended From School"
  • "This Girl Has An Interesting Way Of Eating A Banana Check It Out!"

The worm infection spread from the clickjacking attack seems to be more of a nuisance than anything right now. Because the worm can spread very quickly, it is suggested that users take immediate action to detect and remove the infection with a spyware removal tool before it spreads.

Do you click the "LIKE" button on various posts? Do your friends on Facebook click through recommended links or those that you have "Liked" on other pages?


  • Jaylynn:

    You've hit the ball out the park! Incredible!

  • Laruu:

    Always something to try sukicng people in -- why? Because it works (unfortunately).Someone I know got an email from what looked like their ISP.The email of course had requested the user send them their login details, password, etc to "prove" it was their account otherwise it would be closed.Scare tactics work .. (even if spelling, grammar, etc is bad).People need to be reminded at times that most reputable sites do not send emails asking for login credentials and they do not send attachments to run in order to obtain new passwords.They don't send patches through email either..

Leave a Reply

Please DO NOT use this comment system for support or billing questions. For SpyHunter technical support requests, please contact our technical support team directly by opening a customer support ticket via your SpyHunter. For billing issues, please refer to our "Billing Questions or Problems?" page. For general inquiries (complaints, legal, press, marketing, copyright), visit our "Inquiries and Feedback" page.

HTML is not allowed.