March 29, 2011

Italian model exposed in Facebook clickjacking attack


The mere mention of anything with a sex connotation on Facebook almost always begets some major activity, with people wanting to know more. As a result, whatever the attack vector or channel might be is propagated, and the attacker is sure to get some response. 

In this example a Facebook clickjacking attack jumped on the bandwagon of Italian model Marika Fruscio's unfortunate incident with a wardrobe malfunction on live TV.  The title of the scam on Facebook was "The beautiful Marika Fruscio shows her breasts on Italian TV!", which almost sounds like it was staged as opposed to an accident.  Whatever the theory, the interesting part of this attack is what happens when someone clicks on the provided link to watch the embedded video. 

The example seems harmless as upon clicking the link, the user is directed to another page where they can view the video.  While this is happening, the user's account is being exploited to post the video on their homepage to distribute.  The user is also added to the list of those who like the video, consequently encouraging others to view this.  The series of steps involved is shown below. 

An infected account shows the advert as being liked either by a friend or contact within your Facebook account:


The user is then directed to the page below to view the video.  Unknown to the user, there are hidden elements and iframes within the HTML code, located at the Play button, which directly access the user's 'like' option within Facebook .  These hidden elements are where the magic of click-jacking, or shall we say like-jacking, happens.


Innocent-looking page as seen by the user: 


Riddled page with hidden elements and iframe superimposed on the Play button and various parts of the page: 



On clicking the Play button, two events take place. The first is that the user's Facebook account accepts 'liking' the video, with the video being posted on their wall as a result. The second is that the video plays Marika Fruscio's wardrobe malfunction on live TV. 


Below is the screen the user is presented with if they are not already logged in to Facebook:


The compromised account then displays a video link on the user's wall encouraging others to view this.  


There are several reasons for this type of attack and in this instance although there is nothing apparently malicious, it brings to mind the elaborate ploy where an attacker uses this means to earn some money.  Pay-per-click springs to mind, as attackers for these scams usually get the user to click on hidden links in order to get many hits, which then rewards the attacker with money.


Further analysis using our in-house tools on spontour.net shows the various links and how they are interconnected.


To protect yourself from attacks such as these, and also from posts like this being posted on your wall, try our freeDefensio Facebook app.


Forcepoint-authored blog posts are based on discussions with customers and additional research by our content teams.

Read more articles by Forcepoint

About Forcepoint

Forcepoint is the leading user and data protection cybersecurity company, entrusted to safeguard organizations while driving digital transformation and growth. Our solutions adapt in real-time to how people interact with data, providing secure access while enabling employees to create value.