Zscaler ThreatLabZ has seen the number of Likejacking attacks grow to become the most common social engineering threat encountered on Facebook today, with unsuspecting users and their friends falling victim daily. Likejacking is a form of Clickjacking, which causes people to be surreptitiously tricked into clicking one or more hidden links on a web page. With Likejacking, attackers exploit the Facebook "Like" button and other widgets - including the latest announced "Listened," "Watched" and "Read" gestures, game "Challenge" button, and even the "Dislike" button if implemented - by getting people to click them. The "Like" buttons are often hidden transparently behind a "Play" or other button, causing you to click without knowing that you just unintentionally "Liked" something; this causes the content to appear in your friends' News Feeds with a link back to the "Liked" website. The result, as you can imagine, is that it can spread virally very quickly from network to network, enabling the attacker to spread malicious links, propagate spam and conduct other types of social engineering attacks.
"Our findings are consistent with other security researchers, who estimate that approximately 15 percent of Facebook videos alone are, in fact, Likejacking attacks," said Julien Sobrier, senior researcher, Zscaler ThreatLabZ, and developer of the new Zscaler Likejacking Prevention tool. "In 2010, for example, hundreds of thousands of Facebook users fell victim to a single scheme alone."
Sobrier continued: "Attackers are constantly developing and engineering new tactics and, unfortunately, traditional security products often lack the kind of protection users need to defend themselves. As Web 2.0 sites increase their use of social plug-ins such as the Facebook 'Like' button, attackers are shifting to malicious clickjacking techniques, which are not being detected by browsers. Proactive tools like the new Zscaler Likejacking Prevention tool will provide simple yet effective protection against Likejacking and any type of clickjacking impacting Facebook widgets."
According to Michael Sutton, VP of Security Research, "Communication mediums on the Internet have shifted and attackers have quickly adapted. Whereas spam email was once the communication medium of choice for attackers, they now leverage social networks to communicate with victims. Overall, Facebook is a more effective social engineering tool because, when exploited, the communication is coming directly from a trusted source. Unfortunately, browsers remain vulnerable to web-based attacks such as Likejacking, and mobile browsers and traditional security solutions have failed to address this threat."
Zscaler Likejacking Prevention is freely available to everyone today and can be downloaded from http://www.zscaler.com/zscaler_likejacking.html.
And, for more information on Likejacking, please visit the Zscaler ThreatLabZ blog or fast-track to relevant posts by clicking these links:
-- 'LikeJacking' - What is it? -- Facebook Likejacking, phishing and spam -- A bookmarklet to uncover Facebook Likejacking -- The "Dad walks in on Daughter.. EMBARRASSING!" Facebook scams -- Halloween Likejacking Campaign
About Zscaler ThreatLabZ(TM)
Zscaler ThreatLabZ is the global security research team for Zscaler. Leveraging an aggregate view of billions of daily web transaction, from millions of users across the globe, Zscaler ThreatLabZ identifies new and emerging threats as they occur, and deploys protections across the Zscaler Security Cloud in real time to protect customers against advanced threats.
About Zscaler: The Cloud Security Company(TM)
Zscaler enforces business policy, mitigates risk and provides twice the functionality at a fraction of the cost of current solutions, utilizing a multi-tenant, globally-deployed infrastructure. Zscaler's integrated, cloud-delivered security services include Web Security, Mobile Security, Email Security and DLP. Zscaler services enable organizations to provide the right access to the right users, from any place and on any device--all while empowering the end-user with a rich Internet experience. For more information, visit www.zscaler.com.