
Cheerleaders Gone Wild clickjacking tempts Facebook users

Clickjacking attack hid behind content warning and antispam mechanism before posting your prurient interests to all of your friends.

Elinor Mills Former Staff Writer
Elinor Mills covers Internet security and privacy. She joined CNET News in 2005 after working as a foreign correspondent for Reuters in Portugal and writing for The Industry Standard, the IDG News Service and the Associated Press.
 
This Cheerleaders Gone Wild clickjacking attack hid behind a fake content warning. Sophos

A new clickjacking scam was spreading on Facebook luring victims with a purported video of "cheerleaders gone wild," a security expert warned on Thursday before Facebook shut the attack down.

Victims' accounts were posting messages that said "cheerleaders gone wild - have to see this" along with a photo of, you guessed it, a cheerleader carrying pom-poms. Clicking the link led to a warning that the content may be inappropriate for some users and prompted users to confirm that they were 18 or older, said Graham Cluley of Sophos, who bravely clicked the link for research purposes only, of course.

Another warning then popped up pretending to be an antispam mechanism and asked the user to click three buttons numbered 1, 2, and 3 in a specific order. Once that was done and the "submit" button was clicked, the user's account registered a "like" for the Cheerleaders Gone Wild page, and that message was broadcast from the victim's account to his or her news feed for all friends to see, Cluley said.

The account also invisibly indicated that it "likes" two other Facebook pages, "Funniest Videos on the Web" and "Free ringtones every day."

"But you probably haven't noticed any of this, of course, because by now you are watching a YouTube video of a group of young cheerleaders up to antics which, quite frankly, I didn't find at all shocking and didn't involve any nudity," Cluley wrote on his blog.

A Facebook spokesman said the company disabled the page after learning of the attack and reiterated its advice that users not click on suspicious-looking links, even if they come from friends. More tips on how to recognize and avoid clickjacking are available on the "Threats" tab of the Facebook Security Page.

Clickjacking happens when malicious code hijacks a browser session so that a user's clicks land on hidden page elements the user never intended to activate; such attacks have been seen on Facebook, Twitter, and other sites. (For more information, see "Clickjacking: Hijacking clicks on the Internet.") Web surfers can protect themselves by disabling JavaScript if using Internet Explorer, by using the NoScript add-on for Firefox, and by logging out of Web sites when they are done with them.
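The defenses above are all on the user's side. The complementary defense belongs to the site whose buttons are being hijacked: its pages must refuse to load inside another site's frame. The following is an added example, not code from the article, Sophos or Facebook, that checks a set of HTTP response headers for that protection using the two standard mechanisms, the `X-Frame-Options` header and the `frame-ancestors` directive of `Content-Security-Policy`. The sample responses at the bottom are constructed for illustration.

```javascript
// Added example (not from the CNET article): decide whether a page's HTTP
// response headers stop it from being framed by another origin, which is the
// server-side defense against clickjacking. The sample responses below are
// constructed for illustration; the header names are the real standard ones.

// Extract the source list of the frame-ancestors directive from a CSP value.
// Returns an array of lower-cased source expressions, or null if absent.
function frameAncestors(cspValue) {
  if (!cspValue) return null;
  for (const directive of cspValue.split(";")) {
    const tokens = directive.trim().split(/\s+/);
    if (tokens[0].toLowerCase() === "frame-ancestors") {
      return tokens.slice(1).map((t) => t.toLowerCase());
    }
  }
  return null;
}

// Assess one response. `headers` is an object keyed by lower-case header name.
// Returns { protected: boolean, reason: string }.
function assessFramingProtection(headers) {
  const ancestors = frameAncestors(headers["content-security-policy"]);
  if (ancestors) {
    // Browsers that support CSP frame-ancestors give it precedence over
    // X-Frame-Options, so it is checked first.
    const openSources = ["*", "http:", "https:"];
    if (ancestors.some((src) => openSources.includes(src))) {
      return { protected: false, reason: "frame-ancestors allows any origin to frame the page" };
    }
    return { protected: true, reason: `frame-ancestors restricts framing to: ${ancestors.join(" ")}` };
  }
  const xfo = headers["x-frame-options"];
  if (xfo) {
    const value = xfo.trim().toUpperCase();
    if (value === "DENY" || value === "SAMEORIGIN") {
      return { protected: true, reason: `X-Frame-Options: ${value}` };
    }
    // ALLOW-FROM is obsolete and ignored by current browsers, so it gives no protection.
    return { protected: false, reason: `unsupported X-Frame-Options value: ${xfo.trim()}` };
  }
  return { protected: false, reason: "no framing restriction: page can be embedded in an attacker's invisible iframe" };
}

// Constructed sample responses, from weakest to strongest.
const SAMPLE_RESPONSES = {
  unprotected: { "content-type": "text/html" },
  obsoleteAllowFrom: { "x-frame-options": "ALLOW-FROM https://partner.example" },
  cspWildcard: { "content-security-policy": "frame-ancestors *" },
  xfoDeny: { "content-type": "text/html", "x-frame-options": "DENY" },
  cspStrict: { "content-security-policy": "default-src 'self'; frame-ancestors 'none'" },
};

// Run every sample through the check and return the results keyed by name.
function runSamples() {
  const results = {};
  for (const [name, headers] of Object.entries(SAMPLE_RESPONSES)) {
    results[name] = assessFramingProtection(headers);
  }
  return results;
}

for (const [name, result] of Object.entries(runSamples())) {
  console.log(`${name.padEnd(18)} ${result.protected ? "protected" : "VULNERABLE"}  (${result.reason})`);
}
```

The check mirrors how browsers behave: a `Content-Security-Policy` with `frame-ancestors` wins over `X-Frame-Options` where both are present, `DENY` and `SAMEORIGIN` are the only `X-Frame-Options` values that still mean anything, and a missing header leaves the page embeddable in exactly the kind of invisible frame this scam relied on.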

Click safely now.

Updated 11:20 a.m. PDT with Facebook comment and background on clickjacking.