Beware enticing Bieber links, free offers on Facebook

Scammers are exploiting Bieber mania to trick people into unwittingly "liking" a scam message and spreading it on Facebook.

Elinor Mills Former Staff Writer
Elinor Mills covers Internet security and privacy. She joined CNET News in 2005 after working as a foreign correspondent for Reuters in Portugal and writing for The Industry Standard, the IDG News Service and the Associated Press.
A clickjacking attack on Facebook lures victims in with purported video and then surreptitiously "likes" the post, spreading it further. (Image: M86)

Old scams hiding under new headlines were circulating on Facebook this week, including promises of video involving obsessed Justin Bieber fans.

"I can't believe a GIRL did this because of Justin Bieber," says the post that has been appearing on Facebook walls and status updates.

Clicking the link leads to a fake page styled to look like YouTube that says "Please Watch this video only if you are 16 years or older," according to an M86 blog post. Hidden behind the video window is an iframe loaded from Facebook, so that clicking anywhere in the window submits a "like" to the page and spreads the post on the victim's own Facebook page. This is a standard clickjacking attack riding on a current hot topic: the teen singer.

The scam doesn't stop there. A fake Facebook dialog box also pops up asking the victim to verify his or her age by completing a survey, which links to sites relating to auto insurance, according to M86.

Facebook was able to stop this scam fairly quickly, but not before it had garnered more than 20,000 likes. Other variants of the scam were spreading, M86 said.

Separately, scammers had rehashed some scams involving offers of free iPads, free Southwest Airlines tickets, and a Miley Cyrus-related video link via posts on the site and e-mail messages. It's unclear exactly how those scams worked and whether they involved clickjacking.

Clickjacking prompts a victim to click something while a different action is taken behind the scenes. It takes advantage of a weakness in Web browsers themselves and is not specific to Facebook.

If you see a potential or obvious scam on Facebook, report it to the person whose account is spreading it, M86 said. The NoScript Firefox plug-in protects against clickjacking attacks such as this, it added.

Because clickjacking exploits a browser weakness, Facebook can't technically prevent it completely, a Facebook spokesman said. "We continue to build additional protections to mitigate its impact," he said in an e-mail. "We're also involved in discussions with others in the industry on how to fix the underlying issue on the browser side."
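The browser-side fix the spokesman refers to took the form of anti-framing response headers, X-Frame-Options and later the Content-Security-Policy frame-ancestors directive, which tell the browser whether a page may be loaded inside another site's iframe at all. The Node.js function below is an added example, not code from the article, M86 or Facebook; it assumes headers are passed as a plain object and origins as strings such as "https://www.facebook.com", and the scam-site origin it uses is constructed.

```javascript
// Added example (not from the article, M86 or Facebook): decide whether a
// response's headers let another origin load the page in an iframe. A page
// that can be framed is one the hidden-iframe "like" trick can target.

function headerValue(headers, name) {
  // Header names are case-insensitive; headers is a plain {name: value} object.
  const key = Object.keys(headers).find((k) => k.toLowerCase() === name);
  return key === undefined ? null : headers[key];
}

function frameAncestors(csp) {
  // Return the source list of the frame-ancestors directive, or null if absent.
  for (const directive of csp.split(";")) {
    const parts = directive.trim().split(/\s+/);
    if (parts[0].toLowerCase() === "frame-ancestors") return parts.slice(1);
  }
  return null;
}

function sourceMatches(source, embedder, page) {
  // Match one frame-ancestors source expression against the embedding origin.
  const s = source.toLowerCase();
  if (s === "'none'") return false;
  if (s === "'self'") return embedder === page;
  if (s === "*") return true;
  const origin = new URL(embedder);
  if (/^[a-z][a-z0-9+.-]*:$/.test(s)) return origin.protocol === s; // e.g. https:
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?(\*\.)?([^/:*]+)$/.exec(s);
  if (!m) return false;
  const [, scheme, wildcard, host] = m;
  if (scheme && origin.protocol !== scheme + ":") return false;
  return wildcard ? origin.hostname.endsWith("." + host) : origin.hostname === host;
}

function framingAllowed(headers, embedder, page) {
  // embedder is the origin trying to frame the page; page is the page's own origin.
  const csp = headerValue(headers, "content-security-policy");
  const sources = csp === null ? null : frameAncestors(csp);
  if (sources !== null) {
    // frame-ancestors takes precedence over X-Frame-Options when both are present.
    return sources.some((src) => sourceMatches(src, embedder, page));
  }
  const xfo = headerValue(headers, "x-frame-options");
  if (xfo === null) return true; // no anti-framing header: a hidden iframe works
  const value = xfo.trim().toUpperCase();
  if (value === "DENY") return false;
  if (value === "SAMEORIGIN") return embedder === page;
  return true; // invalid values are not honoured uniformly; treat as unprotected
}

// Constructed sample: a like-button page with no anti-framing header versus a hardened one.
const unprotected = { "Content-Type": "text/html" };
const hardened = { "X-Frame-Options": "SAMEORIGIN",
                   "Content-Security-Policy": "frame-ancestors 'self' https://*.facebook.com" };
console.log(framingAllowed(unprotected, "https://scam-video.example", "https://www.facebook.com")); // true
console.log(framingAllowed(hardened, "https://scam-video.example", "https://www.facebook.com"));    // false
```

Running the check against a site's real responses (for example with a fetch of the page and its like-button endpoint) shows at a glance which pages a third-party iframe can still load.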

Facebook users should be suspicious of anything that looks or feels strange, even if it has been posted by a friend. Facebook offers tips for how to recognize and avoid clickjacking on the "Threats" tab of the Facebook Security Page.

The company also has developed automated systems to detect and flag Facebook accounts that are likely to be compromised, based on suspicious activity such as a large number of messages sent in a short period of time or messages containing links that are known to be bad. Once Facebook detects a phony post, it is deleted across the site. The company blocks malicious links from being shared and works with third parties to get phishing and malware sites added to browser blacklists or taken down. Facebook also displays warnings when people click, from an e-mail notification, on a link that has been identified as malicious.

Here are some basic safety tips for using Facebook or any site on the Web:

• Use an up-to-date browser that features an antiphishing blacklist.

• Choose unique log-ins and passwords for each of the Web sites you use.

• Check to see that you're logging in from a legitimate Facebook page with the facebook.com domain.

• Be cautious of any message, post or link you find on Facebook that looks suspicious or requires an additional log-in.