Facebook worm spreads with a lurid lure

Facebook said the problem only affected a small number of users and disputes it is a worm

Some Facebook users have been infected with a worm after clicking on an image of a scantily clad woman, which then redirects the victims to a pornography site, according to security researchers.

The worm posts an image on a victim's Facebook Wall with a photo of a woman in a bikini and the message "click 'da button, baby." Wall posts are viewable by a Facebook user's friends.

If a friend clicks on the image and is logged into Facebook, the image is then is posted to their own Wall.

Their Web browser will then open a Web page with a larger version of the same image. A further click on "da button" redirects the friend to a pornography site, according to Roger Thompson chief research officer for antivirus vendor AVG Technologies.

Thompson posted a video of the attack on his blog.

The creators of the worm are likely making money by driving referrals to the pornography site, said Nick FitzGerald, a threat researcher for security vendor AVG.

Researchers aren't quite sure exactly how the worm works but believe it may be a cross-site request forgery attack (CSRF) or a clickjacking attack or a mix of both.

A CSRF attack occurs when a victim's credentials are used to perform some action but without their knowledge. In this case, the attacker fraudulently posts the image to the victim's Facebook Wall, piggybacking on the fact the victim is logged into their account.

Another possibility is clickjacking, where attackers use special Web programming to trick victims into clicking Web buttons without realizing it.

Clickjacking is possible due to a fundamental design feature in HTML that allows Web sites to embed content from other Web pages. Web browsers are vulnerable to clickjacking attacks, although browser makers have worked to shore up defenses against them.

Facebook classifies the attack as clickjacking, an attack that is "not specific to Facebook," according to a written statement. Facebook also said the attack was not a worm.

"We've taken action to block the URL (Uniform Resource Locator) associated with this site, and we're cleaning up the relatively few cases where it was posted," the statement said. "Overall, an extremely small percentage of users were affected."

If the worm does spread through a clickjacking attack, "it may be difficult for Facebook to fix reliably," FitzGerald said. "Regardless, it is a worm."

Facebook warned users not to click on suspicious links. However, in this case, the link doesn't stand out as necessarily suspicious given the variety of Wall postings, graphics and applications that appear all over the popular social-networking site.

In fact, one security researcher inadvertently reposted the suspect graphic before realizing something wasn't right.

"This shows that even experts can become complacent and trust systems when they really shouldn't," wrote Gadi Evron, an independent security researcher, on Dark Reading's blog.

Join the CSO newsletter!

Error: Please check your email address.

Tags wormAVGsocial networkingFacebook

More about AVG (AU/NZ)AVG Technologies AUFacebook

Show Comments

Featured Whitepapers

Editor's Recommendations

Solution Centres

Stories by Jeremy Kirk

Latest Videos

  • 150x50

    CSO Webinar: Will your data protection strategy be enough when disaster strikes?

    Speakers: - Paul O’Connor, Engagement leader - Performance Audit Group, Victorian Auditor-General’s Office (VAGO) - Nigel Phair, Managing Director, Centre for Internet Safety - Joshua Stenhouse, Technical Evangelist, Zerto - Anthony Caruana, CSO MC & Moderator

    Play Video

  • 150x50

    CSO Webinar: The Human Factor - Your people are your biggest security weakness

    ​Speakers: David Lacey, Researcher and former CISO Royal Mail David Turner - Global Risk Management Expert Mark Guntrip - Group Manager, Email Protection, Proofpoint

    Play Video

  • 150x50

    CSO Webinar: Current ransomware defences are failing – but machine learning can drive a more proactive solution

    Speakers • Ty Miller, Director, Threat Intelligence • Mark Gregory, Leader, Network Engineering Research Group, RMIT • Jeff Lanza, Retired FBI Agent (USA) • Andy Solterbeck, VP Asia Pacific, Cylance • David Braue, CSO MC/Moderator What to expect: ​Hear from industry experts on the local and global ransomware threat landscape. Explore a new approach to dealing with ransomware using machine-learning techniques and by thinking about the problem in a fundamentally different way. Apply techniques for gathering insight into ransomware behaviour and find out what elements must go into a truly effective ransomware defence. Get a first-hand look at how ransomware actually works in practice, and how machine-learning techniques can pick up on its activities long before your employees do.

    Play Video

  • 150x50

    CSO Webinar: Get real about metadata to avoid a false sense of security

    Speakers: • Anthony Caruana – CSO MC and moderator • Ian Farquhar, Worldwide Virtual Security Team Lead, Gigamon • John Lindsay, Former CTO, iiNet • Skeeve Stevens, Futurist, Future Sumo • David Vaile - Vice chair of APF, Co-Convenor of the Cyberspace Law And Policy Community, UNSW Law Faculty This webinar covers: - A 101 on metadata - what it is and how to use it - Insight into a typical attack, what happens and what we would find when looking into the metadata - How to collect metadata, use this to detect attacks and get greater insight into how you can use this to protect your organisation - Learn how much raw data and metadata to retain and how long for - Get a reality check on how you're using your metadata and if this is enough to secure your organisation

    Play Video

  • 150x50

    CSO Webinar: How banking trojans work and how you can stop them

    CSO Webinar: How banking trojans work and how you can stop them Featuring: • John Baird, Director of Global Technology Production, Deutsche Bank • Samantha Macleod, GM Cyber Security, ME Bank • Sherrod DeGrippo, Director of Emerging Threats, Proofpoint (USA)

    Play Video

More videos

Blog Posts

Market Place