Facebook worm spreads with a lurid lure

IDG News Service - Some Facebook users have been infected with a worm after clicking on an image of a scantily clad woman, which then redirects the victims to a pornography site, according to security researchers.

The worm posts an image on a victim's Facebook Wall with a photo of a woman in a bikini and the message "click 'da button, baby." Wall posts are viewable by a Facebook user's friends.

If a friend clicks on the image and is logged into Facebook, the image is then is posted to their own Wall. Their Web browser will then open a Web page with a larger version of the same image. A further click on "da button" redirects the friend to a pornography site, according to Roger Thompson chief research officer for antivirus vendor AVG Technologies. Thompson posted a video of the attack on his blog.

The creators of the worm are likely making money by driving referrals to the pornography site, said Nick FitzGerald, a threat researcher for security vendor AVG.

Researchers aren't quite sure exactly how the worm works but believe it may be a cross-site request forgery attack (CSRF) or a clickjacking attack or a mix of both.

A CSRF attack occurs when a victim's credentials are used to perform some action but without their knowledge. In this case, the attacker fraudulently posts the image to the victim's Facebook Wall, piggybacking on the fact the victim is logged into their account.

Another possibility is clickjacking, where attackers use special Web programming to trick victims into clicking Web buttons without realizing it.

Clickjacking is possible due to a fundamental design feature in HTML that allows Web sites to embed content from other Web pages. Web browsers are vulnerable to clickjacking attacks, although browser makers have worked to shore up defenses against them.

Facebook classifies the attack as clickjacking, an attack that is "not specific to Facebook," according to a written statement. Facebook also said the attack was not a worm.

"We've taken action to block the URL (Uniform Resource Locator) associated with this site, and we're cleaning up the relatively few cases where it was posted," the statement said. "Overall, an extremely small percentage of users were affected."

If the worm does spread through a clickjacking attack, "it may be difficult for Facebook to fix reliably," FitzGerald said. "Regardless, it is a worm."

Facebook warned users not to click on suspicious links. However, in this case, the link doesn't stand out as necessarily suspicious given the variety of Wall postings, graphics and applications that appear all over the popular social-networking site.

In fact, one security researcher inadvertently reposted the suspect graphic before realizing something wasn't right. "This shows that even experts can become complacent and trust systems when they really shouldn't," wrote Gadi Evron, an independent security researcher, on Dark Reading's blog.