I don’t like – Facebook Clickjacking and track screen cursors

10:30 ET, 8 November 2013

A misleading script to increase the number of “I like” and an invasive technology to track screen cursors are threatening the Facebook users.

The social media are money machines, the interest of private companies, governments and cybercrime are increasing exponentially. Security experts are observing an alarming trend, a growing number of subjects are spending a great effort to commercialize advertising campaigns and sell “likes” on principal social platforms exploiting borderline methods.

Recently packets of “Likes” are sold in the underground at prices higher than those of credit cards, it is a prolific business that is fueling the criminal activities on social networks. It is quite easy to find on the Internet messages that propose services to increase visibility on the social media is a short time, following typical statements used to promote the business:

“Do you want to increase your popularity?”” Do you want to grow the number of likes for your Facebook profile?”

A dirty method to reach the target is very diffused, hackers use to hide “I like” button in a trivial way forcing the action when users roll over the hidden content with the mouse. The Facebook users have just to click once logged in to Facebook, they will automatically like the Facebook page, this simple action make possible to share with victims the information posted on the page, it Newsfeed, and of course all victim’s friends will be notified that he like the page.

The abuse of social plugin Like Button combined with CSS hiding and JS moving allow the attackers to increase the likes for their pages.

The technical details:

The like button is usually embedded in a wrapper div (e.g. id=”wrapper” in the following figure) element containing an iframe to a Facebook like a button.


When user move the mouse over the parent element of <div id=”wrapper”>, which is in most cases <body> tag, an anonymous JavaScript function is called, which modifies the CSS of the wrapper under your mouse.


To hide the presence of like button the wrapper is transparent with proper settings in the CSS properties:

  • opacity: 0;
  • filter: alpha(opacity = 0);
  • -ms-filter: ‘progid:DXImageTransform.Microsoft.Alpha(Opacity=0)’;

In the following example available in the wild the code is easily recognizable, security experts believe that in the future more obfuscation techniques will be implemented by attackers to hide the trick.

According to data provided by Virustotal the behavior known as JS:Clickjack-* has a very low detection ratio, the sample provided by the portal are:

A scaring abuse of the technique could be represented by the diffusion of links to malicious domains that serve malware, the attackers could spread links to exploit kits on other Facebook user’s news feed and convince the victims to click them with social engineering.

Another concerning consideration is at the age of FB users that adopt the described technique, youngster make large use of the above script to increase their popularity on Facebook.

But the threats to Facebook users aren’t finished, the revelations about PRISMthe PRISM surveillance program disclosed the collaboration of the social media giant with the NSA that caused a fall in the trust of netizens in the FB brand. New dark clouds on the horizon for FB users’ privacy, rumors are circulating on the Internet regarding new features that Facebook wants to deploy, the social networking platform is testing a new feature that would allow it to Track user’s cursor on screen. Where the user moves the cursors and for how long, Facebook will know it and it will also see whether a user’s news feed is visible at any given moment on their mobile devices according to the Wall Street Journal.

Facebook’s analytics chief, Ken Rudin, declared the acquired information would be stored in a nearly endless range of purposes, including product development or more precise advertisement targeting … Nothing more.

Let’s remind that Facebook already collect an impressive data about its users and has technology to archive and elaborate them in a sophisticated and efficient way … Do we really want to give up our privacy to be part of the “carnivorous” network?

Will Facebook be able to protect them from ingerent government request and bold cybercriminals.

Do we really want to give up our privacy to be part of the “carnivorous” network?

We must be prepared … social media are a paradise for hackers and snoops.

Pierluigi Paganini

(Security Affairs – Facebook, I like script)




November 8, 2013

cyber defense awardsWe are in our 11th year, and Global InfoSec Awards are incredibly well received – helping build buzz, customer awareness, sales and marketing growth opportunities, investment opportunities and so much more.
Cyber Defense Awards

12th Anniversary Top InfoSec Innovator & Black Unicorn Awards for 2024 are now Open! Finalists Notified Before BlackHat USA 2024...