Thanks to a tip-off from colleague Gadi Evron, I've just spent some time looking into the latest Facebook worm after he alerted Facebook about it.
Like so many past worms, this one uses a suggestive come-on to lure the unsuspecting into clicking a link; after some behind-the-scenes shenanigans, it posts a link to the same lure page on the victim's Facebook wall, provided the click-happy victim is currently logged into Facebook.
I'm not much of a Facebooker (in fact, I only use it for investigating things like this!) but I've heard reports that this is working, as more and more folks' walls start to look something like this:
For those unfamiliar with Facebook (is there anyone other than me in that set?), the thumbnail of the worm's infective page is a link to that page. The worm's objective, of course, is that others viewing the victim's wall will click the link, and since they too are logged into Facebook, the worm will propagate its link to that next victim's wall, and so on...
How does this all work? Rather simple, really, and something Facebook needs to fix.
This worm uses what is technically known as a CSRF (Cross-Site Request Forgery, also called XSRF) attack. A sequence of iframes on the exploit page calls a sequence of other pages and scripts, eventually resulting in a form submission to Facebook "as if" the victim had submitted a URL for a wall post and clicked the "Share" button to confirm the post. Because the victim's browser attaches their Facebook session cookies to that forged submission, Facebook cannot tell it apart from a genuine click, which is why only logged-in victims are affected.
So, at least until Facebook fixes its side of the problem here, be especially careful about which buttons you decide to click, baby!
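To make the server-side fix concrete, here is an added example (not Facebook's code, and not from the original post) of how a wall-post handler can reject the kind of forged submission described above: a per-session token that a page on another origin cannot read, with an Origin/Referer check as a second layer that only rejects on an explicit mismatch, since browsers of that era often sent neither header. The `handle_share` endpoint, its form fields and the `example-social.test` origin are assumptions.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field

# Hypothetical site origin (assumption, not Facebook's real origin)
SITE_ORIGIN = "https://www.example-social.test"


@dataclass
class Session:
    """Server-side session for a logged-in user; the secret never reaches the browser."""
    user: str
    csrf_secret: str = field(default_factory=lambda: secrets.token_hex(32))


def issue_csrf_token(session: Session, form_name: str) -> str:
    """Token embedded in the legitimate Share form, bound to this session and this form.
    A third-party page (or an iframe on it) cannot read it, so it cannot be forged."""
    return hmac.new(session.csrf_secret.encode(), form_name.encode(),
                    hashlib.sha256).hexdigest()


def origin_check(headers: dict):
    """True if Origin/Referer matches our site, False on a mismatch,
    None when neither header is present (undecidable; fall back to the token)."""
    origin = headers.get("Origin") or headers.get("Referer")
    if origin is None:
        return None
    return origin == SITE_ORIGIN or origin.startswith(SITE_ORIGIN + "/")


def handle_share(session: Session, headers: dict, form: dict) -> tuple:
    """Hypothetical wall-post handler. Returns (status, message)."""
    if origin_check(headers) is False:
        return 403, "cross-origin request rejected"
    submitted = form.get("csrf_token", "")
    expected = issue_csrf_token(session, "share")
    # Constant-time comparison; encode both sides so non-ASCII input cannot raise
    if not hmac.compare_digest(submitted.encode(), expected.encode()):
        return 403, "missing or invalid CSRF token"
    url = form.get("url", "")
    if not url.startswith(("http://", "https://")):
        return 400, "bad url"
    return 200, f"posted {url} to {session.user}'s wall"
```

A forged POST arriving from the lure page fails twice: its Origin is wrong, and even if that header is absent it carries no valid token, so the wall post is never written.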
Thank you for posting this critical information. And yet just another reason why I trust AVG on all of my computers.
Posted by: Jkvirtualoffice | 11/23/2009 at 10:24 PM
awesome info! linked via my facebook ;)
Posted by: n3tfury | 11/23/2009 at 11:25 PM
Seen that.
Nothing the NoScript addon for Firefox couldn't handle, however.
Posted by: daveyy, | 11/24/2009 at 12:18 PM
Thank you for posting this important info.
Posted by: comvision | 11/24/2009 at 03:40 PM
hey man! thanks for the information!!! =]]
have a great day =]
Posted by: ba li banana | 11/24/2009 at 06:29 PM
Thank you for posting.. I'll be careful! ^^
Posted by: michelle | 11/26/2009 at 03:17 AM
How do I update my virus program on AVG 9.0?
Posted by: david silcox | 12/07/2009 at 05:50 AM
Really nice to know there is still someone like you watching out for others!!!! Thanks! Keep on doing what you are doing!
Posted by: walter burrows | 12/17/2009 at 12:40 AM