A new worm is being distributed through Facebook via the “Like” feature. The attack has hit hundreds of thousands of users and uses a combination of social engineering and click-jacking to make it appear as if a user has “liked” a link.
The messages that are being used in the link text include, “LOL This girl gets OWNED after a POLICE OFFICER reads her STATUS MESSAGE,” “This man takes a picture of himself EVERYDAY for 8 YEARS!!,” “The Prom Dress That Got This Girl Suspended From School” and “This Girl Has An Interesting Way Of Eating A Banana, Check It Out!”
When a user clicks on the text that appears to be “liked” he is taken to a blank page that just has the text, “Click here to continue.” Clicking anywhere on that page will then publish the same message to that users Facebook page.
This worm is extremely similar to the Fbhole worm that spread across Facebook 10 days ago. Because users unwittingly end up recommending the offending page to their social graph, this is the type of worm that can spread extremely quickly.
The Troj/iframe-ET worm has been identified the linked as the infection in the pages. It doesn’t appear as if the worm does anything other than add likes to your feed, but if you’ve been infected, you’ll still want to take action.
Please delete any entries in your news feed related to the links and check your profile and info pages to make sure that no links or pages related to those sites have been added to your profile.
via Sophos Blog
