“Who wouldn’t want to have more likes on their Facebook page?” This is the motivation of a very trivial code to get more likes, but while other methods usually comprise of adding better content or advertising, this one is a bit easier, and much dirtier. Why not show the like button directly beneath your mouse cursor as you browse a website, make it invisible, and move it as you move your mouse?
The only thing the victim has to do is click; if they are logged in to Facebook, they will automatically like the Facebook page. And of course, it is not only about the number of likes, but each like means the victim will get all the information about this page on their news feed (until they unlike the page), and all friends will also see that you like it – so why not check it out themselves?
This method is possible due to Like Button, a social plugin for Facebook, made by Facebook developers. It is used properly on many legitimate sites, but when combined with CSS hiding and JS moving, the victim has no other chance. If you want to know how to minimize the impact of such tactics, or if you are more into technical details, read on.
At the start, a wrapper div element is created, in which there is a link (sometimes an iframe) to a Facebook like button.
The wrapper with the like button is of course made transparent in the wild by these CSS properties, so that you do not see it:
- opacity: 0;
- filter: alpha(opacity = 0);
- -ms-filter: 'progid:DXImageTransform.Microsoft.Alpha(Opacity=0)';
Here you can see one of the samples in the wild:
We are very surprised to see so little obfuscation, the code is very readable and almost self-explanatory – it even contains functions like ClickJackFBShow();. We expect the code to become much more obfuscated, as more and more antiviruses start to detect this malicious code in the future.
We would expect this technique to be used together with social engineering; the bad guys could post links to exploit kits on other people's news feed and convince the victims to click them. However, what we do see in the wild is just a very large amount of 15-year-olds utilizing this code on their websites for the sake of getting more attention on Facebook.
To get rid of this unwanted advertisement, open your Facebook and click on your name in the top left, then select “Activity log”. Then you can see your activity on Facebook. If there is something suspicious, something you are not aware you really liked, just click unlike and it will bother you no more.
Avast! detects this behavior as JS:Clickjack-*.
Samples on Virustotal: