Who visited your Facebook Profile

This is something many people seem to find really interesting: some social networks show who visited a user’s profile. Facebook doesn’t offer this feature, and officially says so in the Facebook help. But because people want to know, they often click on links that others share, which promise to show a list of visitors to their own Facebook profile.

Facebook Clickjacking: Who visited your profile?

These are fake links, of course. Usually, they are part of a so-called Clickjacking attack: users get redirected through one or more web pages and may even need to click somewhere else, allegedly to finally see the results, such as the visitors of the profile or promised gifts, pictures, videos and so on. But this is nothing more than a Facebook scam or even a worm. After the user clicks the link, it gets access to the user’s friends list and virally spreads the infectious link. As Facebook doesn’t offer any statistics about visitors, these worms sometimes even fake a statistic out of random contacts of the user to hide their malicious intent and activities.

Facebook Clickjacking: Leads in the recent activities

In the “recent activities”, the user can see the damage the Clickjacking worm has done: it posts the malicious link on the walls of the user’s friends. If one fell victim to such a link, it is a good idea to take one of the entries and not just remove it, but mark it as spam and send the message to Facebook. The company seems to react quite fast to such messages and then removes them completely.

But even if Facebook reacts fast, it is not fast enough. Other users will surely click on that link, too. The user should thus check the profile and the friends’ walls for any entry of their own which shows this link, and then remove it.
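The check described above can be scripted once the “recent activities” entries are available as data. The following is an added example, not code from the original article: it flags any link that appears on several different friends’ walls within a short burst. The entry format (time, wall, text), the thresholds and all sample data are constructed assumptions, not a Facebook export format.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

URL_RE = re.compile(r"https?://[^\s\"'<>]+")

# Constructed sample entries; the field names (time, wall, text) are
# assumptions for this example, not a real Facebook export format.
ACTIVITY = [
    {"time": "2011-01-10T10:00:05", "wall": "alice", "text": "See who visited your profile http://stats.example.test/view?id=11"},
    {"time": "2011-01-10T10:00:07", "wall": "bob", "text": "See who visited your profile http://stats.example.test/view?id=12"},
    {"time": "2011-01-10T10:00:09", "wall": "carol", "text": "See who visited your profile http://stats.example.test/view?id=13"},
    {"time": "2011-01-10T10:00:12", "wall": "dave", "text": "See who visited your profile http://stats.example.test/view?id=14"},
    {"time": "2011-01-09T18:30:00", "wall": "me", "text": "Nice read: http://news.example.test/article"},
    {"time": "2011-01-10T21:15:00", "wall": "bob", "text": "As promised: http://news.example.test/article"},
    {"time": "2011-01-10T09:00:00", "wall": "alice", "text": "Happy birthday!"},
]

def normalize(url):
    """Drop query string and fragment so per-post parameters do not hide repeats."""
    return re.split(r"[?#]", url, maxsplit=1)[0].rstrip("/").lower()

def find_worm_posts(activity, min_walls=3, window=timedelta(minutes=10)):
    """Return {link: entries} for links posted on at least min_walls distinct
    walls within one time window, the burst pattern of a spreading link."""
    by_link = defaultdict(list)
    for entry in activity:
        for link in {normalize(u) for u in URL_RE.findall(entry["text"])}:
            by_link[link].append(entry)
    flagged = {}
    for link, entries in by_link.items():
        entries.sort(key=lambda e: datetime.fromisoformat(e["time"]))
        start = 0
        for end in range(len(entries)):
            t_end = datetime.fromisoformat(entries[end]["time"])
            while t_end - datetime.fromisoformat(entries[start]["time"]) > window:
                start += 1
            if len({e["wall"] for e in entries[start:end + 1]}) >= min_walls:
                flagged[link] = entries  # every post of this link needs cleanup
                break
    return flagged

if __name__ == "__main__":
    for link, entries in find_worm_posts(ACTIVITY).items():
        print(f"{link}: remove and report {len(entries)} entries")
        for e in entries:
            print(f"  {e['time']}  wall of {e['wall']}")
```

A link shared deliberately with one or two friends stays below the threshold; only the burst across many walls is flagged for removal and reporting.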

Of course, additional software like the NoScript extension for Firefox can help prevent such Clickjacking attacks; the measures taken by the web browsers themselves don’t seem to help much currently. At least the Clickjacking attacks don’t work as automatic worms, though. For those interested, Wikipedia has some background information about these countermeasures.

In the end, users should not click on links which promise something that should be impossible, or promise something incredibly cheap. There is no such thing as a free lunch, and this holds true for the Internet as well. Keeping this in mind will prevent most of these attacks.

Dirk Knop
Technical Editor

Sorin Mustaca
Data Security Expert
techblog.avira.com