New Facebook clickjacking scam which promises to show you who has seen your profile (Update)

Earlier today we saw a new Facebook clickjacking scam that is spreading quite fast.

 

I KNOW WHEN YOU LOOK AT MY PROFILE USING THIS: http://bit.ly/<removed>

NEW! See who views your profile!

www.<removed>.com

Do you want to know who is looking at your photos right now? Find out who looks at your profile the most and what they look at!

or another, even more provocative variant:

CLICK HERE TO SEE WHO IS STALKING YOU: http://bit.ly<removed>

NEW! See who views your profile!

www.<removed>.com

Do you want to know who is looking at your photos right now? Find out who looks at your profile the most and what they look at!

 

Once you click on the shortened link, you are redirected to a page hosted on the Amazon cloud (https://s3.amazonaws.com/…), then to another site, and from there to the final page. This is probably the most well-instrumented clickjacking attack we have seen so far.

The intermediate website hosted on the Amazon cloud is a very nicely crafted redirector, written in JavaScript in order to obfuscate the output:

 

The final page promises you loud and clear that you can see who is viewing your profile.

 

To increase curiosity, there are two posts below the button, which is actually a static screenshot:

 

Once you click on the button, the website tries to download a so-called extension. In the screenshot you can see how this works on Google Chrome. In Firefox you are asked whether you want to install an extension.
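A defender-side sketch of the chain described above (an added example, not code from the original post or from Avira): it scans proxy log lines for a client that goes from a URL shortener to a cloud-storage host and then requests a browser extension package within a short time window. The log layout, host lists, window length and sample records are assumptions constructed for illustration.

```python
from urllib.parse import urlsplit

# Assumptions (not from the article): host lists, time window and the log
# layout "epoch_seconds client_ip url", with lines sorted by time.
SHORTENERS = {"bit.ly"}
STORAGE_HOSTS = ("s3.amazonaws.com",)
EXTENSION_SUFFIXES = (".crx", ".xpi")  # Chrome / Firefox extension packages
ORDER = ("shortener", "storage", "extension")
WINDOW_SECONDS = 120

def stages(url):
    """Return the set of chain stages this URL could represent."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    checks = {
        "shortener": host in SHORTENERS,
        "storage": any(host == h or host.endswith("." + h) for h in STORAGE_HOSTS),
        "extension": parts.path.lower().endswith(EXTENSION_SUFFIXES),
    }
    return {name for name, ok in checks.items() if ok}

def find_chains(lines):
    """Return [(client, [urls])] for each shortener -> storage -> extension chain."""
    pending, hits = {}, []
    for line in lines:
        ts, client, url = line.split()
        ts, found = int(ts), stages(url)
        if "shortener" in found:
            pending[client] = [(ts, url)]          # (re)start tracking this client
        elif client in pending:
            chain = pending[client]
            if ts - chain[0][0] > WINDOW_SECONDS:
                del pending[client]                # stale: outside the window
            elif ORDER[len(chain)] in found:       # other hops are simply skipped
                chain.append((ts, url))
                if len(chain) == len(ORDER):
                    hits.append((client, [u for _, u in pending.pop(client)]))
    return hits

# Constructed sample log, not real traffic.
SAMPLE_LOG = """\
1000 10.0.0.5 http://bit.ly/EXAMPLE1
1001 10.0.0.5 https://s3.amazonaws.com/example-bucket/index.html
1003 10.0.0.5 http://hop.example/r.php
1015 10.0.0.5 http://final.example/files/viewer.crx
1100 10.0.0.8 http://bit.ly/EXAMPLE2
1101 10.0.0.8 https://s3.amazonaws.com/example-bucket/page.html
1500 10.0.0.8 http://addons.example/tool.xpi
""".splitlines()
```

Only the first client is reported; the second client's extension request falls outside the window and its chain is dropped.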

We reported the scam to Facebook and to Amazon in order to stop this from spreading.

Our VirusLab is currently analyzing this extension and we will post more details soon.

Until then, don’t let yourself be fooled:

There is no way you can see who is viewing your profile! 

Update:

The so-called extension which this scam tries to install in the browser is detected by all Avira products as “JS/Scam.A”, and all URLs used in the scam have been blocked. To benefit from this additional security measure, simply update your Avira antivirus product.

 

Sorin Mustaca

Data Security Expert