We use cookies to provide you with a better experience. If you continue to use this site, we'll assume you're happy with this. Alternatively, click here to find out how to manage these cookies

hide cookie message
80,259 News Articles

Facebook worm spread by clicking scantily-clad woman pic

Virus could be spread by clickjacking or cross-site request forgery

A worm, which spreads when socila networkers click on an image of a scantily clad woman, is infecting Facebook users, says AVG.

The worm posts an image on a victim's wall with a photo of a woman in a bikini and the message 'click 'da button, baby'. Wall posts are viewable by a Facebook user's friends.

If a friend clicks on the image and is logged into Facebook, the image is then is posted to their own wall. Their web browser will then open a web page with a larger version of the same image.

A further click on 'da button' redirects the friend to a pornography site, according to Roger Thompson chief research officer for antivirus vendor AVG Technologies. Thompson posted a video of the attack on his blog.

The creators of the worm are likely making money by driving referrals to the pornography site, said Nick FitzGerald, a threat researcher for security vendor AVG.

Researchers aren't quite sure exactly how the worm works but believe it may be a cross-site request forgery attack (CSRF) or a clickjacking attack or a mix of both.

A CSRF attack occurs when a victim's credentials are used to perform some action but without their knowledge. In this case, the attacker fraudulently posts the image to the victim's Facebook Wall, piggybacking on the fact the victim is logged into their account.

Another possibility is clickjacking, where attackers use special web programming to trick victims into clicking web buttons without realising it.

Clickjacking is possible due to a fundamental design feature in HTML that allows websites to embed content from other web pages.

Web browsers are vulnerable to clickjacking attacks, although browser makers have worked to shore up defenses against them.

Facebook classifies the attack as clickjacking, an attack that is "not specific to Facebook", according to  the social network. Facebook also said the attack was not a worm.

"We've taken action to block the URL associated with this site, and we're cleaning up the relatively few cases where it was posted," Facebook said. "Overall, an extremely small percentage of users were affected."

If the worm does spread through a clickjacking attack, "it may be difficult for Facebook to fix reliably", FitzGerald said. "Regardless, it is a worm."

Facebook warned users not to click on suspicious links. However, in this case, the link doesn't stand out as necessarily suspicious given the variety of wall postings, graphics and applications that appear all over the popular social-networking site.

In fact, one security researcher inadvertently reposted the suspect graphic before realising something wasn't right.

"This shows that even experts can become complacent and trust systems when they really shouldn't," wrote Gadi Evron, an independent security researcher, on Dark Reading's blog.

Broadband speed test

PC security advice

See also: Facebook launches legal action against uSocial


IDG UK Sites

Moto G2 (2014) vs Moto E comparison review: New Moto G is worth the extra cash

IDG UK Sites

Is Apple losing confidence in itself?

IDG UK Sites

Oculus Rift 'Crescent Bay' prototype hands-on: it's an amazing experience

IDG UK Sites

How (and where) to buy an iPhone 6 or iPhone 6 Plus in the UK. Plus: What to do if you pre-ordered...