Like-jacking

*Via SANS.

*Every time darkside hackers make up a new exploit, somebody's got to make up and promulgate a new name to the security community. "Like-jacking." You 'like' something on Facebook, you get hijacked.

*Did the malefactors who made this scheme up have a name for it? I mean, there must have been more than one of them, right? It had to be a collaborative effort. So what did they say to each other when they referred to that work? "Hey Kevin! How are things going on our 'like-jacking' project?" I mean, they had to call it something. These guys must have entire web-semantic glossaries by now.

–Click-jacking Attacks Spreading Through Facebook
(June 1, 2 & 3, 2010)
Click-jacking or like-jacking attacks are spreading through Facebook.
If Facebook users click on the specially-crafted links created to be
enticing, they are taken to a page that appears to be empty with a
message that instructs them to "click here to continue." An invisible
iFrame publishes the content, including the link, on the user's status
page. At the moment, the attacks are little more than a nuisance, but
they could be altered to be malicious.
Internet Storm Center: http://isc.sans.org/diary.html?storyid=8893
http://www.informationweek.com/news/software/hosted/showArticle.jhtml?articleID=225300286
http://news.bbc.co.uk/2/hi/technology/10224434.stm
http://www.theregister.co.uk/2010/06/01/facebook_clickjacking_worm/
http://www.computerworld.com/s/article/9177618/Facebook_likejacking_attacks_continue_with_flesh_appeal?taxonomyId=17
[Editor's Note (Pescatore): This type of "clickjacking" attack was
detailed back in 2008, but is really just a web-enabled variant of bad
user interface design. There are things web sites can do to minimize
this attack (like x-frame-options and other things) but most web sites
haven't done them. Even off the web, UI "overlay" issues have long been
the bane of trying to use digital signatures on PCs - how can you prove
what the user clicked on actually signed what they thought they were
signing?]
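
The x-frame-options defence mentioned in the editor's note can be checked from a site's response headers. The following is an added example, not part of the SANS item or the original post: it classifies whether a response may be loaded in another site's iframe. The function names and sample header values are constructed for illustration, and the Content-Security-Policy frame-ancestors check goes beyond the one header the note names.

```javascript
// Added example: classify a response's anti-framing posture from its headers.
// Names (framingPolicy, classifyAncestors, RANK) are hypothetical, not from any library.
const RANK = ['unprotected', 'allowlist', 'same-origin', 'deny'];

function classifyAncestors(sources) {
  const src = sources.map(s => s.toLowerCase());
  // An empty source list matches nothing, which is equivalent to 'none'.
  if (src.length === 0 || src.every(s => s === "'none'")) return 'deny';
  if (src.includes('*')) return 'unprotected';
  if (src.every(s => s === "'self'")) return 'same-origin';
  return 'allowlist';
}

function framingPolicy(headers) {
  const h = {};
  for (const [k, v] of Object.entries(headers)) h[k.toLowerCase()] = String(v);

  // A frame-ancestors directive supersedes X-Frame-Options in browsers that support it.
  // Comma-separated policies are all enforced, so keep the strictest result.
  let best = null;
  for (const policy of (h['content-security-policy'] || '').split(',')) {
    for (const directive of policy.split(';')) {
      const [name, ...sources] = directive.trim().split(/\s+/);
      if (name.toLowerCase() !== 'frame-ancestors') continue;
      const s = classifyAncestors(sources);
      if (best === null || RANK.indexOf(s) > RANK.indexOf(best)) best = s;
      break; // only the first occurrence of a directive within a policy counts
    }
  }
  if (best !== null) return { status: best, via: 'csp' };

  // Fall back to X-Frame-Options; repeated headers arrive comma-joined.
  const xfo = new Set((h['x-frame-options'] || '').split(',')
    .map(v => v.trim().toUpperCase()).filter(Boolean));
  if (xfo.size === 0) return { status: 'unprotected', via: 'none' };
  // Conflicting values are flagged for review rather than trusted.
  if (xfo.size > 1) return { status: 'misconfigured', via: 'x-frame-options' };
  const [value] = xfo;
  if (value === 'DENY') return { status: 'deny', via: 'x-frame-options' };
  if (value === 'SAMEORIGIN') return { status: 'same-origin', via: 'x-frame-options' };
  // ALLOW-FROM and unrecognised values are ignored by current browsers.
  return { status: 'unprotected', via: 'x-frame-options' };
}
```

A page that returns "unprotected" or "misconfigured" here can be placed in an invisible iframe of the kind the news item describes.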