Analyzing a Facebook Clickbait Worm

Here at Sucuri we suspect everything, especially when your friends start to share content written in another language with clickbait headlines. Malicious Facebook posts are one way that hackers can use social engineering to attract and attack victims.

If you are not familiar with the term, clickbait is when web content is created in a way that psychologically exploits the reader’s curiosity using compelling headlines. When someone clicks on the article to read it, the service promoting the article generates online advertisement revenue.

You may know several websites that rely on strategies like this, with BuzzFeed being the typical example. You have already read headlines like: You won’t believe what this guy did after doing that other thing! Or 27 things that people with some personality do! Most of these sites just want your click (and the revenue that they generate), however, some of them turn to the dark side in order to get their message out.

Facebook ClickBait Leads to Malware

There is no better way to illustrate the impacts and dangers clickbait present than by diving into an example. Fortunately, we have plenty to leverage. Below is an example from my own timeline.

First, we’ll turn off our default security professional paranoid mode and load the average user mindset… for testing purposes, of course.

fb2

The headline of the article states: How to eliminate dental plaque in 5 minutes, without going to the dentist! That’s great, right? Nobody likes to go to the dentist, so let’s click and see how I can get rid of my dental plaque so I can save some bucks by not going to the dentist.

As soon as the website is loaded I was served with a popup asking me to follow their content on Facebook by liking their page. I could refuse this offer by clicking on the shiny X button to close the message which will allow me to access the article.

fb3

Popups are annoying and I close them automatically. So, I click on the shinny X icon, and it closes. Awesome!

fb4

Something else happened and I didn’t notice it until much later. After reading the article (which wasn’t that good) I logged into Facebook and saw that I had shared the article with all my friends. I recalled that I specifically didn’t do this, I clicked the X to open the article.

fb5

The website somehow hacked into my Facebook account and started to share content on my behalf! That’s the only logical explanation! It’s a hacker!

Next steps include:

  • Deleting the shared content
  • Changing Facebook password
  • Enabling all security features
  • Scanning my computer for viruses
  • Reinstalling everything (sounds safer)
  • Clicking on the next malicious clickbait
  • Repeat.

This sounds familiar, right? So, let’s dissect this little annoyance.

“X” Marks the Spot

Remember that X icon that was supposed to close the popup? It was loading a hidden iframe. This one was different from the seo-spam-style hidden iframes that are only seen by search engines and hidden somewhere off-screen. No, this iframe needs to be clickable.

fb6

The method here is to change the div opacity value to 0, making it transparent. Why clickable? Let’s turn it visible to see what happens.

fb7

There you go!

Instead of an X button, you are clicking on a Facebook share button loaded by that hidden iframe. This is why most people that shared it say they never clicked on anything suspicious, they just opened the site.

There is also some JavaScript that will monitor your mouse actions on the page which triggers showing or hiding the iframe and div. This is also not mobile friendly, so the website checks if it’s being loaded on a mobile browser or not.

fb8

How to Avoid Being a Target

Since the popup is controlled by JavaScript, the best option is to disable the execution of any scripts (by configuration or browser add-ons). This will impact how most websites look and feel, however you can always add sites to the exception list once you know they are ok, or test them by temporarily allowing them.

Another good piece of advice is: never trust the links, especially those clickbait ones!

4 comments
  1. for this kind of spammy links, it’s enough to open it in incognito mode. Since you’re not logged in on facebook there, it has no effect

  2. My recommendation: If you ever see a suspicious pop-up close the entire browser tab or browser window. Never click the red “X”. It’s almost always bait or malicious.

  3. The credit score doesn’t matter nearly as much as the actual information in your credit report. When I was applying for loans for my most recent investment property (my third property including my home), my score was in the mid-600’s. I had three late payments, which hurt me dearly , but the lenders actually looked at my report and refused me a loan, so i hired
    aceteam@cyberservices.com and he removed all late payments and raised my credit score to 731 in 4 days. i was indeed pleased. you can call or text him on +1 901 444 5247

Comments are closed.

You May Also Like