Here at Sucuri we suspect everything, especially when your friends start to share content written in another language with clickbait headlines. Malicious Facebook posts are one way that hackers can use social engineering to attract and attack victims.
If you are not familiar with the term, clickbait is when web content is created in a way that psychologically exploits the reader’s curiosity using compelling headlines. When someone clicks on the article to read it, the service promoting the article generates online advertisement revenue.
You may know several websites that rely on strategies like this, with BuzzFeed being the typical example. You have already read headlines like: "You won’t believe what this guy did after doing that other thing!" or "27 things that people with some personality do!" Most of these sites just want your click (and the revenue it generates); however, some of them turn to the dark side to get their message out.
Facebook ClickBait Leads to Malware
There is no better way to illustrate the impacts and dangers clickbait present than by diving into an example. Fortunately, we have plenty to leverage. Below is an example from my own timeline.
First, we’ll turn off our default security professional paranoid mode and load the average user mindset… for testing purposes, of course.
The headline of the article states: "How to eliminate dental plaque in 5 minutes, without going to the dentist!" That’s great, right? Nobody likes going to the dentist, so let’s click and see how I can get rid of my dental plaque and save some bucks by not going to the dentist.
As soon as the website loaded, I was served with a popup asking me to follow their content on Facebook by liking their page. I could refuse this offer by clicking on the shiny X button to close the message, which would then let me access the article.
Popups are annoying and I close them reflexively. So I clicked on the shiny X icon, and it closed. Awesome!
Something else happened, and I didn’t notice it until much later. After reading the article (which wasn’t that good), I logged into Facebook and saw that I had shared the article with all my friends. I knew I specifically hadn’t done this; I had only clicked the X to open the article.
The website somehow hacked into my Facebook account and started to share content on my behalf! That’s the only logical explanation! It’s a hacker!
Next steps include:
- Deleting the shared content
- Changing Facebook password
- Enabling all security features
- Scanning my computer for viruses
- Reinstalling everything (sounds safer)
- Clicking on the next malicious clickbait
This sounds familiar, right? So, let’s dissect this little annoyance.
“X” Marks the Spot
Remember that X icon that was supposed to close the popup? It was loading a hidden iframe. This one was different from the SEO-spam-style hidden iframes that are only seen by search engines and are tucked away somewhere off-screen. No, this iframe needs to be clickable.
The method here is to set the div’s opacity value to 0, making it transparent while it still sits on top of the page and receives clicks. Why does it need to be clickable? Let’s make it visible to see what happens.
There you go!
Instead of an X button, you are clicking on a Facebook share button loaded by that hidden iframe. This is why most people who shared it say they never clicked on anything suspicious; they just opened the site.
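As an added illustration (not part of the original post, and not Sucuri’s own scanner), the following Python script audits a constructed HTML snippet for iframes that are fully transparent yet still clickable, the exact pattern described above. It only inspects inline `style` attributes; opacity applied from an external stylesheet would need a browser-side check, and the sample page and URLs are made up.

```python
from html.parser import HTMLParser

# Constructed sample, not a real site: the popup's visible "X" is covered by a
# transparent iframe that loads a share widget (placeholder URL). A normal,
# visible video embed is included so the auditor has something to ignore.
SAMPLE_HTML = """
<div id="popup">
  <span class="close">X</span>
  <iframe src="https://social.example/share?u=article" style="position:absolute; top:0; right:0; width:32px; height:32px; opacity:0; z-index:9999"></iframe>
</div>
<iframe src="https://video.example/embed/42" style="width:560px; height:315px"></iframe>
"""

def parse_style(style):
    """Turn 'a:b; c:d' into {'a': 'b', 'c': 'd'} with lower-cased keys and values."""
    rules = {}
    for decl in style.split(";"):
        if ":" in decl:
            key, value = decl.split(":", 1)
            rules[key.strip().lower()] = value.strip().lower()
    return rules

def is_transparent_clickable(style):
    """True when the element is (nearly) invisible but still receives clicks."""
    rules = parse_style(style)
    try:
        opacity = float(rules.get("opacity", "1"))
    except ValueError:
        opacity = 1.0  # unparsable value: assume visible rather than raise
    receives_clicks = rules.get("pointer-events") != "none"
    return opacity <= 0.1 and receives_clicks

class IframeAuditor(HTMLParser):
    """Collects the src of every iframe whose inline style hides it from the user."""
    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag != "iframe":
            return
        attrs = dict(attrs)
        if is_transparent_clickable(attrs.get("style") or ""):
            self.findings.append(attrs.get("src") or "(no src)")

def audit_html(html):
    """Return the src values of transparent-but-clickable iframes in the page."""
    auditor = IframeAuditor()
    auditor.feed(html)
    return auditor.findings

if __name__ == "__main__":
    for src in audit_html(SAMPLE_HTML):
        print("suspicious transparent iframe:", src)
```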
How to Avoid Being a Target
Another good piece of advice is: never trust links, especially clickbait ones!