News
2012-02-10 09:22:31 | Peter Kruse

CSIS has observed a new clickjacking campaign spreading among incautious Facebook users. The bait has been seen before, and the lure, although simple, is of the kind normally used to entice users into clicking on the content.

The campaign spreads by means of clickjacking. Overlapping elements on an external website lure the user into clicking "Like", which spreads the material to other users via the victim's wall.
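A static check for the overlay technique described above, as an added example that is not CSIS's code or the campaign's markup: it flags an embedded Facebook Like-button frame (`/plugins/like.php`) that is transparent or nested inside a transparent element. The opacity threshold, the function names and the sample pages are assumptions made for this example, and only inline styles are inspected.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

MAX_OPACITY = 0.1  # assumed threshold: at or below this a frame is effectively invisible
VOID = {"area", "base", "br", "col", "embed", "hr", "img", "input", "link", "meta", "source", "track", "wbr"}

def is_like_widget(src):
    """True if src points at Facebook's Like-button plugin endpoint."""
    url = urlparse(src if "//" in src else "//" + src)
    host = (url.hostname or "").lower()
    return (host == "facebook.com" or host.endswith(".facebook.com")) and url.path.startswith("/plugins/like.php")

def is_hidden(style):
    """True if an inline style makes the element (nearly) transparent."""
    m = re.search(r"(?:^|;)\s*opacity\s*:\s*([0-9.]+)", style, re.I)
    ie = re.search(r"alpha\(\s*opacity\s*=\s*(\d+)", style, re.I)  # legacy IE filter syntax
    try:
        return bool((m and float(m.group(1)) <= MAX_OPACITY)
                    or (ie and int(ie.group(1)) <= MAX_OPACITY * 100))
    except ValueError:  # malformed number such as "0.0.1"
        return False

class LikeFrameScanner(HTMLParser):
    """Collects Like-button iframes that are transparent or sit inside a transparent ancestor."""
    def __init__(self):
        super().__init__()
        self.open_tags = []  # (tag, hidden) for every open non-void element
        self.findings = []   # src of each suspicious iframe
    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        hidden = is_hidden(a.get("style") or "") or any(h for _, h in self.open_tags)
        if tag == "iframe" and hidden and is_like_widget(a.get("src") or ""):
            self.findings.append(a["src"])
        if tag not in VOID:
            self.open_tags.append((tag, hidden))
    def handle_endtag(self, tag):
        names = [t for t, _ in self.open_tags]
        if tag in names:  # close the innermost match and everything nested in it
            del self.open_tags[len(names) - 1 - names[::-1].index(tag):]

def scan(html):
    scanner = LikeFrameScanner()
    scanner.feed(html)
    return scanner.findings

# Constructed sample pages: a transparent wrapper around the widget, and an ordinary visible button.
OVERLAY = '<div style="position:absolute;opacity:0"><iframe src="https://www.facebook.com/plugins/like.php"></iframe></div>'
VISIBLE = '<p><iframe src="https://www.facebook.com/plugins/like.php"></iframe></p>'
```

Styles applied through external stylesheets or set by script at run time are outside what this static scan sees; those cases need a rendered-page check.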

We have seen the campaign being spread using the following bait:

OMG! This is what Happened to his Ex Girlfriend!
OMG! Look what he did to get revenge on his ex-GF!
En attente du partage ...

The screen dump below shows the campaign in action. This is the content posted on the user's Facebook wall after the clickjacking:



The external link points to the website (spaces inserted by CSIS):

http://gator1848.hostg ator.com/~adil/ex2/

The content, however, is downloaded from the “cloud” at Amazon (spaces inserted by CSIS):

https://s3.ama zonaws.com/extherev/index.html

This in turn refers to other websites from which content for the campaign is also downloaded (spaces inserted by CSIS):

http://xgf.shoc kingfbvideos.com/video2
http://seethexg fprank.com/img/play2.png
http://seethexg fprank.com/img/movie11.png



We have blocked these websites in CSIS Secure DNS, so Heimdal Pro and Corporate are also protected against this and similar campaigns.