Israeli security researcher Gadi Evron and AVG researcher Nick Fitzgerald are reporting a new Facebook worm that uses a suggestive picture of a scantily clad woman to spread on the social network.
The picture includes a button and the phrase “Click da’ button, baby!” Once a Facebook user clicks the malicious link they are brought to an attack website landing page which automatically updates and copies the victim’s Facebook wall with the malicious link. It also copies the wall.
In blog posting Evron said he stumbled across the Facebook attack after he was tricked by a posting of the link on a friend’s Facebook wall.
This shows that even experts can become complacent and trust systems when they really shouldn’t. It’s a good reminder for me to be more careful with social networks, which for some reason I have grown used to trusting more, without even noticing it happen!
Fitzgerald wrote that the worm uses a cross-site request forgery (CSRF) attack “resulting in a form submission to Facebook “as if” the victim had submitted a URL for a wall post and clicked on the “Share” button to confirm the post.”