TLDR;

A Javascript trick that causes unsuspecting users visiting a given site to "Like" a Facebook page, presumably to drive traffic and rankings for that page. An important concept to note: this type of click-jacking could be much more malicious than a "Like" on Facebook, but this relatively harmless example is a good POC.

Facebook Auto-Liker

This post describes a simple, yet relatively effective, Javascript trick to drive up likes on a given Facebook page. This sample was obtained in the wild. At the time of writing, it is live here (obviously this is a risky URL to visit):

http://www.myhealthteam.com.au/

That site does not appear to be affiliated with the Facebook page in question, which may indicate a compromise of some sort. The Facebook page that receives the "Like" is:

https://www.facebook.com/mypassionlove12

An unsuspecting user may not notice that their click, anywhere on the page, is being hijacked to "like" a Facebook page. This site's attempt is rather poor, given that the tooltip for the button is still displayed:

This tooltip appears wherever you hover on the page. If we inspect the element, we can see we are actually hovering over a hidden DIV that contains the Facebook "Like" widget iframe. The div follows the mouse anywhere on the page. If we expand the width and height of the div and increase the opacity, the "Like" button is revealed:

This particular technique is well known, and many AV vendors will flag it.

Auto-liker - VirusTotal

The Code

This technique is extremely simple. The Facebook "Like" widget is declared inside a div element with CSS styling that hides it from view. Notice the cross-browser opacity properties in the style attribute.

The simple Javascript below shows how the "Like" button is moved around with the cursor. I fixed the atrocious formatting of the original file and added comments to explain the code:
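The original listing is not reproduced here. As an added example that is not the sample's own code, the following static scanner looks for exactly the pattern this post describes (a fully transparent div wrapping a facebook.com/plugins/like iframe, plus a mousemove handler) in fetched page source, the way a crawler or proxy might; the sample markup, the page URL in it and the function names are constructed placeholders.

```javascript
// Added example, not the sample's own code: a static heuristic scanner that flags
// page source where a Facebook "Like" plugin iframe sits inside a <div> whose
// inline style makes it fully transparent via any cross-browser opacity property.

// Facebook Like plugin iframe (src containing facebook.com/plugins/like).
const LIKE_IFRAME_RE = /<iframe[^>]*src=["']?[^"'>\s]*facebook\.com\/plugins\/like[^>]*>/i;

// Fully transparent element via standard, -moz-, -khtml- or legacy IE filter syntax.
const HIDDEN_OPACITY_RE =
  /(?:^|;|\s)(?:-moz-|-khtml-)?opacity\s*:\s*0(?:\.0+)?\s*(?:;|$)|filter\s*:\s*alpha\(\s*opacity\s*=\s*0\s*\)/i;

// Secondary signal: something repositions an element on mouse movement.
const MOUSEMOVE_RE = /onmousemove\s*=|addEventListener\(\s*["']mousemove["']/i;

function scanForLikejacking(html) {
  const findings = [];
  const divRe = /<div\b[^>]*\bstyle\s*=\s*(?:"([^"]*)"|'([^']*)')[^>]*>/gi;
  let m;
  while ((m = divRe.exec(html)) !== null) {
    const style = m[1] !== undefined ? m[1] : m[2];
    if (!HIDDEN_OPACITY_RE.test(style)) continue;
    // Heuristic: treat everything up to the next </div> as this div's content
    // (good enough for flat markup like the sample's; nested divs need a parser).
    const bodyStart = m.index + m[0].length;
    const close = html.indexOf("</div>", bodyStart);
    const inner = html.slice(bodyStart, close === -1 ? html.length : close);
    if (LIKE_IFRAME_RE.test(inner)) {
      findings.push({ offset: m.index, style: style.trim() });
    }
  }
  return { suspicious: findings.length > 0, findings, followsMouse: MOUSEMOVE_RE.test(html) };
}

// Constructed sample markup modelled on the post's description; the Facebook
// page URL is a placeholder and the mousemove handler body is omitted.
const SAMPLE_HTML = `<html><body><h1>Welcome</h1>
<div id="fb" style="position:absolute; opacity:0; -moz-opacity:0; filter:alpha(opacity=0); width:1px; height:1px; overflow:hidden">
  <iframe src="https://www.facebook.com/plugins/like.php?href=https://www.facebook.com/PLACEHOLDER_PAGE"></iframe>
</div>
<script>document.addEventListener("mousemove", function (e) { /* omitted */ });</script>
</body></html>`;

// Constructed benign markup: a visible Like button and no mouse tracking.
const BENIGN_HTML = `<div style="opacity:1"><iframe src="https://www.facebook.com/plugins/like.php?href=https://www.facebook.com/PLACEHOLDER_PAGE"></iframe></div>`;

console.log(scanForLikejacking(SAMPLE_HTML)); // suspicious: true, followsMouse: true
console.log(scanForLikejacking(BENIGN_HTML)); // suspicious: false, followsMouse: false
```

The opacity check is the strongest signal; the mousemove check alone is too noisy to act on, since plenty of legitimate pages track the cursor.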

Conclusion

If a user was already logged into Facebook, which is likely for anyone who uses it, the "Like" would open a dialog from Facebook prompting them to confirm, rendering the surreptitious click-jack basically useless.

A hijacked click could be much more dangerous, which is why it is important to take notice of these types of techniques.
