New Facebook click-jacking scam spotted

Phony "like" attacks continue to plague social networking service.

Security researchers have spotted a new 'click-jacking' web scam on Facebook.

This week, security vendor Sophos issued a warning to users over what the company describes as a "likejacking" attack which spreads through the site's news feed and 'like' feature.

The attack appears as a link to a web page offering photos of the "101 hottest women in the world." Upon clicking the link the user is presented with a page which, when clicked, forwards the user to a third-party site.

In the process, however, the page also accesses the user's news feed without notification.

Clicking on the page activates the 'like' feature on Facebook which allows users to share pages. The page then appears on the news feeds of the victim's connections, spreading itself to a new crop of potential targets.

No actual malware code is installed to the user's system and the updates can be manually removed from the user's status feed.

According to Sophos senior technology consultant Graham Cluley, the scam is aiming to make money through generating advertising traffic, a process commonly referred to a 'click-jacking.'

The operation is not the first click-jacking attempt to spread via Facebook, and Cluley warned that the company needs to step up security measures if it want to slow the spread of similar operations.

"Facebook really needs to grab this problem by the horns, as it is increasingly being struck by clickjacking worms," Cluley wrote in a blog posting.

"The social network should tighten up the way it handles the 'liking' of external webpages before it is more widely abused by malicious hackers and spammers."