Clickjack scams are a trick exploiters use to get social media users to spread worms for them, usually for the scammer's financial gain. Webopedia defines a clickjack as "a vulnerability used by an attacker to collect an infected user's clicks. The attacker can force the user to do all sorts of things, from adjusting the user's computer settings to unwittingly sending the user to Web sites that might have malicious code." 1 In practice that means the victim's click lands on something other than what appears on the screen, such as a hidden Like or Share button.

Over the years, social media websites such as Facebook and Twitter have been frequent targets of clickjack frauds. Scammers favor social networks because of the large number of members, and because a scam can spread fast and in real time, which gives a swindler a pretty good chance of a payoff.

While clickjacking is not a new scam, it is reportedly on the rise because it is an easy moneymaker for scammers. 2

How Clickjacks Bait on Social Media

Typically, the clickjack scam is hung on a celebrity or a current event, or the post says something so outrageous that other network members cannot resist clicking. Once a person clicks, the hidden action fires: the link is posted to the victim's friends as if the victim had shared it, and the worm propagates through the network.

Past clickjack scams have carried titles such as "The Prom Dress That Got This Girl Suspended From School", "OMG OMG OMG... I cant believe this actually works! Now you really can see who viewed your profile!," and other sensationalist tidbits designed to bait and lure users into the scammer's crafty and, usually, malicious web. While these have been known for years, fraudsters keep adding newer tactics to scam people.

Mobile apps for social media
Credit: Jason Howie via Flickr/CC by 2.0

Even if only a handful of people on social media take the clickjack bait, it is a lucrative operation.

Even those popular quizzes are a concern. In January 2016, the Better Business Bureau (BBB) warned the public about IQ tests circulating on social media giant Facebook (a site many scammers love to exploit because of its huge membership: even a small percentage of people clicking is a big payoff). One of the IQ tests asks for a cellphone number in order to deliver the test results. What happens next is that the victim starts receiving spam texts and banner ads, and monthly charges appear on the mobile bill. The BBB said these charges run $9.99 and upward. 3

Video Clickjack Scams

A currently fashionable variant, the video clickjack worm, has been let loose in quantity in recent years. A few years back Facebook got hit by three in succession: one was the "Casey Anthony confession" scam, another promised live footage of the tragic bombing and shooting in Oslo, Norway, and around the same time scammers released a purported "hours before death" video of Amy Winehouse.

In 2011, security company Sophos reported that scammers impersonated BBC News reporting Lady Gaga's death in a hotel room; that too was a clickjack scam.

While some worms lead to malware infections and eventually identity or financial theft, other clickjack scams go straight for immediate financial gain. In most of those video scams, the exploiters made their money by requiring users to complete fake "surveys" before the video would play, with the scammer paid a commission for each survey completed. Once users clicked the link they never got a video, but spam went out to their friends, courtesy of the social media user's own account.

YouTube logo with flames
Credit: Maurits Knook via Flickr/CC by 2.0

Scammers love to pretend their links lead to a sensational YouTube or other online video. Sometimes they set things up so that anyone who tries to view the video is told to download a software "update" first. There is no update, of course; the payoff for the scammer is that the user has just been talked into installing something not so nice.

The Invisible Worm

Crafty scammers also use page-building tools such as JavaScript and CSS (and, in the past, Adobe Flash) to hide a legitimate button, such as a Tweet or Like button, behind or on top of a fake one: the real button is loaded in a transparent frame and positioned exactly where the decoy appears, so the click the user thinks is on "play video" actually lands on Like. Because the victim never sees the real button, the clickjack is very hard to spot.

For instance, in 2010 Facebook's Like button was exploited this way: many users' profiles showed links suggesting they liked a particular web page and invited their friends to come view it. In reality the users had unknowingly posted spam to their own profiles, and as a result the worm spread rapidly. The lure was catchy news headlines, which of course turned out to be fake links that shared the scam with friends rather than news.

social media sharing cloud
Credit: Geralt via Pixabay/CC0 Public Domain

Twitter is not immune either. In January 2011 the network was abused through a popular link-shortening service; ZDNet reported that the scammers were "using Google's redirection service to push unsuspecting users to a notorious scareware (fake anti-virus) malware campaign." 6

This one spread like wildfire through the network.

Fast forward to January 2016, and security company Malwarebytes reported that exploiters are even abusing the EU's cookie law: the cookie-consent notice that EU rules require on websites serves as the decoy, and the visitor's click on the notice lands on an invisible ad underneath.

"While simple, this technique, also known as clickjacking, is pretty effective at generating clicks that look perfectly legitimate and performed by real human beings as opposed to bots," Malwarebytes said in its report. "This is costing advertisers and ad networks a lot of money while online crooks are profiting from bogus Pay Per Click traffic."
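The invisible-button trick described under "The Invisible Worm" and the cookie-notice variant Malwarebytes describes above rest on the same mechanism: the real target is loaded in a transparent frame stacked over a decoy. What follows is an added example, not code from the original article or from Facebook, Twitter or Malwarebytes. The first part is a stripped-down decoy page of the kind an attacker hosts (the site names are placeholders). The second part is a small checker that, given a target page's response headers, reports whether a page on an attacker's origin could frame it at all, which is the first question a site owner should ask. The header handling follows how current browsers apply the two relevant headers: a Content-Security-Policy `frame-ancestors` directive takes precedence, otherwise `X-Frame-Options` applies, and the obsolete `ALLOW-FROM` form is ignored. The header sets at the bottom are constructed samples.

```javascript
// Added example (not from the original article): the anatomy of an
// invisible-overlay clickjack, and a checker for whether a page can be framed.

// Part 1: the attacker's decoy page. The visitor sees a "Play video" button,
// but a transparent iframe holding the real target (e.g. a Like button page)
// is positioned on top of it, so the click lands on the hidden button.
// "target.example" is a placeholder, not a real site.
const DECOY_PAGE = `<!doctype html>
<body>
  <button style="position:absolute;top:100px;left:100px;">Play video</button>
  <!-- real target, fully transparent and stacked above the decoy -->
  <iframe src="https://target.example/like?page=scam"
          style="position:absolute;top:92px;left:92px;width:130px;height:40px;
                 opacity:0;z-index:2;border:0;"></iframe>
</body>`;

// Does the CSP host-source `src` (lower-cased, quotes stripped) match `origin`?
function matchesSource(src, origin) {
  const o = new URL(origin);
  if (/^[a-z][a-z0-9+.-]*:$/.test(src)) return o.protocol === src; // scheme-source, e.g. "https:"
  const m = src.match(/^(?:([a-z][a-z0-9+.-]*):\/\/)?(\*\.)?([^/:]+)(?::(\d+|\*))?$/);
  if (!m) return false;
  const [, scheme, wildcard, host, port] = m;
  if (scheme && scheme + ':' !== o.protocol) return false;
  const hostOk = wildcard ? o.hostname.endsWith('.' + host) : o.hostname === host;
  if (!hostOk) return false;
  if (port && port !== '*') {
    const originPort = o.port || (o.protocol === 'https:' ? '443' : '80');
    if (port !== originPort) return false;
  }
  return true;
}

// Part 2: given the target page's response headers, can a page at attackerOrigin
// frame it? Browser precedence: a CSP frame-ancestors directive wins; otherwise
// X-Frame-Options DENY/SAMEORIGIN applies; anything else (the obsolete ALLOW-FROM,
// an unknown value, or no header at all) leaves the page frameable.
function canBeFramed(headers, attackerOrigin, targetOrigin) {
  const h = {};
  for (const [k, v] of Object.entries(headers)) h[k.toLowerCase()] = String(v);

  const csp = h['content-security-policy'];
  if (csp) {
    const directive = csp.split(';').map(s => s.trim())
      .find(s => s.toLowerCase().startsWith('frame-ancestors'));
    if (directive) {
      const sources = directive.split(/\s+/).slice(1)
        .map(s => s.replace(/^'|'$/g, '').toLowerCase());
      if (sources.includes('none')) return false;
      if (sources.includes('*')) return true;
      if (sources.includes('self') && attackerOrigin === targetOrigin) return true;
      return sources.some(src => matchesSource(src, attackerOrigin)); // empty list => no one
    }
  }

  const xfo = (h['x-frame-options'] || '').trim().toUpperCase();
  if (xfo === 'DENY') return false;
  if (xfo === 'SAMEORIGIN') return attackerOrigin === targetOrigin;
  return true;
}

// Constructed sample header sets a site owner might find on a target page.
const SAMPLES = {
  'no headers': {},
  'XFO DENY': { 'X-Frame-Options': 'DENY' },
  'XFO SAMEORIGIN': { 'X-Frame-Options': 'SAMEORIGIN' },
  'obsolete ALLOW-FROM': { 'X-Frame-Options': 'ALLOW-FROM https://partner.example' },
  'CSP partner list over XFO DENY': {
    'X-Frame-Options': 'DENY',
    'Content-Security-Policy': "default-src 'self'; frame-ancestors https://*.partner.example",
  },
};

if (typeof require !== 'undefined' && require.main === module) {
  for (const [name, headers] of Object.entries(SAMPLES)) {
    const evil = canBeFramed(headers, 'https://evil.example', 'https://target.example');
    console.log(`${name.padEnd(32)} frameable by evil.example: ${evil}`);
  }
}
```

Run it with node to see the verdict for each sample. A target that serves `X-Frame-Options: DENY` or `Content-Security-Policy: frame-ancestors 'none'` cannot be used as the invisible layer, and the last sample shows why both headers need checking: the CSP allow-list overrides the DENY, so a page on a partner subdomain can still frame it. The catch for social buttons is that a Like or Tweet button is meant to be embedded in other people's pages, so it cannot refuse framing outright; that is exactly why the overlay trick worked against it and why the networks had to add their own countermeasures on the button itself.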

Yes, the clickjack scams are alive and kicking. 

Be Proactive, Not Reactive

Play it smart and never "react" on social media without taking a few minutes to think, even if the post is "shocking". The best way to avoid becoming a victim of a clickjack is to be careful with links, learn what clickjacking is, and keep a close eye on your social media profiles and pages to make sure nothing odd shows up there, whether posted by friends or apparently by you.

Additionally, if a link appears in your feed written in a sensationalist manner, as "breaking news", or as a comment that is totally off the wall, check your friends' profiles to see whether the same link has been posted dozens of times; that is usually a clear warning flag that friends in your network have fallen victim to a fast-spreading clickjack worm.

Also search for the news on your favorite search engine before hitting Like, retweeting or clicking the link. If the news is really happening, legitimate news sites will be reporting it. Most news does not break on social media, and even when it does, other news sites will pick it up anyway. It is also a good idea to send your friend a quick message asking whether he or she intentionally shared the link. That way you can confirm the post, or alert your friend that he or she has fallen victim to the scam.

Unfortunately, clickjack scams are more than likely here to stay, and, as with other scams, the schemers are getting savvier too. With a good eye and the latest information, however, you can better protect yourself.