Consider this (based on an actual incident): You’re employed by a financial firm; you have a Facebook page; you’re the coordinator for the annual company picnic; and, many of your co-workers also have Facebook pages and are in your group of friends. Sounds OK, right? Just a gathering of co-workers on a social network.

Well, think again. The cyber-criminals had a field day with it.

The crooks noticed this social circle, noting that they all worked for a firm that might be a good target. Attempts to hack the Facebook accounts were rewarded with a successful attempt against the person I mentioned above. The criminals now were able to impersonate the victim. The crooks sent messages out to the victim’s friends with a subject similar to “Look who I caught on camera at the company picnic.” The messages contained what looked like a link to some photos, but was really a link to a malicious site that contained malware in the form of a keylogger program.

You’re a friend of the victim, and you get a message from them. No problem, they’re your friend on Facebook and a co-worker whom you trust. Naturally, you think it’s safe, so you open the email and click on the link. You’re infected with a keylogger program. On your company laptop. That you use to access the corporate VPN at home and on the road.

Tonight, you have a report that’s due and you’ve just finished it, so you log into the VPN, access the secure data repository and upload your file. The bad guys have a complete recording of everything you just did…

The criminals managed to log in to the corporate VPN and spent the better part of two weeks mapping the network to see what they could steal. The good news is that the slime bags were discovered, but not before they had already compromised two of the central database servers and had taken full control of them.

Trust no one and never click links until you are sure where they lead.

Yep, clickjacking is in the wild. I build, fix, and de-badware computers for family, friends, and businesses. I had a friend complain that his eBay page kept popping up with auctions when he hadn’t accessed eBay. So, dutifully, I went to see what was going on and found that he had been trawling through some [game] crack sites.

When he clicked some links, he would also pop his eBay page up (he had his eBay cookie set). Bingo! The crack-page vendors had scored his login details. I quickly apprised him of the risks of visiting said pages and, of course, quickly reset his eBay password and scanned, cleaned, and disinfected his computer.

Just yesterday, I received a report from another engineer at our office that he had witnessed a clickjacking attempt on his own machine when he clicked a button on an antivirus blog. Instead of going to the previous page, as expected, he receive a pop-up for the “Antivirus XP 2009” malware download. I had him disable IFRAME handling in Internet Explorer and install NoScript on Firefox. That fixed the issue.

There’s a much better approach, however: switch to Firefox and take advantage of the free Firefox add-on, NoScript. NoScript takes a “default deny” approach and prevents all scripts on a site from running unless you explicitly permit them.  NoScript is also effective against the latest clickjacking attacks. My article, “How to Protect Yourself from Clickjacking,” over at Dave’s Computer Tips describes the configuration options for both IE and Firefox with NoScript installed.

Switch to Firefox, install NoScript, and enjoy secure computing.

Clickjacking gives an attacker the ability to trick a user into clicking on something only barely or momentarily noticeable. Therefore, if a user clicks on a web page, they may actually be clicking on content from another page. A separate report indicates that this flaw affects most web browsers and that no fix is available, but that disabling browser scripting and plug-ins may help mitigate some of the risks.

A ZDNet blog posting, Firefox + NoScript vs Clickjacking, The Firefox plugin NoScript, written by Giorgio Maone, is effective against the most dangerous aspects of the exploit. In an email to ZDNet blogger Ryan Naraine, Maone said this about the exploit:

1. It’s really scary
2. NoScript in its default configuration can defeat most of the possible attack scenarios (i.e. the most practical, effective and dangerous) — see this comment by Jeremiah Grossman himself.
3. For 100% protection by NoScript, you need to check the “Plugins|Forbid iframe”[options]

Understandably, there’s not much specific information available about the exploit, but most experts agree that there’s no simple fix for it. In his blog post, Naraine said “I also received private confirmation from a high-level source at an affected vendor about the true severity of this issue. In a nutshell, I was told that it’s indeed ‘very, freaking scary’ and ‘near impossible’ to fix properly.”

For now, everyone should immediately disable scripting and iframes in whatever browser they’re using. Firefox users should install NoScript and set the “Plugins | Forbid iframe” option as noted above. I also recommend that everyone review US-CERT’s article “Securing Your Web Browser” to insure maximum protection against this and other security risks.

I’ll keep you posted on further developments and suggestions for additional protection as the story unfolds.