This Cheerleaders Gone Wild clickjacking attack hid behind a fake content warning.

A new clickjacking scam was spreading on Facebook, luring victims with a
purported video of "cheerleaders gone wild," a security expert warned on
Thursday before Facebook shut the attack down. Victims' accounts
were posting messages that said "cheerleaders gone wild - have to see
this" with a photo of, you guessed it, a cheerleader carrying pom poms.
Clicking the link led to a warning that the content may be inappropriate
for some users and prompted users to confirm that they are 18 or older,
said Graham Cluley of Sophos, who bravely clicked the link, for research
purposes only, of course.

Another warning then popped up, pretending to be an antispam mechanism
that asked the user to click three buttons numbered 1, 2, and 3 in a
specific order. Once that was done and the "submit" button was clicked,
the user's account registered that it "likes" the Cheerleaders Gone Wild
page, and that message was broadcast from the victim's account to his or
her newsfeed for all friends to see, Cluley said.