Clickjacking Worm Hits Facebook
Written by Terence Sequeira
Thursday, 17 June 2010 00:00

A clickjacking worm that forced hundreds of thousands of unsuspecting Facebook users to post spam messages on their profiles spread rapidly through the social networking website. The worm used catchy news headlines to lure its victims into the trap.

Clickjacking is a Web attack technique that involves hijacking the user's mouse clicks on a page and using them to trigger unauthorized actions. The attack is technically known as user interface (UI) redressing because it hides a clickable object, such as a button, by making it transparent and superimposing it over a harmless-looking one.

The latest Facebook worm seems to be a proof of concept, because it does nothing destructive and its only purpose is to propagate. The offending messages posted on its victims' profiles are based on real and catchy news topics from the past several months. Examples include "LOL This girl gets OWNED after a POLICE OFFICER reads her STATUS MESSAGE", "This man takes a picture of himself EVERYDAY for 8 YEARS!!", "The Prom Dress That Got This Girl Suspended From School", and "This Girl Has An Interesting Way Of Eating A Banana, Check It Out!".

Clicking on the messages takes users to external pages hosted at blogspot.com, which display only the text "Click here to continue." However, clicking anywhere on the page abuses the user's active Facebook session to publish a spam message back to their profile.

To protect themselves, Mozilla Firefox users can install NoScript, a browser extension that includes protection against clickjacking attacks.
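
NoScript protects one browser; the site being framed can also tell browsers not to render it inside another origin's page. The following is an added example, not code from the original article: a simplified model of how the standard `X-Frame-Options` and CSP `frame-ancestors` response headers decide whether a page may be framed. The origins and header values are constructed, and only the direct embedding page is checked, not the full ancestor chain.

```javascript
// Added example. Simplified model of how a browser decides whether a response
// may be rendered in a frame; origins and header values used with it are constructed.

// Return the frame-ancestors source list from a CSP header value, or null.
function parseFrameAncestors(csp) {
  for (const directive of csp.split(';')) {
    const tokens = directive.trim().split(/\s+/);
    if (tokens[0].toLowerCase() === 'frame-ancestors') return tokens.slice(1);
  }
  return null;
}

// Match one source expression against the embedding origin. Ports, paths and
// scheme-only sources are not modelled and are treated as non-matching.
function sourceMatches(source, embedder, site) {
  const s = source.toLowerCase();
  if (s === "'none'") return false;
  if (s === "'self'") return embedder.origin === site.origin;
  if (s === '*') return true;
  const m = /^(?:(https?):\/\/)?(\*\.)?([^\/:*]+)$/.exec(s);
  if (!m) return false;
  if (m[1] && embedder.protocol !== m[1] + ':') return false;
  return m[2] ? embedder.hostname.endsWith('.' + m[3]) : embedder.hostname === m[3];
}

// True if a page at embedderOrigin could frame a response served by siteOrigin.
function canBeFramedBy(headers, embedderOrigin, siteOrigin) {
  const embedder = new URL(embedderOrigin);
  const site = new URL(siteOrigin);
  const h = {};
  for (const [name, value] of Object.entries(headers)) h[name.toLowerCase()] = value;

  const csp = h['content-security-policy'];
  const ancestors = csp ? parseFrameAncestors(csp) : null;
  if (ancestors !== null) {
    // frame-ancestors, when present, is enforced instead of X-Frame-Options.
    return ancestors.some((src) => sourceMatches(src, embedder, site));
  }
  const xfo = (h['x-frame-options'] || '').trim().toUpperCase();
  if (xfo === 'DENY') return false;
  if (xfo === 'SAMEORIGIN') return embedder.origin === site.origin;
  // Header absent, or a value browsers ignore (e.g. obsolete ALLOW-FROM).
  return true;
}
```

A response with neither header returns `true` for every embedding origin, which is the condition UI redressing depends on.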

Ref: http://news.softpedia.com/news/Clickjacking-Worm-Hits-Facebook-143463.shtml