Another click-jacking scam hits Facebook

Yet another click-jacking scam has been spreading across Facebook, leading unsuspecting users to sign up – and pay for – a $5 per week phone service.

The scam starts by presenting the opportunity to see the ‘Top 10 Funny T-Shirt Fails ROFL’.

The page then asks the user to fill in a survey to verify that they are a real human being. But the ‘next’ button provided is actually a dummy, hiding an only-too-functional ‘share’ button, so that the page is posted to the user’s wall. Only browsers running NoScript show the ‘share’ button.

Next come the questions purporting to be a verification tool. One request is for the user’s cellphone number – and, when this is provided, the user is automatically signed up for the phone service.

The small print reads: “This is an auto renewing subscription service that will continue until canceled. To cancel the service at anytime Text STOP to short code. Available to users over 18 for $5/Week charged on your wireless account or deducted from your prepaid balance.”

“The whole purpose of having them spread this threat virally is to get as many people as they can to fill in these surveys for monetary gain,” says Sophos researcher Onur Komili.

“Unfortunately most people won’t read the fine print and will willingly hand over the information, and likely won’t notice the charges until the end of the month.”

Facebook has already pulled the offending pages, but Sophos says users should check their walls to make sure no links remain.

It’s the second such scam in a week to hit Facebook. On Monday, security researchers described how a ‘dislike’ button link was being used to tempt unwary users. That, too, asked users to fill in a survey, using the ‘like’ button to spread.