Likejacking: Definition, Attack Methods & Prevention

Understand how likejacking exploits social media buttons via UI redress. Learn to use CSP and X-Frame-Options to protect your site and users.

Likejacking is a social engineering attack that tricks social media users into liking a page or post without their consent. It is a specific type of clickjacking that exploits Facebook's "Like" button to artificially inflate engagement or spread malicious content. Marketers and developers must understand this technique to protect their site's reputation and ensure social signals remain authentic.

What is Likejacking?

Likejacking, a portmanteau of "Like" and "Hijacking," is categorized as a user interface (UI) redress attack. An attacker overlays a transparent layer containing a hidden Facebook "Like" button over an enticing piece of content, such as a viral video or a shopping offer. When a user clicks to play the video or buy an item, they unknowingly trigger the hidden Facebook button instead.

The term began gaining significant traction after Corey Ballou used it in a 2010 article describing malicious activity surrounding social buttons. While the technique is most commonly associated with Facebook, it can apply to any social networking feature that uses one-click interaction.

Why Likejacking matters

Likejacking impacts both user security and the integrity of digital marketing metrics.

  • Algorithmic manipulation: Facebook's algorithm prioritizes popular content. Unauthorized likes increase the visibility of malicious posts, causing them to spread further across the platform.
  • Viral propagation: When a user "likes" a page through this attack, the action appears on their profile news feed, exposing their entire friend network to the same scam.
  • Security risks: Attackers often use the initial "Like" as a gateway to spread malware, collect personal data, or drive traffic to malicious sites for financial gain.
  • Account reputation: For brands, being associated with likejacking can lead to account suspensions or a total loss of user trust.
  • Monetization fraud: Scammers use these techniques to monetize click-throughs through CPA (Cost Per Action) affiliate networks.

How Likejacking works

The attack relies on the browser's ability to render transparent layers and iframes.

  1. Setting the trap: The attacker creates a website featuring high-interest content, such as a viral news item or a "Not Safe For Work" (NSFW) image.
  2. Layering the UI: The attacker uses CSS or JavaScript to hide a Facebook "Like" button inside a transparent iframe. This invisible frame is positioned directly over a visible call-to-action (CTA), like a "Play" button.
  3. The unwitting click: A user, logged into their social account in another tab, clicks the visible content. The browser applies this click to the hidden iframe.
  4. Social propagation: The "Like" is recorded on the user's profile. Their friends see the activity, click the link, and the cycle repeats.

Likejacking vs. Clickjacking

All instances of likejacking are clickjacking, but not all clickjacking is likejacking.

| Feature | Clickjacking (General) | Likejacking (Specific) |
|---|---|---|
| Primary goal | Intercepting any click for any action. | Forcing a social media "Like." |
| Common target | Purchase buttons, settings, or deletes. | Facebook "Like" or social buttons. |
| Method | UI redressing (transparent layers). | Social button iframes. |
| Viral element | Usually low; depends on the action. | High; utilizes friend feeds. |

Prevention and best practices

Preventing these attacks requires a combination of server-side configurations and browser-side detection.

Implement X-Frame-Options headers

Use the X-Frame-Options HTTP header to control whether your site can be embedded in a frame. Setting it to DENY or SAMEORIGIN prevents external sites from loading your pages in hidden iframes. This header, which offers only partial protection, was first shipped in Internet Explorer 8 and was later adopted by all major browsers.

Use Content Security Policy (CSP)

The frame-ancestors directive in a CSP is the modern standard for preventing UI redressing. It allows you to allowlist the specific origins that are authorized to embed your content.

Utilize Intersection Observer v2

This API helps developers detect whether an element is actually visible to a human or is being obscured. Google Chrome 74 enabled Intersection Observer v2 by default in April 2019 to help widgets detect when they are covered by another layer.

Install security extensions

Users can protect themselves with browser add-ons like NoScript. Its ClearClick feature, released in 2008, analyzes the visibility of elements and prevents clicks on hidden or "redressed" items.
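The three site-side defenses above, worked through as an added example (not code from the original article): building the anti-framing headers, checking whether a response with given headers may be framed by a given embedder, and the widget-side Intersection Observer v2 gate. All function and class names are this example's own, and the checker matches exact origins only (no host wildcards).

```javascript
// Added example (not code from the original article): the anti-framing headers a
// site should send, a checker for whether a response may be framed by a given
// embedder, and the widget-side Intersection Observer v2 gate. All names are this
// example's own; the checker matches exact origins only (no host wildcards).

// Headers that stop the page being loaded in a hidden iframe. `allowedOrigins`
// lists trusted embedders; empty means nobody may frame the page.
function antiFramingHeaders(allowedOrigins = []) {
  const ancestors = allowedOrigins.length ? ["'self'", ...allowedOrigins].join(" ") : "'none'";
  return {
    "Content-Security-Policy": `frame-ancestors ${ancestors}`,
    // Legacy fallback for browsers that predate frame-ancestors support.
    "X-Frame-Options": allowedOrigins.length ? "SAMEORIGIN" : "DENY",
  };
}

// Can a page at `pageOrigin`, served with `headers`, be framed by a page at
// `embedderOrigin`? frame-ancestors takes precedence over X-Frame-Options.
function mayBeFramed(headers, pageOrigin, embedderOrigin) {
  const m = (headers["Content-Security-Policy"] || "").match(/frame-ancestors\s+([^;]+)/i);
  if (m) {
    const sources = m[1].trim().split(/\s+/).map((s) => s.toLowerCase());
    if (sources.includes("'none'")) return false;
    return sources.some((s) => s === "*" || s === embedderOrigin.toLowerCase() ||
      (s === "'self'" && embedderOrigin === pageOrigin));
  }
  const xfo = (headers["X-Frame-Options"] || "").trim().toUpperCase();
  if (xfo === "DENY") return false;
  if (xfo === "SAMEORIGIN") return embedderOrigin === pageOrigin;
  return true; // no framing policy at all: any site may embed the page
}

// Widget side. With trackVisibility on, Intersection Observer v2 reports
// isVisible only when the button has been fully unobscured for at least `delay`
// ms, so a click arriving while it is not visible is refused.
class VisibilityGate {
  constructor() { this.visible = false; }
  update(entries) { // IntersectionObserver callback
    for (const e of entries) this.visible = e.isIntersecting && e.isVisible === true;
  }
  allowClick() { return this.visible; }
}
function observeButton(button, gate) { // browser only
  const io = new IntersectionObserver((entries) => gate.update(entries),
    { threshold: [1.0], trackVisibility: true, delay: 100 }); // v2 options
  io.observe(button);
  button.addEventListener("click", (ev) => { if (!gate.allowClick()) ev.preventDefault(); });
  return io;
}
```

Running `mayBeFramed` over your own site's response headers from a scanner or a CI check is a quick way to catch pages that were deployed without either header.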

Common mistakes

  • Relying on JavaScript "framekillers": Mistake: Using simple JS snippets to break out of frames. Fix: These are often bypassable in certain browsers; use HTTP headers like CSP or X-Frame-Options instead.
  • Assuming HTTPS provides protection: Mistake: Believing that an SSL certificate stops UI redressing. Fix: Likejacking is a front-end interface issue, not an encryption issue; specific headers are required.
  • Ignoring mobile-specific UI: Mistake: Forgetting that "toast" notifications on mobile can also be used for clickjacking. Fix: Ensure mobile UI elements do not overlap with critical CTAs.

FAQ

What is the origin of the term "Likejacking"?

The term is a blend of "like" and "hijacking." It was popularized around May and June of 2010 when viral clickjacking worms began hitting Facebook. It specifically describes the use of Facebook's social plug-ins for malicious redirection or engagement.

Can Likejacking happen if I am not logged into Facebook?

The attack usually requires the user to be authenticated in their browser. If you are not logged in, the "Like" button in the hidden iframe will not have the authority to register a like to your specific account.

How do attackers monetize these illicit likes?

Attackers drive traffic to pages where they can monetize visitors through CPA affiliate media, sometimes targeting specific IP addresses from countries like Germany, Finland, or Spain to maximize revenue from specific advertisers.

Are there any official solutions from Facebook?

According to reports, a solution to likejacking was developed during one of Facebook's hackathons. Additionally, Facebook's algorithm and security systems now work to detect and mitigate viral patterns associated with these automated attacks.

Is Likejacking limited to the "Like" button?

While named after the "Like" button, the same technique can be used for "Follow" buttons, "Share" buttons, or even Google+ buttons (when they were active). Any third-party social element implemented via iframe is potentially vulnerable if not properly defended.
