Once clicked on, these links can lead to another tab with a play video button, where the content may load. Or, it could lead to a request for the user’s name, birthday, and email address as a prerequisite for watching the video—especially if it contains content meant for the twenty-one (21) and over crowd. Then, it may or may not deliver the promised entertainment. What it will deliver, however, is a public “like” from the user on the sponsored Facebook page and on the user’s wall so their friends can also see the “like” as a form of advertising. This is LIKEJACKING.
How does this happen, especially if the user does not click on a like button? When a victim clicks on the link to watch a video, two screens load. In one, everything appears normal. Under that is another screen (unseen by the victim) containing code that includes hidden like buttons masked by normal, functional buttons. For example, pressing the play video button may actually register as a like, but the user will not know it.
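The layering described above can be audited from the defender's side. The following is an added example, not code from the original article: it flags a near-transparent like-widget frame that overlaps a visible button and would receive the click. The element records, the `WIDGET_HOSTS` list, the 50% overlap threshold and all function names are assumptions made for illustration.

```javascript
// Added example. Element records are constructed; in a browser they would come
// from getBoundingClientRect() and getComputedStyle().
const WIDGET_HOSTS = ["facebook.com"]; // assumption: hosts that serve like widgets
function isWidgetFrame(el) {
  if (el.tag !== "iframe") return false;
  try {
    const host = new URL(el.src).hostname;
    return WIDGET_HOSTS.some((d) => host === d || host.endsWith("." + d));
  } catch {
    return false; // relative or malformed src: not a third-party widget
  }
}

// Opacity near zero hides a frame from the eye but not from the mouse;
// display:none and visibility:hidden frames cannot be clicked at all.
const unseenButClickable = (el) =>
  el.opacity <= 0.1 && el.display !== "none" &&
  el.visibility !== "hidden" && el.pointerEvents !== "none";
function overlap(a, b) {
  const w = Math.min(a.x + a.w, b.x + b.w) - Math.max(a.x, b.x);
  const h = Math.min(a.y + a.h, b.y + b.h) - Math.max(a.y, b.y);
  return w > 0 && h > 0 ? w * h : 0;
}

// Simplified stacking: the frame gets the click if it is above the decoy, or
// below a decoy that lets clicks pass through (pointer-events: none).
const frameTakesClick = (frame, decoy) =>
  frame.z > decoy.z || decoy.pointerEvents === "none";
function findLikejackOverlays(elements) {
  const frames = elements.filter((e) => isWidgetFrame(e) && unseenButClickable(e));
  const decoys = elements.filter((e) => e.tag !== "iframe" && e.opacity > 0.1 && e.display !== "none");
  const findings = [];
  for (const f of frames)
    for (const d of decoys) {
      const covered = overlap(f, d) / (f.w * f.h); // share of the frame that overlaps the decoy
      if (covered >= 0.5 && frameTakesClick(f, d))
        findings.push({ frame: f.id, decoy: d.id, covered });
    }
  return findings;
}

// Constructed sample page: a play button with a transparent like frame over it,
// plus a visible like frame elsewhere that should not be flagged.
const samplePage = [
  { id: "play", tag: "button", x: 100, y: 100, w: 200, h: 60, z: 1, opacity: 1 },
  { id: "hidden-like", tag: "iframe", src: "https://www.facebook.com/plugins/like.php", x: 150, y: 110, w: 80, h: 30, z: 10, opacity: 0 },
  { id: "visible-like", tag: "iframe", src: "https://www.facebook.com/plugins/like.php", x: 400, y: 300, w: 80, h: 30, z: 1, opacity: 1 },
];
console.log(findLikejackOverlays(samplePage));
```

The stacking test is a deliberate simplification; a real page audit would resolve the topmost element at the button's coordinates instead of comparing z-index values.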
Likejacking is an invasion of privacy because it reveals, or simulates, a user’s online habits without permission. After all, showing that one likes salacious content could be embarrassing or detrimental to one’s reputation. It could also lead to inaccurate depictions of oneself, as in the case of a leading member of a political party who watched a video from another political group and was likejacked into giving what appeared to be support for a candidate with opposing views.
The purpose of stolen “likes” is to generate traffic and, along with it, ad revenue. Because people are more likely to trust endorsements from friends, they may try to view the content shown on their news feeds. Much like a computer virus, this content spreads exponentially as the web of likes increases. For each view of the content, ad revenue is generated, so the more views the better. The more unsavory sites that request personal information also have the added bonus of harvesting names to sell for additional advertising or for use in identity theft operations.
Facebook has applied preventive measures to thwart likejacking, but they have not been 100% successful. In some cases, when a user likes a product, Facebook will ask for verification before posting it. But as always, the bad guys will try to find a workaround. One tactic used by professional likejacking teams is the creation of a website to lure users to click hidden buttons. After this, a new domain is purchased so that a copy of the main website can be pointed to it. The copy website is then published, and when it raises a red flag, it is easily taken down with a new “burner” website ready to take its place.
In order to combat this, Facebook has required that a website must be live and in its current form for four (4) weeks prior to adding advertising content. How-to videos and message boards abound with tutorials and tips for likejacking content. The next time you see a video on your newsfeed, ask yourself if you really care about its content; it could save you from unwittingly advertising a product that you otherwise wouldn’t want to be associated with.