Blackhat Hack: How to get thousands of real Facebook likes

In this blogpost I will show you how to use a technique called ‘clickjacking’ to gain thousands of real Facebook likes, Twitter Followers, Google +1’s, you name it. You could potentially use this hack to get every single visitor of your website to like your Facebook page without them even knowing.

But more importantly, I will also show you how you can prevent this from happening to your website. Be ready for some technical terms. In order to be able to follow this tutorial, you should at the very least have some basic knowledge of HTML.

And please, before you read any further, be sure to read and understand the warning below!

Warning: Clickjacking is an extreme blackhat practice. At TweetFavy we have never used, nor will we ever use, any blackhat hacks or other such methods to gain exposure. We recommend you do neither! The information provided in this article is to be used for educational purposes only and to help protect yourself against such hacks. We are not responsible for any misuse of the information provided.

What the heck is clickjacking anyways?

Clickjacking, also known as a “UI redress attack”, is when an attacker uses multiple transparent or opaque layers to trick a user into clicking on a button or link on another page when they were intending to click on the top-level page. Thus, the attacker is “hijacking” clicks meant for their page and routing them to another page, most likely owned by another application, domain, or both.

For example, imagine a hacker who builds a web site that has a button on it that says “click here to go to Google”. However, on top of that web page, the attacker has loaded an iframe with a Twitter Follow button, and lined up the “Follow” button exactly on top of the “click here to go to Google” button. The victim tries to click on the link to Google, but instead actually clicks on the invisible Twitter Follow button. The victim now starts to follow the attacker on Twitter without even knowing it. In essence, the attacker has “hijacked” the user’s click, hence the name “Clickjacking”.

Back in 2009, clickjacking made the news in the form of a Twitter worm. This clickjacking attack convinced users to click on a button which caused them to re-tweet a link to the malicious page, causing it to go viral.

Clickjacking was initially discovered by Robert Hansen and Jeremiah Grossman.

Digging in

In this demonstration, we are going to steal Facebook likes without the user knowing it.

In order to do this, we will be using a brand new tool called Quickjack (a brilliant but nasty tool by Samy Kamkar) to automatically generate the code that allows the victim to click anywhere on the page in order to get clickjacked. But before we can do any of that, we will have to create a like button.


Step 1: Creating a Facebook Like button

You can head over to this Facebook page which allows you to easily generate a like button. Make sure to disable the “Show Friends’ Faces” option, and don’t include the share button. Then click on the ‘Get code’ button.





Step 2: Set-up a page for the Like button

Now that we have the code for the like button, we will need a page to display it on. Copy and paste the code you just generated on Facebook into a blank HTML file, and make sure you upload it to your web server.




Step 3: Generate the clickjacking script

This is where the fun begins. Head over to the Quickjack tool I told you about earlier, and enter the link to your like button page in the input field. Then click on the ‘Go’ button next to the input:




Quickjack will load your like button into its page, but because the like button is so small, it will appear behind the input and buttons from Quickjack itself. Use the drag tool (black arrow icon on the top left) to drag Quickjack’s controls below your like button.

Next, we have to instruct Quickjack where we want to force the user to click. We want our victims to click on the like button, so go ahead and click on it. A red crosshairs will appear to indicate where you’ve set your click-target. You can now click on the “I’m done!” button to generate the code for the clickjack script.




Step 4: Let the clickjacking begin!

You can now simply copy the code that Quickjack has generated for you, and paste it to any (high-traffic) website you own. When a visitor clicks anywhere on that website, he or she will actually be pressing the like button you’ve just created.


Defending against Clickjacking

There are two main ways to prevent clickjacking:

  1. Sending the proper X-Frame-Options HTTP response headers, which instruct the browser not to allow framing from other domains
  2. Employing defensive code in the UI to ensure that the current frame is the top-level window

I don’t want to make this article too technical, so for more information on Clickjacking defense, please head over to the Clickjacking Defense Cheat Sheet.
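The two defenses listed above, as an added example that is not code from the original post or from the cheat sheet it links to. It goes slightly beyond the text by also sending and checking the CSP `frame-ancestors` directive, the standardized successor to X-Frame-Options; the function names and sample responses are constructed for illustration.

```javascript
// Added example. Function names are illustrative, not from any library.

// Defense 1: response headers that control who may frame the page.
// X-Frame-Options is the header the article names; CSP frame-ancestors
// is its standardized successor and is sent alongside it.
function framingHeaders(policy = "deny") {
  const table = {
    deny: ["DENY", "frame-ancestors 'none'"],
    sameorigin: ["SAMEORIGIN", "frame-ancestors 'self'"],
  };
  if (!Object.keys(table).includes(policy)) throw new Error("unknown policy: " + policy);
  const [xfo, csp] = table[policy];
  return { "X-Frame-Options": xfo, "Content-Security-Policy": csp };
}

// Audit a response's headers (plain object, any key case) for the same defense.
function auditFraming(headers) {
  const h = {};
  for (const [k, v] of Object.entries(headers)) h[k.toLowerCase()] = String(v).trim();
  const findings = [];
  const protectedBy = [];
  const xfo = (h["x-frame-options"] || "").toUpperCase();
  if (xfo === "DENY" || xfo === "SAMEORIGIN") protectedBy.push("x-frame-options");
  else if (xfo.startsWith("ALLOW-FROM")) findings.push("ALLOW-FROM is obsolete; current browsers ignore it");
  else if (xfo) findings.push("unrecognized X-Frame-Options value: " + xfo);
  const fa = (h["content-security-policy"] || "").split(";")
    .map((d) => d.trim()).find((d) => /^frame-ancestors\s/i.test(d));
  if (fa && fa.split(/\s+/).slice(1).includes("*")) findings.push("frame-ancestors * permits any framer");
  else if (fa) protectedBy.push("frame-ancestors");
  if (protectedBy.length === 0) findings.push("page can be framed by other origins");
  return { framable: protectedBy.length === 0, protectedBy, findings };
}

// Defense 2: in-page check that this frame is the top-level window.
// In a browser, ship the page with <html style="display:none"> and call
// revealIfTopLevel(window, document) from an inline script.
function revealIfTopLevel(win, doc) {
  const isTop = win.self === win.top;
  if (isTop) doc.documentElement.style.display = "";
  return isTop; // a framed page stays hidden, so it offers nothing to click
}

// Constructed sample responses (not captured traffic).
const samples = {
  unprotected: { "Content-Type": "text/html" },
  legacyOnly: { "X-Frame-Options": "ALLOW-FROM https://partner.example" },
  hardened: framingHeaders("deny"),
};
for (const [name, hdrs] of Object.entries(samples)) console.log(name, auditFraming(hdrs));
```

The header is the primary control; the in-page check is a fallback for browsers that do not enforce it.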

Jerre Baumeister

Jerre is the founder of TweetFavy and the co-founder of Novim Media. He is also a web-developer & -designer who specializes in back-end development. If you'd like to connect with him, you can find him on Twitter @JerreBM

  • Danny ruthe

    Jerre, above is not working. Facebook link doesn’t come after clicking on GO. Please let me know if there is any solution for this.

    • Jerre Baumeister

      Hi Danny,

      Here’s some more info on Step 3, I think you’re missing something:

      Go to Quickjack, and enter the URL of the page where you uploaded the page with your like button (See the first image in step 3). Click on the ‘GO’ button. Quickjack will load your page under his. Use the move tool to drag the toolbar down, then click like (See the second image in step 3). Once you’ve done that, click on the ‘I’m Done!’ button, and this screen will appear (See image attached).

      Leave all the checkboxes unchecked, and copy the code that Quickjack has generated. Now you can place this code in any website you own. For now, I would suggest to just create a new, simple HTML page. Add a single link in it, and paste the code from Quickjack into it. Upload it to your server, and try clicking on the link. You’ll find that you have pressed the like button instead.

      • Danny ruthe

        ohk, its working now…….thanks Jerre..
        Jerre we are having a situation. One of our clients’ competitors are getting huge facebook like around 60 likes within a minute. I don’t think they are genuine,

        1. is there any method we can do this same ??
        2. Is there any tool which can identify whether likes are genuine ?
        3. Is there any tool which can find out source of likes ?

        • Jerre Baumeister

          One thing you should understand, is that the value is never in the amount of likes, but in the quality of likes. Why? Because low quality or fake likes results in less engagement, and engagement is very important for EdgeRank, which is Facebook’s algorithm that determines which posts go into users’ News Feeds.

          It’s difficult enough to get your posts into the News Feeds of your Facebook Fans as it is, but when your Facebook Page has little or no engagement (especially with a large number of Likes), your EdgeRank will drop and no one will see your posts – including your real Likes.

          You may also want to watch this video if you haven’t seen it before:

          Anyways, to answer your questions:

          1. Yes, you can either use a hack like the one written above, or you can buy them on sites like Fiverr. Although I would highly recommend you do neither.

          2. No, but likes coming from countries like India, Nepal, Bangladesh, etc. are a huge red flag.

          3. No, as far as I know you can only see if they came via Facebook organically, by paid ad, or another source. What you could do is to track the clicks on like buttons you have on your own website(s), but there’s no way to find out the exact source if they came from some third-party source.

          If you feel that due to the current situation it’s really important for your client’s like base to get a boost, I would suggest to run a Sweepstake (Take a look at You will have to spend some money on this, but it’s worth it. It will help you to grow your likes, followers, google +1’s, email list, etc. all at once. Last time I ran one I got over 4000 targeted, high quality Facebook likes within just a few days (not to mention all the other socials).

      • Danny ruthe

        One more thing, this script works on Chrome..doesn’t work on firefox.

        • Jason Zarnowski

          did you ever get this working in firefox?

  • Anabela Mihic

    i dont think it works anymore… ur experience? tx!

  • Jim Moritz

    To be honest with you guys this is my first visit on your website. Thanks for interesting advice on How to get thousands of real Facebook likes!

  • antialiasis

    I’m sorry, but somehow the fact you have a “This is totally blackhat, guys! This is here strictly for, ahem, educational purposes” warning at the top and link to another site about defending against it as an afterthought at the bottom doesn’t make it any less breathtakingly scummy for a “growth hacking” company to publish a detailed step-by-step clickjacking tutorial on your blog that excitedly calls it a way to get “thousands of real Facebook likes”.

    Then again I don’t know what I expected from a company that’s all about spamming fake Twitter favorites.

  • Sebastian Ellis

    I dont know how to make a blank html page. I want to add the like button to my tumblr so when I share the tumblr link from my verified FB page and the tumblr is clicked it will generate a like to my FB page… is that how this works, or did I misread this whole thing. Help!!!! hahaha

  • Kim Pheng

    i don’ get it.. too complex any one have video please

  • Kurt

    Hi, I’ve followed all the instructions, inserted file created in the root of the site with the boundary “Like” facebook, generating the command for automatic click placed on a page of the site after the opening body tag, but it does not work,

    I tried it on IE 11 and Firefox 43.01 even disabling antivirus.
    Can you explain why? Thanks

  • susan william


    i tried implementing the example and it worked good for me in the plain html page and when i tried integrating it with my website it doesn’t seem to work.

  • Redowan Sani

    Does it work with blogger?

  • Дамјан Јаневски

    There are new algorithms on Facebook, which work on two clicks. How will this pass now?