When you see a post on a Facebook friend's wall that seems out of character, don't be too quick to click. That post labeled "Pictures of girls in bikinis" or "All boys can stare at it but girls cannot" could be a clickjacking attack. This type of attack typically doesn't include a malicious payload, but it will definitely annoy any of your friends who fall for it. Here's how to avoid that scenario.
Usually the post itself uses a short phrase or sentence that's just a bit provocative. The point is to arouse your curiosity. If you do fall for the attack that's currently making the rounds you'll get a warning that the content may be inappropriate and a request to confirm that you're 18 or older, like this:
Once you click the button to confirm your age you'll see another embedded dialog box. This one claims a need to prove that you're human, in order to avoid spam bots that are "putting an extra load on our servers." The box requests that you click numbered buttons in a certain order, like this:
Clicking those buttons doesn't prove you're human, except in the sense of "to err is human." By clicking the buttons you're actually posting the clickjacking attack in your own Facebook profile, thereby spreading it to all of your friends. If you encounter this attack, don't click the buttons. If you've already fallen for it, delete the post from your profile.
Symantec's free Norton Safe Web for Facebook did not detect the specific attack shown here. AVG's LinkScanner Online also gave the link a clean bill of health. Symantec representatives explained that Norton Safe Web "currently detects and warns users against links to phishing sites and those that distribute malware. Since [this link] … does not drop any malware or send users to malicious sites, Safe Web for Facebook won't show those links as unsafe. Scanning with Safe Web for Facebook every week and checking out suspicious links using LinkScanner will help keep you safe if these clickjacking attacks evolve into more virulent Facebook attacks.