When you see a post on a Facebook friend's wall that seems out of character, don't be too quick to click. Posts labeled "Pictures of girls in bikinis" or "All boys can stare at it but girls cannot" might be clickjacking attacks. These attacks typically don't carry malicious payloads, but they can certainly annoy any friends who fall for them. Here's how to avoid that scenario.
Usually, the post itself uses a short, provocative phrase to spark your curiosity. If you fall for the attack currently making the rounds, you'll see a warning that the content might be inappropriate and a request to confirm that you're 18 or older.
Once you click the button to confirm your age, you'll encounter another embedded dialog box. This one claims a need to verify that you're human, supposedly to avoid spam bots that are "putting an extra load on our servers." The box requests that you click numbered buttons in a specific order.
Clicking those buttons doesn't prove you're human, except in the sense of "to err is human." By clicking them, you're actually posting the clickjacking attack on your own Facebook profile, thereby spreading it to all your friends. If you encounter this attack, don't click the buttons. If you've already fallen for it, delete the post from your profile immediately.
Symantec's free Norton Safe Web for Facebook did not detect the specific attack shown here. AVG's LinkScanner Online also gave the link a clean bill of health. Symantec representatives explained that Norton Safe Web "currently detects and warns users against links to phishing sites and those that distribute malware. Since [this link] does not drop any malware or send users to malicious sites, Safe Web for Facebook won't show those links as unsafe." Scanning with Safe Web for Facebook every week and checking out suspicious links using LinkScanner will help keep you safe if these clickjacking attacks evolve into more virulent Facebook threats.
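Link scanners that look for malware or phishing miss this attack because the page's only trick is its layout. As an added illustration (not part of the original article), the JavaScript check below flags that layout, assuming the usual clickjacking construction of an invisible account-linked frame stacked over each decoy button; the element fields, thresholds, and sample data are constructed for the example.

```javascript
// Heuristic check for the overlay pattern: an invisible account-linked frame
// stacked over a visible decoy button. Inputs are plain objects; in a browser
// they would be built from getBoundingClientRect() and getComputedStyle().
const SOCIAL_HOSTS = ["facebook.com"]; // assumption: hosts whose widgets act on the account
const MAX_OPACITY = 0.1;   // assumption: at or below this the frame is unseen
const MIN_COVERAGE = 0.5;  // assumption: share of the decoy the frame must cover

function hostMatches(src, hosts) {
  let host;
  try {
    host = new URL(src).hostname.toLowerCase();
  } catch (e) {
    return false; // relative or malformed src
  }
  // Exact host or a subdomain; "notfacebook.com" must not match.
  return hosts.some((h) => host === h || host.endsWith("." + h));
}

function overlapArea(a, b) {
  const w = Math.min(a.x + a.w, b.x + b.w) - Math.max(a.x, b.x);
  const h = Math.min(a.y + a.h, b.y + b.h) - Math.max(a.y, b.y);
  return w > 0 && h > 0 ? w * h : 0;
}

function findClickjackSuspects(frames, decoys, hosts = SOCIAL_HOSTS) {
  const findings = [];
  for (const frame of frames) {
    if (!hostMatches(frame.src, hosts) || frame.opacity > MAX_OPACITY) continue;
    for (const decoy of decoys) {
      if (frame.zIndex <= decoy.zIndex) continue; // frame must sit on top to take the click
      const covered = overlapArea(frame.rect, decoy.rect) / (decoy.rect.w * decoy.rect.h);
      if (covered >= MIN_COVERAGE) findings.push({ frame: frame.src, decoy: decoy.label, covered });
    }
  }
  return findings;
}

// Constructed sample data (not captured from a real page).
const LIKE = "https://www.facebook.com/plugins/like.php?href=https%3A%2F%2Fexample.test%2F";
const sampleFrames = [
  { src: LIKE, opacity: 0, zIndex: 10, rect: { x: 100, y: 200, w: 60, h: 30 } },
  { src: LIKE, opacity: 1, zIndex: 10, rect: { x: 400, y: 50, w: 60, h: 30 } }, // visible, honest button
  { src: "https://ads.example.test/b", opacity: 0, zIndex: 10, rect: { x: 165, y: 200, w: 60, h: 30 } },
];
const sampleDecoys = [
  { label: "1", zIndex: 1, rect: { x: 105, y: 205, w: 50, h: 20 } },
  { label: "2", zIndex: 1, rect: { x: 170, y: 205, w: 50, h: 20 } },
];
console.log(findClickjackSuspects(sampleFrames, sampleDecoys));
```

Only the transparent Facebook frame covering button "1" is reported; the visible widget and the hidden frame from an unrelated host are ignored.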