Software // Enterprise Applications
News
1/4/2008
03:19 PM

Facebook Widget Spreads Spyware

Fortinet has identified a malicious Facebook widget called Secret Crush that may subject people to unwanted ads and phone charges.

Facebook users looking to identify a supposed secret crush may find themselves unwittingly subjected to unwanted ads and phone charges.

Security researchers at Fortinet have identified a malicious Facebook widget called Secret Crush that encourages Facebook users to provide the names of five friends and to install "the infamous 'Zango' adware/spyware." According to the company, 3% of Facebook's claimed 59 million users have used the widget.

The widget, which Facebook has reportedly removed, appeared as a Facebook invitation. "In opening the request, the recipient is informed that one of his/her friends has invited him/her to find out more information by using 'Secret Crush' (this happens frequently with Facebook's Platform Application)," Fortinet explains in a blog post that details the social engineering employed by the malicious widget to encourage the user to install it.

A "Find Out Who" button promised to reveal the identity of the secret crush, but in fact led Facebook users to give up the names of five friends (in order to spread the widget further) and then to accept Zango's software.

"This practically makes the widget a Social Worm," Fortinet says. "Unlike many social worms, the 'Secret Crush' propagation strategy does not rely on phishing or any sort of user-space customization feature abuse. ... Rather, it relies on pure social engineering, which is based on simple manipulation strategies such as 'escalation of commitment.' Since users have freely chosen to install the widget at the cost of disclosing their personal information, psychologically speaking it is difficult for them to stop the process at that point."

Wired News reports that Secret Crush was created by a firm based in Australia and the United States called Mobile Messenger and that the widget's Terms of Service say that the company will charge users $1.25 per day for sending SMS horoscope messages if a mobile phone number is provided.

Symantec says that it has already updated its software to block Secret Crush.

This is not the first time Zango software has spread through social networks. In 2006, Chris Boyd, the director of malware research for security vendor FaceTime, reported finding two MySpace profiles tagged "Zango" that spread adware.

Zango spokesperson Steve Stratz said at the time that the profiles were created by mistake by a Zango developer who didn't realize that company policy was not to distribute through MySpace.

In mid-December 2007, a worm spread through Google's Orkut social network using a Flash object to invoke malicious JavaScript code.

Stratz said that Zango is still investigating the widget. He said that Secret Crush, which he notes has been renamed My Admirer, doesn't appear to be connected to Zango or Zango software.

"In addition, our general security monitoring of the Zango network has shown no abnormal increase in installations -- something we would likely have seen based on reported usage numbers of the Secret Crush application," Stratz said in an e-mail. "The [Fortinet] report includes a screenshot of what appears to be a default Zango installer URL. While we have been unable to replicate any alleged connection between Zango and Secret Crush, this installer contains a complete and conspicuously disclosed plain-language notice and consent process that, if available to consumers, would provide full notice and disclosure relating to Zango software."

In other words, Zango explains its software and it's up to users to read that explanation.

In their year-end security risk summaries and predictions for 2008, many security vendors have said that they expect attacks on social networks to become more common because of the wealth of personal data stored there.
