Facebook Widget Spreads Spyware - InformationWeek

Fortinet has identified a malicious Facebook widget called Secret Crush that may subject people to unwanted ads and phone charges.

Facebook users looking to identify a supposed secret crush may find themselves unwittingly subjected to unwanted ads and phone charges.

Security researchers at Fortinet have identified a malicious Facebook widget called Secret Crush that encourages Facebook users to provide the names of five friends and to install "the infamous 'Zango' adware/spyware." According to Fortinet, 3% of Facebook's claimed 59 million users have used the widget.

The widget, which Facebook has reportedly removed, appeared as a Facebook invitation. "In opening the request, the recipient is informed that one of his/her friends has invited him/her to find out more information by using 'Secret Crush' (this happens frequently with Facebook's Platform Application)," Fortinet explains in a blog post that details the social engineering employed by the malicious widget to encourage the user to install it.

A "Find Out Who" button promised to reveal the identity of the secret crush, but in fact it led Facebook users to give up the names of five friends (in order to spread the widget further) and then to accept Zango's software.

"This practically makes the widget a Social Worm," Fortinet says. "Unlike many social worms, the 'Secret Crush' propagation strategy does not rely on phishing or any sort of user-space customization feature abuse. ... Rather, it relies on pure social engineering, which is based on simple manipulation strategies such as 'escalation of commitment.' Since users have freely chosen to install the widget at the cost of disclosing their personal information, psychologically speaking it is difficult for them to stop the process at that point."

Wired News reports that Secret Crush was created by a firm based in Australia and the United States called Mobile Messenger and that the widget's Terms of Service say that the company will charge users $1.25 per day for sending SMS horoscope messages if a mobile phone number is provided.

Symantec says that it has already updated its software to block Secret Crush.

This is not the first time Zango software has spread through social networks. In 2006, Chris Boyd, the director of malware research for security vendor FaceTime, reported finding two MySpace profiles tagged "Zango" that spread adware.

Zango spokesperson Steve Stratz said at the time that the profiles were created by mistake by a Zango developer who didn't realize that company policy was not to distribute through MySpace.

In mid-December 2007, a worm spread through Google's Orkut social network using a Flash object to invoke malicious JavaScript code.

Stratz said that Zango is still investigating the widget. He said that Secret Crush, which he notes has been renamed My Admirer, doesn't appear to be connected to Zango or Zango software.

"In addition, our general security monitoring of the Zango network has shown no abnormal increase in installations -- something we would likely have seen based on reported usage numbers of the Secret Crush application," Stratz said in an e-mail. "The [Fortinet] report includes a screenshot of what appears to be a default Zango installer URL. While we have been unable to replicate any alleged connection between Zango and Secret Crush, this installer contains a complete and conspicuously disclosed plain-language notice and consent process that, if available to consumers, would provide full notice and disclosure relating to Zango software."

In other words, Zango explains its software and it's up to users to read that explanation.

In their year-end security risk summaries and predictions for 2008, many security vendors have said that they expect attacks on social networks to become more common because of the wealth of personal data stored there.
