Fortinet has identified a malicious Facebook widget called Secret Crush that may subject people to unwanted ads and phone charges.
Facebook users looking to identify a supposed secret crush may find themselves unwittingly subjected to unwanted ads and phone charges.
Security researchers at Fortinet have identified a malicious Facebook widget called Secret Crush that encourages Facebook users to provide the names of five friends and to install "the infamous 'Zango' adware/spyware." According to the company, 3% of Facebook's claimed 59 million users have used the widget.
The widget, which Facebook has reportedly removed, appeared as a Facebook invitation. "In opening the request, the recipient is informed that one of his/her friends has invited him/her to find out more information by using 'Secret Crush' (this happens frequently with Facebook's Platform Application)," Fortinet explains in a blog post that details the social engineering employed by the malicious widget to encourage the user to install it.
A "Find Out Who" button promised to reveal the identity of the secret crush, but it in fact leads Facebook users to give up the names of five friends (in order to spread the widget further) and then to accept Zango's software.
"This practically makes the widget a Social Worm," Fortinet says. "Unlike many social worms, the 'Secret Crush' propagation strategy does not rely on phishing or any sort of user-space customization feature abuse. ... Rather, it relies on pure social engineering, which is based on simple manipulation strategies such as 'escalation of commitment.' Since users have freely chosen to install the widget at the cost of disclosing their personal information, psychologically speaking it is difficult for them to stop the process at that point."
Wired News reports that Secret Crush was created by a firm based in Australia and the United States called Mobile Messenger and that the widget's Terms of Service say that the company will charge users $1.25 per day for sending SMS horoscope messages if a mobile phone number is provided.
Symantec says that it has already updated its software to block Secret Crush.
This is not the first time Zango software has spread through social networks. In 2006, Chris Boyd, the director of malware research for security vendor FaceTime, reported finding two MySpace profiles tagged "Zango" that spread adware.
Zango spokesperson Steve Stratz said at the time that the profiles were created by mistake by a Zango developer who didn't realize that company policy was not to distribute through MySpace.
Stratz said that Zango is still investigating the widget. He said that Secret Crush, which he notes has been renamed My Admirer, doesn't appear to be connected to Zango or Zango sofrware.
"In addition, our general security monitoring of the Zango network has shown no abnormal increase in installations -- something we would likely have seen based on reported usage numbers of the Secret Crush application," Stratz said in an e-mail. "The [Fortinet] report includes a screenshot of what appears to be a default Zango installer URL. While we have been unable to replicate any alleged connection between Zango and Secret Crush, this installer contains a complete and conspicuously disclosed plain-language notice and consent process that, if available to consumers, would provide full notice and disclosure relating to Zango software."
In other words, Zango explains its software and it's up to users to read that explanation.
In their year-end security risk summaries and predictions for 2008, many security vendors have said that they expect attacks on social networks to become more common because of the wealth of personal data stored there.
We welcome your comments on this topic on our social media channels, or [contact us directly] with questions about the site.