Security researchers have identified a new worm spreading across Facebook, luring people out to adult Web sites and automatically replicating itself across people’s profile pages.
Like so much malware, the worm advertises itself as a product of the skin trade.
An image of a near-naked woman appears on a user’s wall alongside all the other legitimate activities of that person’s friends. Embedded in the image is a link, bracketed by the text: “Want 2 C Something Hot?” and “Click da’ button, baby.”
Clicking the button brings up a full-screen version of the image, and clicking again navigates the user to a pornographic Web site. When the user returns to his Facebook profile page, the image of the woman now appears on his wall as well.
Evidence of the worm first appeared on the hacking blog Dark Reading, and was quickly picked up by security experts at AVG Research.
“The worm’s objective, of course, is that others viewing the victim’s wall will click the link, and as they are logged into Facebook, the worm will propagate its link to that victim’s wall, and so on,” AVG researcher Nick FitzGerald wrote in a blog post this morning explaining the vulnerability.
Facebook spokesman Simon Axten told InternetNews.com that the company is looking into the worm and expects to have more information shortly.
“On first glance, though, it doesn’t look any different from the phishing and malware attacks we fight on a daily basis,” Axten said.
The worm executes what is known as a cross-site request forgery, a hacking technique commonly abbreviated CSRF or XSRF.
The exploit page called up by the wall posting triggers a sequence of pages and scripts that create a bogus submission to Facebook, one that mimics the normal process of a user submitting a link to post and share on his wall. Because the user is still logged in to Facebook, the site accepts the forged request as his own.
Axten noted that Facebook has automated systems that aim to flag users’ accounts that might have been compromised, and routinely patrols for and deletes suspicious links.
“Users who’ve been affected are put through a remediation process so they can reset their password and take other necessary steps to secure their accounts,” Axten said.
“To combat these threats, however, we need users’ help too,” he added. Axten encouraged users to be mindful of standard safe-surfing best practices, such as keeping up with browser updates, choosing secure passwords and not clicking on strange links. He also appealed for Facebook users to become fans of the company’s security page, which offers guidelines for staying safe on the site.
Like many social-networking sites, Facebook has become an increasingly popular target for malware authors. Perhaps the highest-profile attack came last year in the form of the Koobface worm, an exploit that initially set its sights on Facebook, but has continued to spread to other destinations on the Web.
In August, Facebook was hit with a similar CSRF attack. The company said that the amount of information compromised was minimal, but security researchers criticized Facebook’s systems for failing to discern whether a request had come from an internal user or a bogus third party.
Roger Thompson, AVG’s chief research officer, said that the attack was “best fixed by Facebook,” and expressed confidence that the company would move swiftly to address the vulnerability.
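The kind of server-side check that tells a user's own submission from a forged one, as an added example (not Facebook's code and not from the researchers quoted here): a hypothetical link-sharing handler that accepts a post only if it comes from the site's own origin and carries a token bound to the user's session. The origin `https://social.example`, the handler name and the sample requests are constructed for illustration.

```python
import hashlib
import hmac
import secrets
from urllib.parse import urlsplit

SITE_ORIGIN = "https://social.example"  # hypothetical site origin (assumption)
SERVER_KEY = secrets.token_bytes(32)    # server-side secret, never sent to clients


def issue_csrf_token(session_id):
    """Token the site embeds in its own share form; bound to one session."""
    return hmac.new(SERVER_KEY, session_id.encode(), hashlib.sha256).hexdigest()


def same_origin(headers):
    """True only if Origin (or, failing that, Referer) names the site itself."""
    source = headers.get("Origin") or headers.get("Referer")
    if not source:
        return False  # fail closed on state-changing requests
    parts = urlsplit(source)
    # Compare scheme and host exactly; a prefix match would accept
    # look-alike hosts such as social.example.evil.test.
    return f"{parts.scheme}://{parts.netloc}" == SITE_ORIGIN


def handle_share_link(session_id, headers, form):
    """Hypothetical handler for the 'post a link to my wall' action."""
    if not same_origin(headers):
        return 403, "cross-site request rejected"
    expected = issue_csrf_token(session_id).encode()
    supplied = str(form.get("csrf_token", "")).encode()
    if not hmac.compare_digest(expected, supplied):
        return 403, "missing or invalid CSRF token"
    return 200, "posted " + form["url"]


# Constructed sample requests. Both reach the server with the user's valid
# session cookie, which is why the cookie alone cannot authorise the post.
SESSION = "constructed-session-id"
LEGIT = ({"Origin": SITE_ORIGIN},
         {"url": "https://news.example/story",
          "csrf_token": issue_csrf_token(SESSION)})
FORGED = ({"Origin": "https://lure.example"},
          {"url": "https://lure.example/"})

if __name__ == "__main__":
    print(handle_share_link(SESSION, *LEGIT))
    print(handle_share_link(SESSION, *FORGED))
```

Either check alone stops the forged post in this sample; running both covers clients that omit the Origin and Referer headers and pages that would otherwise pass a loose origin match.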
Dark Reading’s Gadi Evron notified Facebook about the issue over the weekend.
But Web-savvy Internet users have wised up to adult-themed come-ons such as the one found on Facebook over the weekend, leading Thompson to question whether the same scheme could be lurking on Facebook’s pages in less conspicuous forms. Already, AVG researchers have detected the CSRF threat disguised in the site’s popular Farmville app.
“The really interesting question, however, is how many other people have been using the attack without being so obvious about it,” Thompson said. “When your profile suddenly starts luring your friends and family to porn sites, that tends to stand out, but one wonders what else might have been happening with more subtlety. The worst hack is always the one you don’t know about.”
Update adds comments from Facebook spokesman.