Researchers at security firm Fortinet have discovered a malicious application spreading rapidly across Facebook, prompting users to install adware from Zango, an online media company that promotes free downloads of games and ringtones.
Zango is also a notorious malware distributor that has run into trouble with regulators over its practices.
The widget first appeared under the name “Secret Crush,” and entices users to download the application with a promise of revealing a Facebook friend with a crush on them, according to Fortinet’s research.
No admirer is ever identified; there is no secret crush to reveal. Instead, the widget pushes users to download the adware, but only after prompting them to pass the application on to their Facebook friends.
In the typical fashion of the cat-and-mouse game of online security, the developers have renamed the widget “My Admirer” following the researchers’ discovery, according to Fortinet Senior Research Engineer Derek Manky. “Secret Crush” is still named as the developer; the invitation now reads: “My Admirer by Secret Crush.”
Facebook is working closely with Fortinet to address the problem, Manky told InternetNews.com.
This is believed to be the first malware application of its kind to appear on Facebook through its third-party developer platform, but the researchers have warned that it is unlikely to be the last. Manky said one concern is that cyber criminals rolling out Facebook applications could post more than adware, such as links that draw users to malicious external Web sites.
MySpace, the largest social network and a Facebook rival, has already come under numerous attacks, including a recent attempt to trick unsuspecting users into installing a rootkit.
“What is happening here is actually simple – social networking sites are becoming what the Internet already is in general: a dangerous place,” Fortinet researcher Guillaume Lovet wrote in his analysis of the Secret Crush widget.
“Keep in mind that, given the odds, people are likely developing Facebook Platform applications for profit rather than just fun,” Lovet said. Of course, many for-profit widget applications are entirely legitimate. But the surging popularity of Facebook and other social networks has created a ripe target for malware authors.
Viral Malware
One of the unusual aspects of the Secret Crush/My Admirer adware is how quickly it has spread around Facebook by seizing on two elemental features of social networks: trusted referrals and social curiosity. Together they give it the exponential reach of viral distribution.
As of this morning, the application had been downloaded by 4 percent of Facebook’s users, according to Manky. On Tuesday, when the researchers first posted their findings, the adware had spread to 3 percent of the Facebook community.
Using Facebook’s own estimate of more than 59 million active users on its site, that means more than half a million people have downloaded Zango’s adware in just two days, and that it has reached a total of more than 2 million users.
“It really demonstrates the power of simple social engineering tactics,” Manky said.
The My Admirer/Secret Crush adware brings to light two main security problems confronting Facebook, according to Manky: the lack of security awareness among its users and the extensive trust placed in third-party developers under the Platform.
Facebook needs to develop some mechanism for screening the intent of its developers before their applications go live on the site, he said. At the very least, Facebook could look at the steps that users are required to complete before adding a widget.
The current system places the onus of security entirely on Facebook users, who are so accustomed to installing third-party applications that come recommended by friends that security concerns are often overlooked, Manky said.
Users are all the more likely to ignore security risks when confronted with a widget that excites their curiosity with the promise of revealing some socially titillating bit of information, as My Admirer does.
After agreeing to add the widget, the installation jumps to a screen that reads: “Before You Can Find Out Who Might Have a Crush On You, You Need to Invite At Least 5 Friends!” At this point, researchers point out, the user is psychologically hooked.
“Since users have freely chosen to install the widget at the cost of disclosing their personal information, psychologically speaking it is difficult for them to stop the process at that point,” the researchers wrote, so they are likely to pass the malicious widget on to at least five friends, just as Zango planned.
In this sense, My Admirer leverages a user’s escalating commitment to create trusted referrals that spread the adware with exponential rapidity.
After users send the application to five of their friends, the widget still does not reveal the admirer. Instead, it prompts them to click a “download now” button, which installs the Zango adware on their computer.
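The "invite at least 5 friends" gate is what turns a single install into a referral chain, and it can be reasoned about as a branching process. The following is an added illustration, not code from the article or from Fortinet: it takes the two figures the article does give (five forced invitations per install, Facebook's estimate of roughly 59 million active users) and treats the fraction of invitees who accept as an assumed, tunable parameter, since the article does not report it. It shows the threshold that decides whether such a widget fizzles or spreads: each install must produce more than one new install on average, which with five invitations means an acceptance rate above 20 percent.

```python
"""Branching-process model of the Secret Crush / My Admirer referral chain.

Added example, not part of the original article. Figures taken from the
article: 5 forced invitations per install, ~59 million active Facebook
users, and a 4 percent installed base at the time of writing. The
per-invitation acceptance rate is NOT reported anywhere in the article;
ACCEPT_RATE below is an assumption the reader should vary.
"""

INVITES_PER_INSTALL = 5          # the widget's "invite at least 5 friends" gate
ACTIVE_USERS = 59_000_000        # Facebook's own estimate, as quoted in the article
REPORTED_SHARE = 0.04            # 4 percent of users had installed, per Fortinet
ACCEPT_RATE = 0.30               # ASSUMED fraction of invitees who install


def reproduction_number(invites, accept_rate):
    """Expected number of new installs generated by one install (R).

    Growth is self-sustaining only when R > 1, i.e. when more than
    1/invites of the invitees accept. With 5 invitations the break-even
    acceptance rate is 20 percent.
    """
    return invites * accept_rate


def generations_to_reach(target, seed, invites, accept_rate, population):
    """Simulate discrete invitation rounds with a simple saturation term.

    Every newly installed user sends `invites` invitations; a fraction
    `accept_rate` of the invitees who have not already installed accept.
    Returns (rounds, installed) once `installed >= target`, or None if the
    chain dies out before reaching the target.
    """
    r = reproduction_number(invites, accept_rate)
    installed = seed
    new_this_round = seed
    rounds = 0
    while installed < target:
        # invitations to people who already installed are wasted
        susceptible_fraction = 1.0 - installed / population
        new_this_round = int(new_this_round * r * susceptible_fraction)
        if new_this_round <= 0:
            return None                 # chain has died out
        installed = min(population, installed + new_this_round)
        rounds += 1
    return rounds, installed


def installed_base(share, population=ACTIVE_USERS):
    """Number of users behind a reported percentage of the population."""
    return int(share * population)


if __name__ == "__main__":
    target = installed_base(REPORTED_SHARE)
    print(f"4% of {ACTIVE_USERS:,} users = {target:,} installs")
    for rate in (0.10, 0.20, 0.30):
        r = reproduction_number(INVITES_PER_INSTALL, rate)
        result = generations_to_reach(target, 100, INVITES_PER_INSTALL,
                                      rate, ACTIVE_USERS)
        outcome = "dies out" if result is None else f"{result[0]} rounds"
        print(f"accept_rate={rate:.2f}  R={r:.2f}  -> {outcome}")
```

The model deliberately ignores timing, overlapping friend lists and the fact that Facebook and Fortinet were actively working against the widget; its point is only that a forced fan-out of five turns a modest acceptance rate into self-sustaining growth, which is why the "invite first, reveal later" ordering matters more than the lure itself.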
Zango has already run afoul of the Federal Trade Commission over its adware practices. In a $3 million settlement with the FTC reached in November 2006, Zango (formerly known as 180solutions) agreed not to install its adware without obtaining consent after providing clear and prominent disclosure.