Malware Authors Exploit Facebook App

Is it marketing or is it malware?

That’s the question facing Facebook users who are confronting the threat of a second targeted attack less than two weeks after last being hit by a virus.

Users and security experts are now wondering whether an official-looking message making the rounds through the social networking site is a new way for malware authors to reach Facebook users, or a bizarre case of hackers taking advantage of an ill-conceived marketing stunt.

The alarm centers on an official-looking notification, titled “Error Check System” or “Error Checking System,” that warns users — falsely — that friends have had problems viewing their profile. It also urges recipients to click on an “Activate” button in the message to correct the errors. Clicking the button downloads a Facebook app and asks users to select friends whose profiles they would also like checked.

Doing so sends the notification to those friends, yet there doesn’t seem to be any malware built into the message. That’s led some observers to wonder whether the “Error Checking” application is some poorly executed attempt at promoting a new product or service.

However, it’s not wholly without danger. If curious users do a Web search on the term “Facebook Error Check System,” they’re likely to run into a number of Web pages that claim to offer an explanation, but which instead download malware onto their PCs.

Facebook is working to respond to the threat, but even the company isn’t clear on what’s going on.

“We have disabled several versions of the Error Check System application and are working aggressively to make sure these annoying apps stay off Facebook,” a spokesperson at the social networking site said in an e-mail. “It has also come to our attention that a Google search for this application leads to a Web page, which initiates a fake antivirus scan and attempts to install malware.”

“We’ve reached out to Google about this search result, and in the meantime, urge users not to click on search links related to this application,” the spokesperson said, adding that Facebook’s policy is to take action against nuisance or dangerous applications, including steps like disabling them.

Still, the problem remains — and could spell more trouble for the social networking site, industry watchers said.

“This could be a huge issue for Facebook,” said Nick O’Neill, who runs the Facebook-watching site All Facebook. “You could get millions of people clicking on and installing this application.”

It’s also the latest attack designed to target Facebook users. The site was last hit earlier this month when hackers hijacked a 1.5 million-strong Facebook group “5,000,000 against the new version of Facebook”.

The newest attack first made its appearance over the weekend, O’Neill said, and its subject line has since changed from “Error Check System,” to “Error Checking System,” ostensibly in an attempt to avoid blocking.

However, it’s not the contents of the message — or the Facebook app it downloads — that is putting users at real risk. Graham Cluley, senior technology consultant at security consultants Sophos, said that users’ searches for “Error Checking System” lead to sites that download scareware, or fake antivirus software, onto users’ PCs. The scareware contains two viruses, which Sophos has named Sus/FakeAV-A and Troj/FakeAV-LL.

Was this a two-pronged attack?

While it’s still unclear who’s behind the current Facebook attack, at least one researcher believes there are some clues.

Craig Schmugar, senior threat researcher at antivirus vendor McAfee, said that one core group runs the Net’s major scareware attacks — and they’re a likely culprit for the latest malware based on their previous methods of attack.

“It’s the same domain names and the same rogue anti-spyware, so it seems likely that this time, the perpetrators created this pipe around Facebook so they could get more search results,” Schmugar said.

Yet it remains uncertain whether the Facebook application and the malware were constructed by the same parties. The application could have been written to create a buzz that would lead to people being infected after doing Google (NASDAQ: GOOG) searches, Cluley said.

Or, the application’s authors could have been attempting to promote some sort of product or service, he added.

“It’s not yet clear whether the application writers were engaging in dumb marketing or they were part of a bigger plot,” Cluley said.

Either way, the hackers behind the scareware attacks are cashing in.

“They have been very successful at seeding Google at a very high level,” Cluley said.

Most of the Web sites carrying the malware are likely to have been legitimate sites that have been hacked by the malware authors, Cluley said, adding that the approach is a common tactic.

“We see over 20,000 infected Web pages daily, 90 percent of which have been hacked,” he said.

Sophos isn’t the only one noting the trend. A survey by messaging- and data-protection vendor Websense also found that hackers are increasingly compromising legitimate Web sites to do their dirty work. The survey concluded that search engines and social networking sites, which let users upload third-party applications, are the most at risk.

As a result, Cluley warned Facebook users to be very careful what applications they add on to their pages.

“You don’t know who that person is, whether they can be trusted and whether they’re competent,” he said.
