Facebook Widget Spreads Spyware - InformationWeek


03:19 PM


Fortinet has identified a malicious Facebook widget called Secret Crush that may subject people to unwanted ads and phone charges.

Facebook users looking to identify a supposed secret crush may find themselves unwittingly subjected to unwanted ads and phone charges.

Security researchers at Fortinet have identified a malicious Facebook widget called Secret Crush that encourages Facebook users to provide the names of five friends and to install "the infamous 'Zango' adware/spyware." According to Fortinet, 3% of Facebook's claimed 59 million users have used the widget.

The widget, which Facebook has reportedly removed, appeared as a Facebook invitation. "In opening the request, the recipient is informed that one of his/her friends has invited him/her to find out more information by using 'Secret Crush' (this happens frequently with Facebook's Platform Application)," Fortinet explains in a blog post that details the social engineering employed by the malicious widget to encourage the user to install it.

A "Find Out Who" button promises to reveal the identity of the secret crush, but in fact it leads Facebook users to give up the names of five friends (in order to spread the widget further) and then to accept Zango's software.

"This practically makes the widget a Social Worm," Fortinet says. "Unlike many social worms, the 'Secret Crush' propagation strategy does not rely on phishing or any sort of user-space customization feature abuse. ... Rather, it relies on pure social engineering, which is based on simple manipulation strategies such as 'escalation of commitment.' Since users have freely chosen to install the widget at the cost of disclosing their personal information, psychologically speaking it is difficult for them to stop the process at that point."

Wired News reports that Secret Crush was created by a firm based in Australia and the United States called Mobile Messenger and that the widget's Terms of Service say that the company will charge users $1.25 per day for sending SMS horoscope messages if a mobile phone number is provided.

Symantec says that it has already updated its software to block Secret Crush.

This is not the first time Zango software has spread through social networks. In 2006, Chris Boyd, the director of malware research for security vendor FaceTime, reported finding two MySpace profiles tagged "Zango" that spread adware.

Zango spokesperson Steve Stratz said at the time that the profiles were created by mistake by a Zango developer who didn't realize that company policy was not to distribute through MySpace.

In mid-December 2007, a worm spread through Google's Orkut social network using a Flash object to invoke malicious JavaScript code.

Stratz said that Zango is still investigating the widget. He said that Secret Crush, which he notes has been renamed My Admirer, doesn't appear to be connected to Zango or Zango software.

"In addition, our general security monitoring of the Zango network has shown no abnormal increase in installations -- something we would likely have seen based on reported usage numbers of the Secret Crush application," Stratz said in an e-mail. "The [Fortinet] report includes a screenshot of what appears to be a default Zango installer URL. While we have been unable to replicate any alleged connection between Zango and Secret Crush, this installer contains a complete and conspicuously disclosed plain-language notice and consent process that, if available to consumers, would provide full notice and disclosure relating to Zango software."

In other words, Zango explains its software and it's up to users to read that explanation.

In their year-end security risk summaries and predictions for 2008, many security vendors have said that they expect attacks on social networks to become more common because of the wealth of personal data stored there.
