Facebook widget installs Zango spyware
Posted on 04.01.2008
Fortinet Global Security Research Team discovered a malicious Facebook Widget actively spreading on the social networking site which ultimately prompts users to install the infamous "Zango" adware/spyware.

The malicious widget, called "Secret Crush", first appears as a Facebook request, as shown below in Figure 1:



On opening the request, the recipient is informed that one of his/her friends has invited him/her to find out more by using "Secret Crush" (a pattern common to Facebook Platform applications). Figure 2 shows the social engineering pitch the malicious widget uses to get the user to install it. At first glance, it appears that the friend who sent the notification is the one with a "crush" on the targeted user. This is not the case, as discussed further below.



Clicking the "Find Out Who!" button leads to the standard third-party application install page (see Figure 3 below), which essentially states that the referred application will be granted access to the user's details upon installation.



Such terms of use no longer really scare anyone, since they are displayed on every third-party application installation on Facebook. In other words, users have already been conditioned not to worry about granting access to their personal information. Further, this is a risk one may consider reasonable in order to find out who has a crush on him/her. Piquing user curiosity is exactly what the social engineering leverages. Unfortunately, as displayed in Figure 4, once the terms are accepted the time for the revelation has not yet come: "Before you can find out who might have a crush on you, you need to invite at least 5 friends!".



This practically makes the widget a social worm. Unlike many social worms, the "Secret Crush" propagation strategy does not rely on phishing or on abusing any user-space customization feature (read Fortinet's primer on social worms). Rather, it relies on pure social engineering, using simple manipulation strategies such as "escalation of commitment": since users have freely chosen to install the widget at the cost of disclosing their personal information, it is psychologically difficult for them to stop the process at that point. Therefore, most of them will invite at least 5 friends to complete the process. Even after that step, no crush of any sort is revealed, and the abused user is left facing the frame shown in Figure 5 below:



A quick examination of the page source reveals that the frame is hosted on hosted.zango.com, in the affiliates section. Needless to say, clicking on "Download Now" leads to a copy of the infamous Zango adware/spyware. Each download earns the malicious widget's authors a fistful of pennies (which, after a few million clicks, probably sums up to an impressive total).
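The page-source check described above can be made repeatable. The following is an added example, not Fortinet's tooling or anything from the widget itself: it parses a page's HTML, collects every <frame> and <iframe> source, resolves relative URLs against the page address, and flags any frame whose host is not under the page's own domain. The sample HTML and the page URL are constructed for illustration; only the host name hosted.zango.com comes from the article, the "/affiliates/example/..." path and the rest of the markup are made up.

```python
"""Flag frames in a page that load content from a host other than the page's own.

Added example (not Fortinet's or the widget author's code). The sample page
below is constructed: only the host hosted.zango.com is taken from the article,
the path and surrounding markup are invented for illustration.
"""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Constructed sample: an application page whose final "reveal" step is an
# iframe pulled from an affiliate URL on a third-party host.
SAMPLE_PAGE_URL = "http://apps.facebook.com/secretcrush/reveal.php"  # assumed
SAMPLE_HTML = """
<html><body>
  <img src="/images/crush.gif">
  <iframe src="/inc/footer.html" width="100%"></iframe>
  <iframe src="http://hosted.zango.com/affiliates/example/landing.html" width="728" height="500"></iframe>
  <a href="http://hosted.zango.com/download/setup.exe">Download Now</a>
</body></html>
"""


class FrameCollector(HTMLParser):
    """Collects the src attribute of every <frame> and <iframe> start tag."""

    def __init__(self):
        super().__init__()
        self.frame_srcs = []

    def handle_starttag(self, tag, attrs):
        if tag in ("frame", "iframe"):
            src = dict(attrs).get("src")
            if src:
                self.frame_srcs.append(src)


def registrable_parent(host):
    """Crude eTLD+1 approximation: the last two DNS labels.

    Sufficient for example.com-style hosts; a real public-suffix list would be
    needed for hosts such as something.co.uk.
    """
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def third_party_frames(page_url, html):
    """Return absolute frame URLs whose host is not under the page's own domain."""
    parser = FrameCollector()
    parser.feed(html)
    page_domain = registrable_parent(urlsplit(page_url).hostname or "")
    hits = []
    for src in parser.frame_srcs:
        absolute = urljoin(page_url, src)      # resolve relative sources
        host = urlsplit(absolute).hostname or ""
        if registrable_parent(host) != page_domain:
            hits.append(absolute)
    return hits


if __name__ == "__main__":
    for url in third_party_frames(SAMPLE_PAGE_URL, SAMPLE_HTML):
        print("third-party frame:", url)
```

Run against the constructed sample, the same-origin footer frame is ignored and the hosted.zango.com affiliate frame is reported. On a real investigation, feed in the saved page source and the URL it was fetched from; plain anchors such as the "Download Now" link are deliberately not flagged here, since the point of the check is to find where the embedded content actually originates.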

What happened is reasonably straightforward, sadly. The tremendous success and lightning-fast expansion of Facebook (which, albeit achieved through debatable strategies as noted in a previous roundup, is undeniable) has given the social networking giant an impressive user base. Needless to say, in a digital world where web traffic equals money, such a user base attracts spammers, virus/spyware seeders and other ethics-free online marketers like honey attracts flies.

Research provided by Fortinet Global Security Research Team





Copyright 1998-2014 by Help Net Security.