Unsocial networking
Posted on 5 Mar 2008 at 17:30
Davey Winder investigates a Facebook frog with a hidden agenda and reveals how to keep safe when using social networking sites.
Earlier I touched upon the area that most concerns security professionals, when I mentioned "loose lips sink ships", by which I meant that if you're not careful to protect the information you make available about yourself when you use a service such as Facebook, especially from your place of work, then you risk exposing an awful lot more than just your personal foibles. This risk is most evident with the ability to add third-party applications (widgets, if you prefer) to your Facebook profile. Most, in fact nearly all, of these are as harmless as they are witless and pointless: biting your friends via a personal message to turn them into virtual vampires; displaying a weather forecast on your profile page; engaging your friends in quizzes to see who knows most about Coronation Street. Some Facebook users are well and truly addicted to these things, though, to judge by the number of invites I receive offering to bite me, or worse. However, sometimes when you have such a willing and naive audience just waiting to soak up yet another new application, you'll attract the malicious types ready to exploit them.
You've been Zango'd
The first case of such an unsocial networking application has recently come to my attention, courtesy of the threat-response security research team at Fortinet, who alerted me to a malicious application that's wheedled its way onto the profiles of a whopping 3% of Facebook members (3% may not sound too bad until you realise that works out to around one million people...).
Going by the name of Secret Crush, this application exploits the social networking genre perfectly: you receive a message that tells you someone in your Facebook network (who's already installed the application) fancies you. This could be the person sending the message, but that isn't made clear: indeed, lack of clarity is key to the success of this malicious application in spreading itself, because in order to find out who has the hots for you, you have to install the application yourself, or so the invitation would have you believe. In fact, this isn't true, because once you do install it you'll be told that to reveal this romantic attachment, you must invite at least another five friends to install it. And that isn't true, either, because even then there's no actual naming of who fancies you, just an advert to download a "crush calculator" executable. By now, alarm bells should be well and truly ringing, recalling the whole nine dodgy yards of pyramid schemes, social engineering scams, phishing, adware and other kinds of nefarious schemes.
Fortinet did a detailed forensic examination of the code in the page source of the advertising frame you eventually receive for that "crush calculator", and discovered it was served from the affiliates section of zango.com. Some readers may remember that Zango is the infamous adware package that used to go by the name of 180Solutions and has been classified as spyware by many an antispyware package, despite Zango's best efforts to use legal pressure to have that classification removed. Fortinet says that downloading this crush calculator leads directly to a copy of Zango, which stretches the definition of "secret admirer" to the absolute limit as far as I'm concerned (unless being bombarded by adverts fits your concept of romance, that is).
I should point out that Zango's CEO has gone on record as saying this was nothing to do with his company and that an advert for Zango was placed as "one of many rotating ads" by a "publishing partner". He denied being associated with Secret Crush in any form and objected to Zango software being labelled as spyware, saying it should be referred to "as a toolbar". Uh huh... Fortinet, however, stands firm behind its researchers on this matter, and Facebook has banned the Secret Crush application for violating its terms of service.