FortiGuard Advisory (FGA-2007-16)
Facebook Widget Installing Spyware
2008.January.02

Fortinet Global Security Research Team discovered a malicious Facebook Widget (officially, a "Platform Application") actively spreading on the social networking site which ultimately prompts users to install the infamous "Zango" adware/spyware.

The malicious widget, called "Secret Crush", first appears as a Facebook request, as shown below in Figure 1:

Figure 1: The malicious widget request is highlighted in red

On opening the request, the recipient is informed that one of his/her friends has invited him/her to find out more by using "Secret Crush" (this happens frequently with Facebook's Platform Applications). Figure 2 shows the social engineering pitch employed by the malicious widget to get the user to install it. At first glance, it does seem like the friend who sent the notification is the one having a "crush" on the targeted user. This is actually not the case, as discussed further below.

Figure 2: Find out who has a crush on you

Clicking the "Find Out Who!" button leads to the standard third-party application install page (see Figure 3 below), which essentially states that the referred application will be granted access to the user's details upon installation.

Figure 3: "My personal data will be revealed, used and abused by online marketers and I am aware of that: Add the application"

Such terms of use do not really scare anyone anymore, since they are displayed in all third-party application installations on Facebook. In other words, users have already been seeded with the idea of not worrying about giving access to their personal information. Further, this is a risk one may consider reasonable to take in order to find out who has a crush on him/her. Piquing the user's curiosity is exactly what the social engineering leverages. Unfortunately, as displayed in Figure 4, once the terms are accepted the time for the revelation has not yet come: "Before you can find out who might have a crush on you, you need to invite at least 5 friends!".

Figure 4: The core of the widget's social propagation strategy

This practically makes the widget a Social Worm. Unlike many social worms, the "Secret Crush" propagation strategy does not rely on phishing or any sort of user-space customization feature abuse (see our primer on social worms). Rather, it relies on pure social engineering, based on simple manipulation strategies such as "escalation of commitment". Since users have freely chosen to install the widget at the cost of disclosing their personal information, psychologically speaking it is difficult for them to stop the process at that point. Therefore, most of them will invite at least 5 friends to complete the process. Even after that step, no crush of any sort is revealed and the abused user is left facing the frame shown in Figure 5 below:

Figure 5: Zango IFrame

A quick examination of the page source reveals that the frame is hosted on http://hosted.zango.com, in the affiliates section. Needless to say, clicking on "Download Now" leads to a copy of the infamous Zango adware/spyware. This was formerly known as 180Solutions, and is currently caught by Fortinet as Adware/Zango, as can be seen in Figure 6. The malicious widget authors are rewarded with over $1 USD for each successful installation, according to Zango's affiliate program rates (which, after a few million clicks, probably adds up to an impressive total).

Figure 6: Fortinet blocking the Zango download within the "Secret Crush" IFrame

What happened is reasonably straightforward, sadly. The tremendous success and lightning-fast expansion of Facebook (which, albeit resorting to debatable strategies as noted in a previous roundup, is undeniable) empowered the social networking giant with an impressive user base. Needless to say, in a digital world where web traffic equals money, such a user base attracts spammers, virus/spyware seeders, and other ethic-less online marketers as honey attracts flies.

Fortinet CMO Richard Stiennon included "malicious Facebook widgets" in his 2008 predictions. It seems that "Secret Crush" is right on time. Facebook has been notified; however, this is probably just the beginning. As of writing, what prevents hackers from implementing a similar scheme, in which the Zango IFrame would be replaced by an MPack one (or any other drive-by install engine), thereby silently infecting users on a mass scale?

"Keep in mind that, given the odds, people are likely developing Facebook "Platform Applications" for profit rather than just for fun. Now, this does not mean that all widgets are going to be malicious. As in every business frame, honest ways to generate profits surely exist on Facebook, in exchange for providing a service to users who subscribe to it. However, users must be aware of this, and resort to a blend of common sense and protection gear to avoid being scammed and abused," advises Fortinet EMEA Threat Response Team Manager Guillaume Lovet.

"What is happening here is actually simple - social networking sites are becoming what the Internet already is in general: a dangerous place. People who are unaware, naive, and/or run unpatched browsers are increasingly at risk", said Lovet.

As of the first report, the widget was already being used by 3% of the Facebook community, which amounts to over one million users, all in a very small time-frame. This demonstrates the effectiveness of the propagation strategy employed by the widget, as well as the potential for capitalizing on a large user base such as Facebook's.

UPDATES:
As of January 4, 2008 the widget's installed user base has grown from 3% to 4% of Facebook users, and has changed its name from "Secret Crush" to "My Admirer". Further, when attempting to install the "My Admirer" widget, the message: "The developer of this application does not currently allow it to be added." appears, halting the installation process.

As of mid-day January 4, 2008, users who had already installed the Secret Crush/My Admirer widget were greeted with a message on Facebook when trying to access the widget. The third-party developer of the widget made a statement, as can be seen in Figure 7 below:

Figure 7: Secret Crush / My Admirer widget message when attempting to use the widget on January 4, 2008

As of January 7, 2008 Facebook has removed the Secret Crush/My Admirer widget from their site.

Disclaimer:

Although Fortinet has attempted to provide accurate information in these materials, Fortinet assumes no legal responsibility for the accuracy or completeness of the information. More specific information is available on request from Fortinet. Please note that Fortinet's product information does not constitute or contain any guarantee, warranty or legally binding representation, unless expressly identified as such in a duly signed writing.

About Fortinet (www.fortinet.com):

Fortinet is the pioneer and leading provider of ASIC-accelerated multi-threat security systems, which are used by enterprises and service providers to increase their security while reducing total operating costs. Fortinet solutions were built from the ground up to integrate multiple levels of security protection (including firewall, antivirus, intrusion prevention, VPN, spyware prevention and antispam), providing customers a way to protect against multiple threats as well as blended threats. Leveraging a custom ASIC and unified interface, Fortinet solutions offer advanced security functionality that scales from remote office to chassis-based solutions with integrated management and reporting. Fortinet solutions have won multiple awards around the world and are the only security products that are certified eight times over by the ICSA (firewall, antivirus, IPSec, SSL, IDS, client antivirus detection, cleaning and antispyware). Fortinet is privately held and based in Sunnyvale, California.