Many years ago, I described how the social engineering tactic of alleging an “InstaKiss” from a secret admirer was used to steal AOL passwords. Online services were all the rage at that time; now is the era of social networking sites. Relative newcomer Facebook, which according to its own factsheet implements “a development platform that enables companies and engineers to deeply integrate with the Facebook website and gain access to millions of users through the social graph”, is now being used as a foundation for malicious software. The bait? A “Secret Crush”.

According to Californian information security company Fortinet, potential victims are informed that one of their Facebook friends has invited them to find out more information by using the “Secret Crush” widget — “One of Your Friends Might Have a Crush on You”. As the victim elects to “Find Out Who”, he or she is taken to Facebook’s application addition page, where he or she must specifically allow the application to, among other things, “know who I am and access my information” as well as “publish stories in my News Feed and Mini-Feed”. Quoting from the Fortinet advisory:

“My personal data will be revealed, used and abused by online marketers and I am aware of that: Add the application”. Such terms of use do not really scare anyone anymore, since they are displayed in all third-party application installations on Facebook. In other words, users have already been seeded with the idea of not worrying about giving access to their personal information.

If the victim adds the malicious application, he or she is told that at least five friends must be invited. (These friends, of course, become the next victims.) The victim is then taken to the download page for “Crush Calculator”; upon completing that installation, the victim will have acquired Zango, an ad delivery application.

Of course, the allegation of a “secret crush” is a swindle intended to trick the user into installing the “Secret Crush” and “Crush Calculator” applications. In other words, instead of finding someone in love with him, the victim is likely to lose the friends he entrapped as fellow casualties.

An additional oddity: when a Facebook user attempted to report the “Secret Crush” malware to Facebook in order to have it taken down, Facebook apparently sent his report to the malware operator instead:

WTF! I clicked on “Report this application” on Facebook, and put in the info on the worm, expecting that my message would be sent to the Facebook developers, and instead it tells me:

Thank you for your report.
Your report has been sent to the developer of this application. If you no longer wish to interact with this application, you can remove or restrict it.

Oh ducky.

That’s the wrong default, guys. If I’m reporting a bug in an app, that’s one thing. But if I’m reporting a privacy violation or other similar issue, that should be going to Facebook only, not to the application developer.

In any case, the lesson here is to avoid widgets and similar applications. Where you must allow code to run on your workstation, first research it as thoroughly as possible. Avoid being among the first to try out new software. Be especially wary if the application promises to do something extraordinary or if it is presented in a particularly appealing fashion. If in doubt, ask a qualified expert to advise you.

Have you been burned by a Facebook “platform application” or by social engineering? Please post your comments!