Facebook Applications Aren’t Always Your Friends

I came across a worrying article today at online security site Fortinet.

The post (also picked up by Help Net Security) details how a rogue Facebook application allegedly dupes users into installing the infamous "Zango" adware/spyware and inviting friends to do the same.

Zango disputed the claim, saying the application was nothing to do with them. The company insisted that the screenshots showed an ad they placed legitimately through Facebook, and that the application seemed to show random ads to users.

That may be true, as the widget was ultimately disabled by its makers once they realized people were being redirected to Zango’s site. By this point, the application had been installed by 4% of Facebook’s 60 million users (or 2.4 million people).


Wider Issues?

This one case notwithstanding, it is an important reminder to be careful online. It’s also a good illustration of how Facebook conditions its users to give away their information, and of some of the risks that come with that.

In a nutshell, malicious applications can get access to your computer in three steps.

Step 1: Get users to share their information with the application

As with all Facebook applications, the first step of the process involved getting users to share their information with the application.

This doesn’t scare many Facebook users – they’re used to giving access to applications. This particular application informed people that someone had a secret crush on them. The resulting curiosity, combined with this conditioning, meant over 2 million people shared their information.

Step 2: Get users to invite others

The application then informs users that before they can proceed, they need to invite at least five friends to join too.

In a way, this is genius – people willingly spread the very application that causes the problem.

As Fortinet notes:

Since users have freely chosen to install the widget at the cost of disclosing their personal information, psychologically speaking it is difficult for them to stop the process at that point. Therefore, most of them will invite at least 5 friends to complete the process.

Step 3: Redirect users to the malicious site

In this case, the page redirected to an ad from Zango that redirected users to a page within their own site.

As applications can redirect a page frame to a third-party site, it would be easy to direct users to a well-designed site that cons people into installing malicious software.

Bottom line: Don’t be lulled into a false sense of security just because you’re on Facebook. Be careful with what you install on your computer. Everything isn’t always what it seems.