UPDATE 4: 20th August Facebook have removed the six rogue apps mentioned below. Unfortunately 5 more have appeared over the course of today, they are called “Friends“, “Friends Gifts“, “Matching, “Poki” & “Your Photos” (same bat-name, different bat-app) bringing the total so far to 11. The new rogue apps take the same format as previously but use different application icons, have slightly more credible notifications to your friends and also now feature bogus notifications to the profile owner, presumably in an effort to persuade the victim to install further apps and maximise the fraudsters advertising returns.
Facebook notifications page
UPDATE 3: 19th August Rogue app number six just showed up and is unsurprisingly called “Inbox (1)”
UPDATE 2: 19th August:A fourth & fifth rogue app just surfaced, being spread by phony messages spammed out by the other rogue apps. The next applications to avoid/remove & block are called “Birthday Invitations” and “Inbox (2)” again they behave in the same manner as the others.
UPDATE 19th August: Make that “Three more rogue apps”. The rogue application “Stream” mentioned below, today started sending out notifications that lead to yet another rogue app.
Using an already compromised account, I loaded up the app page for the malicious app “Posts” today, it immediately messaged my friends with a link to the “Stream” app I have already blogged about. However, when I loaded up the “Stream” App page, it also sent out new messages, the link in the message went to an external (to Facebook) link, which in turn holds a redirection script that pushed me to another new malicious app called “Your Photos”
“Your Photos” looks exactly the same as the “Stream” and “Photos” apps, and also sends out rogue notifications pointing to the same script referenced above.
I am keeping Facebook informed of these developments as they arise and they are working hard to rectify the situation.
________________________________________________________________________________________
Original post follows:
I have been continuing to look into the Facebook phishing/rogue application story that I blogged about yesterday, because it wasn’t at all clear to me how the application “sex sex sex and more sex!!!” was generating those messages pointing to the malicious web site.
My research has turned up two further Facebook applications which this time have quite clearly been designed for malicious activity and can be clearly linked to the fucabook phishing.
When a victim logs in in using the bogus fucabook page, after entering their password for the first time, they are prompted with a screen asking for their password again “to use the full functionality of malicious application name”, (yesterday the bogus app was called Posts, today it is called Stream).
Once this application is added, it uses the image of one of your friends (because your apps can see any info that you can see) to tell you that someone has generously sent you a meaningless graphic. It also gives you options of how to respond to this dubious gift, but no button to act on those options. Stream and Posts both look the same.
The application then goes on to send spam to all your contacts, without asking for permission of course…
The notifications sent to friends all point back to the fucabook phishingsite. Worthy of note also is the fact that both malicious applications use the same graphical icon to identify themselves. The icon itself has been lifted from the very familiar and entirely trustworthy Facebook Wall application which most users will be used to seeing in their notifications on a regular basis, adding further surface credibility to the attack.
How the application “sex sex sex and more sex!!!” got involved is still unclear, but if the app itself is not malicious, then my current best guess would be application hijacking/hacking to kickstart the phishing/malicious application cycle seen here.
So like I said yesterday, always check the URL displayed in your browser’s address bar before entering any sensitive information. Also check the true destination of a link before clicking it, by hovering your mouse pointer over it. If it looks suspicious, don’t click it. Also, if you’re a Facebook user, now would be a good time to go and review your privacy settings and clear out any applications you no longer use
Trend Microhas informed Facebook of these findings.
Bookmark