August 19, 2009 2:45 PM PDT

Rogue Facebook apps steal log-in data, send spam

by Elinor Mills

Security firm Trend Micro warned on Wednesday that a handful of rogue Facebook apps are stealing log-in credentials and spamming victims' friends.

So far, six malicious applications have been identified: "Stream," "Posts," "Your Photos," "Birthday Invitations," "Inbox (1)," and "Inbox (2)," according to a blog post by Trend Micro researcher Rik Ferguson.

As of Wednesday afternoon, all of the apps were live except for "Stream," he said in an e-mail.

This screenshot shows evidence of the phishing scam on Facebook.

(Credit: Trend Micro)

The activity started earlier in the week with a Facebook notification Ferguson says he got from an app called "sex sex sex and more sex!!!," which has more than 287,000 fans. The notification said that someone had commented on one of his posts. That app doesn't appear to be malicious and may have been compromised somehow to begin the distribution of the spam, he said.

That first notification included hyperlinks that led to a phishing site on the "fucabook.com" domain, allegedly registered to someone in Armenia, he said. Once Ferguson gave up his credentials (for a Facebook account he uses for research purposes) he was directed to Facebook and to an application install screen for the app called "Posts."

He installed that app, and immediately his friends were spammed with a bogus notification, "Profile_name has sent you a message," carrying a hyperlink to the phishing site.

On Tuesday, the first couple of apps were sending notifications that linked to the fucabook phishing site, but by Wednesday the destination had changed to a bare IP address rather than a domain name, he said. A JavaScript that loads Facebook then bounces the browser among the six rogue apps to get them widely installed, and the cycle continues, he said.

All the apps look and act exactly the same and include ads.

"I am keeping Facebook informed of these developments as they arise and they are working hard to rectify the situation," Ferguson wrote on his blog.

A Facebook spokeswoman said the company was looking into the matter and would provide more comment later.

Ferguson recommends that Internet users always check the URL displayed in the browser address bar before entering any sensitive information on a site and hover the mouse over a hyperlink to see the URL. Facebook users should also review their privacy settings regularly and delete any applications they no longer use, he said.
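The advice above (compare where a link really goes with the site you expect) can be applied mechanically to a notification before anyone clicks it. The following is an added example written for this article; it is not code from CNET, Trend Micro or Facebook. It extracts the links from a constructed notification body, then flags three of the patterns the article describes: a look-alike domain such as fucabook.com (small edit distance from facebook.com), a bare IP address used in place of a domain name, and a host that merely embeds a trusted name as a prefix. The trusted-domain set, the sample HTML and the edit-distance threshold are assumptions made for the example.

```python
"""Classify hyperlinks in a notification before trusting them (added example)."""
import ipaddress
from html.parser import HTMLParser
from urllib.parse import urlparse

# Domains the user expects notifications from (assumption for this example).
TRUSTED_DOMAINS = {"facebook.com"}


def registrable_domain(host: str) -> str:
    """Return the last two labels of a host, e.g. apps.facebook.com -> facebook.com.
    Simplified on purpose (no public-suffix list); good enough for the example."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; a small value against a trusted domain means look-alike."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def is_ip_literal(host: str) -> bool:
    """True when the host part of the URL is a bare IPv4/IPv6 address."""
    try:
        ipaddress.ip_address(host.strip("[]"))
        return True
    except ValueError:
        return False


def classify_link(href: str, trusted=TRUSTED_DOMAINS) -> str:
    """Return 'trusted', 'ip-address', 'lookalike' or 'unknown' for a link target."""
    host = urlparse(href).hostname or ""
    if not host:
        return "unknown"
    if is_ip_literal(host):
        # The article notes the phishing links later pointed at a plain IP address.
        return "ip-address"
    domain = registrable_domain(host)
    if domain in trusted:
        return "trusted"
    # Threshold of 2 is an assumption; fucabook.com is 2 edits from facebook.com.
    if any(edit_distance(domain, t) <= 2 for t in trusted):
        return "lookalike"
    return "unknown"


class LinkExtractor(HTMLParser):
    """Collect (anchor text, href) pairs from an HTML notification body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None


def review_notification(html: str, trusted=TRUSTED_DOMAINS):
    """Return [(anchor text, href, verdict), ...] for every link in the notification."""
    parser = LinkExtractor()
    parser.feed(html)
    return [(text, href, classify_link(href, trusted)) for text, href in parser.links]


# Constructed sample, loosely modelled on the notification the article describes.
SAMPLE = (
    "<p>Profile_name has sent you a message. "
    '<a href="http://www.fucabook.com/login">View message</a> or '
    '<a href="http://192.0.2.10/fb/">open your inbox</a>. '
    '<a href="http://apps.facebook.com/posts/">Manage apps</a></p>'
)

if __name__ == "__main__":
    for text, href, verdict in review_notification(SAMPLE):
        print(f"{verdict:11} {text!r:20} -> {href}")
```

Only the host part of the URL is compared, which is the point of the article's advice: the visible link text and the path can say anything. A host such as `facebook.com.evil.example` comes back as `unknown` rather than `trusted` because only the registrable domain is matched.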

Elinor Mills covers Internet security and privacy. She joined CNET News in 2005 after working as a foreign correspondent for Reuters in Portugal and writing for The Industry Standard, the IDG News Service, and the Associated Press.
9 Comments
by Pete Bardo August 19, 2009 3:05 PM PDT
I detest those Facebook apps, and not just the ones listed here. Please don't send me gifts or drinks or quizzes or any of that crap!
by cyberslick50 August 19, 2009 3:28 PM PDT
People should also be eagerly awaiting the Facebook application that spams text messages. Unfortunately these applications get verification to pull data from your profile, and if anybody out there has entered their home address or cell phone number in an attempt to keep their friends up to speed, they are also potentially putting themselves at risk to these types of applications. Imagine an application that sends advertisements or bomb texts to somebody who made the mistake of sharing their mobile number on a site they haphazardly accept friend and "application" requests at. Pandemonium! Do you think Facebook or the carriers will refund those charges? I think not. Be careful people. Take that recommendation to heart and CHECK the ACTUAL site you are submitting data to. Simply hover over the link and check the bar at the bottom of your browser. Simple.
by gggg sssss August 19, 2009 4:46 PM PDT
bad on facebook to create apps that can do anything with data. Die facebook die
by kraterz August 20, 2009 2:07 AM PDT
Who has the time to waste on facebook apps? The less info they gather from you the better. People seem to have forgotten about privacy and how personal info can be misused, in the thrill of playing with new toys (apps).
by Internet-Lawyer August 20, 2009 3:59 AM PDT
The problem with Spam is not that it exists. SPAM is Legal. The problem is the collection methodologies used by the Spammers. As an Internet Lawyer (http://www.web20lawyer.com) I often work on bringing online direct marketers' practices into legal compliance. Most assume that SPAM is illegal. In fact it's a legal practice if done correctly.
by waxoval August 20, 2009 4:15 AM PDT
"Most assume that SPAM is illegal. In fact its a legal practice if done correctly."

and that makes it ok then?
by gggg sssss August 20, 2009 5:59 AM PDT
well in the US at least, UCE IS illegal.
by santuccie August 20, 2009 6:04 PM PDT
Actually, "spam" is by definition unsolicited, be it through e-mail, forums, chat rooms, IM, VoIP, or otherwise. UCE is just one form of e-mail spam, usually involving an advertisement for a real company. Another type of spam is phishing; and yet another is a letter purporting to be from a long-lost friend, carrying a botnet Trojan with hopes of adding your machine to their network.

@Internet-Lawyer: I won't assume you don't know what you're talking about, but even experts can overlook minor details. Commercial e-mail is legal if the recipient has done business with the sender and agrees to receive advertisements from them and/or their partners (whether or not they read the fine print), or if the recipient has joined an opt-in list. But unsolicited correspondence is indeed illegal, whether or not it bears a "CAN-SPAM" compliance statement or an "unsubscribe" link.
by wiindwalker October 2, 2009 11:37 AM PDT
I am done with facebook
About InSecurity Complex

Elinor Mills became fascinated with hacker culture when she was sent to Las Vegas to cover DefCon in 1995. Since then, script kiddies have given way to cyber criminals targeting bank passwords, and privacy risks are everywhere, from Google to Facebook and the iPhone. InSecurity Complex keeps tabs on the flaws, the foibles, and the fixes.