Malicious Facebook App Propagates via Users

02.26.2010 - 5:00 PM

The latest scam targeted at Facebook users hit the public today. The rogue app, which comes in many variants of "Who is checking your profile?", has improved its technique beyond the previous attacks we've seen. Rather than spreading a single app that Facebook can easily block, it tricks users into propagating the exploit by creating a brand new Facebook application that hands over the controls to the bad guys.

The attack starts with a friend, whom you trust, posting a link on your wall, asking you who is checking your profile. It also entices you by telling you that your friend is viewing your profile.

The draw itself has been around for a long time, and the idea of being able to tell which users have looked at your profile is an attractive proposition. But Facebook policy and the API itself prevent this capability, which means that all applications that promise this feature are bogus.

While the technique of enticing users with "Who is checking your profile?" isn't new, this particular propagation technique hasn't been seen before. Users are asked to create their own Facebook application, a process that Facebook has made really simple. Then, when the user enters their application's API key and application secret, the new application is used to clone one of the template spam applications, each with a different name and icon to entice users.

Step-by-Step: How does this work? (Don't try this at home)

Step 1. You receive a notification or post from one of your infected friends.

Step 2. You click on the notification or post and are taken to the Authorize application dialog.

Note: The application's profile page can also be viewed at this point.

This particular instance has 57 fans.

Step 3. You authorize the application (Allow).

Step 4. You grant the application extended permissions to post messages.

Step 5. You get to see who is viewing your profile!

It seems to list all, or a random subset, of your friends. All of your friends also receive notifications from you!

Step 6. The application asks you to post a message about it to your stream.

Step 7. From the application, you click on a link or just wait to be redirected to hxxp://174.143.183.99/.

Step 8. Following the instructions on the screen, which aren't so simple, you add the Facebook Developer App.

Step 9. You "Click Here" to create a new application.

Step 10. You choose a name (which will be overwritten anyway), then agree and save.

Step 11. You copy your application's API Key and Secret (don't try this at home) into the form and submit it.

Note: The form is POSTed to a randomly-selected host, probably a compromised machine belonging to a botnet.

Step 12. Some of the applications have already been blocked by Facebook. If this happens, you may go back and refresh the page, enter your information again, and re-submit. This will work eventually.

Step 13. You will then be asked to add another clone application, created by someone else who fell for this attack like you did. This cycle could continue forever.

What should you do?

The most important thing for Facebook users to remember is that clicking “Allow” authorizes an application, and by doing so you are giving it the proverbial “keys to the kingdom.” Do not add any applications that you do not trust. You can assess an application’s reputation by clicking on the application name *without authorizing the application*. Look at the reviews of the application to see what other users are saying about it. The reviews of spam applications typically say so.

Spam applications

Here is a sample list of a few of the application names we found:
Who Block me?
Who is in your mind?
Who Always Look into My Profile??
Who Always stalks Your Profile?
Who has checked your profile?
Who Always Appear Offline??
Who stalks your profile?
Who has seen my profile
Who is peeping your profile?
Baby nanny
Who Always Look into My Album??
Who loves you?
Who has Viewed Your profile?
Who had read my profile?
Who often check my album?
Whos viewing my profile
Who always Block me?
Who is reading your information?
Who love you?
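The lure wording is consistent across the variants: a "who" question, a viewing verb, and a profile or album. That makes it easy to flag in wall posts and application names. The following Python snippet is an added example, not code from the original post or from the Defensio product; the wall posts it scans are constructed, and the application names are the ones listed above.

```python
import re

# Lure pattern distilled from the application names above: "who", then a
# viewing/stalking verb, then the thing supposedly viewed, within a short span.
_WHO = r"\bwho(?:'?s)?\b"
_VERB = r"\b(?:view|check|stalk|look|peep|read|see|seen|saw|watch|visit)\w*"
_OBJECT = r"\b(?:profile|album|information|info|page)\b"
_LURE_RE = re.compile(
    _WHO + r".{0,40}?" + _VERB + r".{0,40}?" + _OBJECT,
    re.IGNORECASE | re.DOTALL,
)

# Application names quoted in the post above (verbatim, typos included).
SPAM_APP_NAMES = [
    "Who Block me?", "Who is in your mind?", "Who Always Look into My Profile??",
    "Who Always stalks Your Profile?", "Who has checked your profile?",
    "Who Always Appear Offline??", "Who stalks your profile?", "Who has seen my profile",
    "Who is peeping your profile?", "Baby nanny", "Who Always Look into My Album??",
    "Who loves you?", "Who has Viewed Your profile?", "Who had read my profile?",
    "Who often check my album?", "Whos viewing my profile", "Who always Block me?",
    "Who is reading your information?", "Who love you?",
]


def is_profile_viewer_lure(text: str) -> bool:
    """True when the text promises to reveal who looked at a profile or album,
    a feature the Facebook API does not offer, so every such promise is bogus."""
    return _LURE_RE.search(text) is not None


def lure_named_apps(names=SPAM_APP_NAMES):
    """Subset of application names that carry the profile-viewer promise."""
    return [n for n in names if is_profile_viewer_lure(n)]


def scan_wall_posts(posts):
    """Return the ids of posts whose text or attached app name is a lure.
    Each post is a dict with 'id', 'app' (name or None) and 'text'."""
    flagged = []
    for post in posts:
        candidates = [post["text"]] + ([post["app"]] if post.get("app") else [])
        if any(is_profile_viewer_lure(c) for c in candidates):
            flagged.append(post["id"])
    return flagged


# Constructed sample wall posts (not captured data).
SAMPLE_POSTS = [
    {"id": 1, "app": "Who has checked your profile?", "text": "Alice is viewing your profile!"},
    {"id": 2, "app": None, "text": "Who wants to see the movie tonight?"},
    {"id": 3, "app": "Baby nanny", "text": "Who always stalks your profile? Click to find out"},
    {"id": 4, "app": None, "text": "Check out the new album from my trip"},
]
```

Names such as "Who Block me?" or "Baby nanny" are not caught by this rule because they do not make the profile-viewer promise; a production filter would combine it with the application's reputation and reviews, as the post recommends.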

We have notified the Facebook Security Team and are working with them to protect users against these malicious applications.

We also suggest that you install our Defensio application for Facebook. It will check your wall and any post for spam and malicious messages.

Security Researchers: Erik Buchanan and Jason Pope