| | #1 (permalink) |
| Da Boss Join Date: 10 Oct 2002 Location: In front of my ASUS F8V notebook!
Posts: 32,299
Reputation: 3574 Rep Power: 75 |

The Problem

Research has turned up two Facebook applications which this time have quite clearly been designed for malicious activity and can be clearly linked to the fucabook phishing. When a victim logs in using the bogus fucabook page, after entering their password for the first time, they are prompted with a screen asking for their password again “to use the full functionality of malicious application name” (yesterday the bogus app was called Posts, today it is called Stream).

Once this application is added, it uses the image of one of your friends (because your apps can see any info that you can see) to tell you that someone has generously sent you a meaningless graphic. It also gives you options of how to respond to this dubious gift, but no button to act on those options. Stream and Posts both look the same.

The application then goes on to send spam to all your contacts, without asking for permission of course… The notifications sent to friends all point back to the fucabook phishing site. Worthy of note also is the fact that both malicious applications use the same graphical icon to identify themselves. The icon itself has been lifted from the very familiar and entirely trustworthy Facebook Wall application which most users will be used to seeing in their notifications on a regular basis, adding further surface credibility to the attack.

How the application “sex sex sex and more sex!!!” got involved is still unclear, but if the app itself is not malicious, then my current best guess would be application hijacking/hacking to kickstart the phishing/malicious application cycle seen here.

So always check the URL displayed in your browser’s address bar before entering any sensitive information. Also check the true destination of a link before clicking it, by hovering your mouse pointer over it. If it looks suspicious, don’t click it.

Also, if you’re a Facebook user, now would be a good time to go and review your privacy settings and clear out any applications you no longer use.

Trend Micro has informed Facebook of these findings.

UPDATE 19th August: Make that “Three more rogue apps”. The rogue application “Stream” mentioned below today started sending out notifications that lead to yet another rogue app. Using an already compromised account, I loaded up the app page for the malicious app “Posts” today, and it immediately messaged my friends with a link to the “Stream” app I have already blogged about. However, when I loaded up the “Stream” app page, it also sent out new messages. The link in the message went to an external (to Facebook) link, which in turn holds a redirection script that pushed me to another new malicious app called “Your Photos”. “Your Photos” looks exactly the same as the “Stream” and “Photos” apps, and also sends out rogue notifications pointing to the same script referenced above.

UPDATE 2: 19th August: A fourth & fifth rogue app just surfaced, being spread by phony messages spammed out by the other rogue apps. The next applications to avoid/remove & block are called “Birthday Invitations” and “Inbox (2)”; again they behave in the same manner as the others.

UPDATE 3: 19th August: App number six just showed up and is unsurprisingly called “Inbox (1)”.

UPDATE 4: 20th August: Facebook have removed the six rogue apps mentioned below. Unfortunately 5 more have appeared over the course of today. They are called “Friends”, “Friends Gifts”, “Matching”, “Poki” & “Your Photos” (same bat-name, different bat-app), bringing the total so far to 11. The new rogue apps take the same format as previously but use different application icons, have slightly more credible notifications to your friends and also now feature bogus notifications to the profile owner, presumably in an effort to persuade the victim to install further apps and maximise the fraudsters’ advertising returns.
__________________ Dr. Adrian Wong Tech ARP | Blog @ Tech ARP | The Free Trade Zone DYKT : The only offshore account I have is at the sand bank? We need PROGRAMMERS and TECHNICAL WRITERS! Contact us if you are a hot shot programmer or technical writer! My items for sale : 50x SD Card | Memory Stick PRO | Cyclone Energy Saver | Seiko SS watch | Tiger/Carlsberg beer jugs | Travel Speakers | Motorola V600 | Nokia N90 SOLD! | New Lowepro Mini Trekker AW Other items for sale @ the FTZ : Zalman CNPS9500 LED @ $20 | Zalman CNPS7700 Cu @ $20 | Zalman CNPS7000 Cu @ $20 | Swarovski bracelet watches | Dell 17" LCD | Hi-Fi speakers | English DIVX movies | HP LaserJet toners! | Office chairs |
| | #3 (permalink) | |
| Hyperactive Join Date: 12 Feb 2005 Location: Somewhere in 甲洞...
Posts: 2,744
Reputation: 1144 Rep Power: 18 | Quote:
I never played many applications on my Facebook nowadays. Only those boring quizzes. Then, those quizzes, most of them, are either dead inaccurate, or silly. I guess it's just entertainment!
__________________ Intel Core 2 Duo E7200, 2GB DDR2-667 RAM, Gigabyte 945GCMX-S2, Sapphire ATi Radeon HD4850 512MB DDR3 Intel Pentium Dual Core E2140, 2GB DDR2-667 RAM, Asus P5B-E Plus, nVidia Geforce 7950GT 512MB DDR3 | |
| | #4 (permalink) |
| Hyperactive Join Date: 16 Dec 2003 Location: Perth, Kuala Lumpur, TechARP, The Internet & Bangkok.
Posts: 4,094
Reputation: 1613 Rep Power: 26 | Looks like there's another rogue app currently making the rounds: “Facebook Fan Check Virus Infects Your Account”. Also, I suspect that pickupfriends could be a spin-off.
__________________ ToyotaFreak A.K.A. Alister A.K.A. Chanarong. My Facebook-> http://www.facebook.com/profile.php?id=661728346 My iMeem-> http://www.imeem.com/people/hjAYrnW TOCAU-> http://au.toyotaownersclub.com/forums/ Kamei No Rifurijita (Forum dedicated to Eri Kamei. And it's in English!)-> http://www.everything-eririn.net/forum |
| | #5 (permalink) |
| Da Boss Join Date: 10 Oct 2002 Location: In front of my ASUS F8V notebook!
Posts: 32,299
Reputation: 3574 Rep Power: 75 | We all have to be really careful these days.
| | #6 (permalink) |
| Hyperactive Join Date: 12 Feb 2005 Location: Somewhere in 甲洞...
Posts: 2,744
Reputation: 1144 Rep Power: 18 | And I don't really use Facebook nowadays. Some of those applications are just... suspicious!