Two more rogue Facebook apps linked to Fucabook scam

Discussion in 'Internet & Networking' started by Adrian Wong, Sep 5, 2009.

  1. Adrian Wong

    Adrian Wong Da Boss Staff Member

    The Problem

    Research has turned up two Facebook applications which this time have quite clearly been designed for malicious activity and can be clearly linked to the fucabook phishing.

    When a victim logs in using the bogus fucabook page, after entering their password for the first time, they are prompted with a screen asking for their password again “to use the full functionality of malicious application name” (yesterday the bogus app was called Posts, today it is called Stream).

    [IMG]

    Once this application is added, it uses the image of one of your friends (because your apps can see any info that you can see) to tell you that someone has generously sent you a meaningless graphic. It also gives you options of how to respond to this dubious gift, but no button to act on those options. Stream and Posts both look the same.

    [IMG]

    The application then goes on to send spam to all your contacts, without asking for permission of course…

    The notifications sent to friends all point back to the fucabook phishing site. Worthy of note also is the fact that both malicious applications use the same graphical icon to identify themselves. The icon itself has been lifted from the very familiar and entirely trustworthy Facebook Wall application which most users will be used to seeing in their notifications on a regular basis, adding further surface credibility to the attack.

    [IMG]

    How the application “sex sex sex and more sex!!!” got involved is still unclear, but if the app itself is not malicious, then my current best guess would be application hijacking/hacking to kickstart the phishing/malicious application cycle seen here.

    So always check the URL displayed in your browser’s address bar before entering any sensitive information. Also check the true destination of a link before clicking it, by hovering your mouse pointer over it. If it looks suspicious, don’t click it. Also, if you’re a Facebook user, now would be a good time to go and review your privacy settings and clear out any applications you no longer use.

    Trend Micro has informed Facebook of these findings.

    UPDATE 19th August: Make that “Three more rogue apps”. The rogue application “Stream” mentioned below, today started sending out notifications that lead to yet another rogue app.

    Using an already compromised account, I loaded up the app page for the malicious app “Posts” today; it immediately messaged my friends with a link to the “Stream” app I have already blogged about. However, when I loaded up the “Stream” app page, it also sent out new messages. The link in the message went to an external (to Facebook) link, which in turn holds a redirection script that pushed me to another new malicious app called “Your Photos”.

    “Your Photos” looks exactly the same as the “Stream” and “Photos” apps, and also sends out rogue notifications pointing to the same script referenced above.

    UPDATE 2: 19th August: A fourth & fifth rogue app just surfaced, being spread by phony messages spammed out by the other rogue apps. The next applications to avoid/remove & block are called “Birthday Invitations” and “Inbox (2)”; again, they behave in the same manner as the others.

    UPDATE 3: 19th August: app number six just showed up and is unsurprisingly called “Inbox (1)”.

    UPDATE 4: 20th August: Facebook have removed the six rogue apps mentioned below. Unfortunately 5 more have appeared over the course of today; they are called “Friends”, “Friends Gifts”, “Matching”, “Poki” & “Your Photos” (same bat-name, different bat-app), bringing the total so far to 11. The new rogue apps take the same format as previously but use different application icons, have slightly more credible notifications to your friends and also now feature bogus notifications to the profile owner, presumably in an effort to persuade the victim to install further apps and maximise the fraudsters’ advertising returns.
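    The advice in the post above (check the address bar before entering a password, and compare a link's visible text with where it really goes) can be turned into a small check. The following is an added example written for this thread, not code from the original post or from Trend Micro; the allow-list, the similarity threshold and all sample URLs are constructed for illustration. It generalises the fucabook case to two common lookalike patterns: a near-miss spelling of the real domain, and the real domain buried in the subdomain of an unrelated site.

```python
from difflib import SequenceMatcher
from urllib.parse import urlsplit

# Constructed allow-list: the sites the user genuinely intends to log in to.
TRUSTED_DOMAINS = ("facebook.com",)


def hostname_of(url: str) -> str:
    """Lower-cased hostname of a URL without a trailing dot; '' if unparsable."""
    if "://" not in url:
        url = "http://" + url          # tolerate bare 'www.example.com/path'
    host = urlsplit(url).hostname or ""
    return host.lower().rstrip(".")


def classify_login_url(url: str, trusted=TRUSTED_DOMAINS, threshold: float = 0.8) -> str:
    """Return 'trusted', 'lookalike' or 'unrelated' for the page a login form sits on.

    'lookalike' covers two phishing patterns:
      * a near-miss spelling of a trusted domain (fucabook.com vs facebook.com),
      * a trusted domain used as a subdomain of an unrelated site
        (facebook.com.login.example.net, which example.net controls).
    The 0.8 similarity threshold is an assumed tuning value, not a standard.
    """
    host = hostname_of(url)
    if not host:
        return "unrelated"
    for good in trusted:
        # The real site or one of its own subdomains (www.facebook.com, apps.facebook.com).
        if host == good or host.endswith("." + good):
            return "trusted"
    # The last two labels are what actually controls the page.
    labels = host.split(".")
    registrable = ".".join(labels[-2:])
    for good in trusted:
        # Trusted name embedded in the subdomain part of someone else's domain.
        if host.startswith(good + ".") or ("." + good + ".") in host:
            return "lookalike"
        # Near-miss spelling of the registrable domain.
        if SequenceMatcher(None, registrable, good).ratio() >= threshold:
            return "lookalike"
    return "unrelated"


def link_text_mismatch(anchor_text: str, href: str) -> bool:
    """True when the link text shows one domain but the href leads to another.

    This is the automated form of 'hover over the link and compare'.
    Plain words such as 'click here' make no domain claim and are not flagged.
    """
    shown = hostname_of(anchor_text.strip())
    if not shown or "." not in shown:
        return False
    actual = hostname_of(href)
    return not (actual == shown or actual.endswith("." + shown))


if __name__ == "__main__":
    # Constructed sample links of the kind a rogue-app notification might carry.
    samples = [
        ("www.facebook.com", "http://www.facebook.com/login.php"),
        ("www.facebook.com", "http://fucabook.com/login"),
        ("click here", "http://facebook.com.login.example.net/"),
    ]
    for text, href in samples:
        print(f"{href:45} page={classify_login_url(href):9} "
              f"text-mismatch={link_text_mismatch(text, href)}")
```

Running the block prints one line per constructed sample; the fucabook URL is reported as a lookalike and its link text as mismatching, while the genuine www.facebook.com link passes both checks. The registrable-domain check is deliberately crude (it assumes a two-label registrable domain), which is enough for a .com allow-list but would need a public-suffix list for domains such as co.uk.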
     
  2. karhoe

    karhoe Newbie

    Thanks for sharing, but there are also some facebook groups which claim that they are able to allow you to see who 'viewed' your profile by joining the group and inviting 20 other ppl LOL
     
  3. The_YongGrand

    The_YongGrand Just Started

    Oh man, I almost pressed that thing. Fortunately you notified us of it!

    I never play many applications on my Facebook nowadays. Only those boring quizzes. Then, those quizzes, most of them, are either dead inaccurate, or silly. I guess it's just entertainment! :haha:
     
  4. ToyotaFreak

    ToyotaFreak Just Started

  5. Adrian Wong

    Adrian Wong Da Boss Staff Member

    We all have to be really careful these days.
     
  6. The_YongGrand

    The_YongGrand Just Started

    And I don't really use Facebook nowadays. Some of those applications are just... suspicious! :haha:
     
