This week, on two separate occasions, Facebook users were pestered by rogue Facebook applications that spread using a mix of social engineering techniques. In the cases of “Error Check” and the latest Facebook application, where users are told they have been reported for Terms of Service violations, the rogue apps exploit the trust that some users place blindly in social media.
Rogue Facebook apps lead to an issue of trust. Image: Facebook.
The first application, called “The Error Check System”, started showing up in Facebook profiles last weekend. Earlier this week, it had spread to several Facebook users and gained the attention of the press. The application shows up with a warning to Facebook users that some friends have “faced some errors when checking your profile.” There is an included link within the message, which supposedly fixes this issue for the user.
Once the link is clicked, however, the rogue app simply prompts for activation, unlike normal Facebook applications, where permission has to be granted before profile information is accessed. This activation triggers the “error correction” and grants the app permission to access the user’s profile. The “error checks” fail to resolve anything, but the app then offers the user the chance to check their friends’ profiles for errors, which is how it spread.
While all of this was happening, Trend Micro noticed there was an instant SEO benefit to the authors of the application.
“The search term ‘Error Check System’ returned results that were actually pointing to malware and rogue AV applications. It appears then, that the purpose of this Facebook application, other than to steal profile information, is to drive people to Google where dangerous links are ready and waiting.”
David Perry, Trend Micro director of Global Education, described the rogue applications as a “classic example of where you can cheat the honest man.”
He explains this using the classic Nigerian email scams as an example. The Nigerian emails exploit a person’s greed: the victims want large sums of money tax free and, while this is a crime, they hope to get away with it, so they hand over personal information. Error Check works on the same basic level but with a twist: it appeals to a person’s honesty. Most people who fell for this trick were simply trying to help a friend.
“The details change but the heart of it remains the same,” Perry said when discussing the SEO ramifications of the Error Check outbreak. He explains that schemes like this have been seen before, as criminals have been exploiting SEO for a long time.
“Bad guys are no longer amateurs. We’re not dealing with a kid in his grandmother’s basement,” Perry adds. The criminals are exploiting the trust people place in Web search results. After all, if Google displayed the link, then it must be legit.
Search engines are golden eggs. Millions of people use them, so poisoning links is only natural for crooks. With millions of users worldwide, Perry said it is no surprise to see poisoned results when people searched for Error Check.
“The biggest mistake end users can make is to think that criminals care who they are as an individual. This is wholesale crime, not retail crime.”
When information is lifted from a social networking site, as was the case with Error Check, Perry explains that the ones who pulled it off care little about the person who owns the profile. The information is collected, sorted, placed on various lists, and then passed up the criminal chain to be sold.
A second rogue Facebook application then started spreading, but was quickly shut down. This one alerted users that one of their friends – using a real name from the user's friend list – had reported them for Facebook Terms of Service violations.
The message: “%friend_name% has just reported you to Facebook for violating our Terms of Service. – This is your official warning! – [Click here to find out why you were reported!] – Request Facebook look at what has happened and rule immediatley.”
Compared to the first application Facebook users were hit with, the poor language structure of the second should have raised red flags immediately. This is an interesting observation, considering that the first rogue application had spelling errors as well.
In the case of both applications, the ultimate goal appears to have been information gathering. There is the added bonus of SEO, but that would have been planned during the development of the rogue Facebook applications, as the people who host the malicious AV sites and the people who developed the Facebook apps are either one and the same or working as a team.
Some of the questions raised by security professionals and the Facebook community ask why Facebook isn’t altering its policy on hosted applications. In light of this new series of developments, there is clearly a need for something on Facebook’s side to change. The question is what, and how? Facebook cannot simply revamp the entire application hosting policy, which is something that attracts users and fuels the service's business model.
Another question, one that has been around for some time, is whether we should trust social media and social networking at all. Millions of profiles are online, but the information posted to them can be used against the user. Sometimes it can cost you your job. Sometimes it exposes personal information, and other times it helps criminals gain access to networks and information, as pentesters have demonstrated recently.
There are plenty of tips and pieces of advice on social media and social networking precautions, but perhaps the single best one to bear in mind at all times is that anything personal you place online is there forever, and it can be discovered. Often, it is discovered at the exact moment you wish no one would ever find it.
[Note: Images are copyright www.allfacebook.com and used with permission, courtesy of Nick O'Neill.]
[Updated to add comments from Trend Micro]