Anyone who has installed the third party Facebook application “Secret Crush” is at risk of installing spyware according to this report from security firm Fortinet. Apparently the app entices users by saying “one of your friends my have a crush on you” and then once installed it attempts to download the infamous spyware Zango. The malicious widget authors get rewarded with as much as over $1 USD upon each successful installation, according to Zango’s affiliate program rates (note that as of January 4, the widget changed its name from “Secret Crush” to “My Admirer” and as of today WebWare reports that Facebook has disabled the application completely).
Fortinet reports that over 1 million Facebook users may have been infected due to the aggressive way the application encourages invites to 5 or more friends. Effectively that point where viral marketing meets virus software:
This practically makes the widget a Social Worm. Unlike many social worms, the “Secret Crush” propagation strategy does not rely on phishing or any sort of user-space customization feature abuse (see our primer on social worms ). Rather, it relies on pure social engineering which is based on simple manipulation strategies such as “escalation of commitment”. Since users have freely chosen to install the widget at the cost of disclosing their personal information, psychologically speaking it is difficult for them to stop the process at that point. Therefore, most of them will invite at least 5 friends to complete the process. Even after that step, no crush of any sort is revealed
This is not the first time that mashups and widget security has been the topic of discussion as you can see some of our earlier reports including Mashups as Hacker’s Dream and Banned Books and the Big Brother Mashup.
It’s likely we’ll see more and more variations of mashups and widgets being used for phishing, spyware and other scams this year. The allure of access to such large user bases and the proliferation of open platforms are going to give security experts a whole new speciality.