While researching Web sites that host malicious software, Roger Thompson, chief research officer of software security company AVG, noticed something funny. A Russian Web site known for hosting malware was getting lots of referrals from Facebook.
On further investigation, Thompson found the referrals were coming from a Facebook application called "City Fire Department," a game where multiple players respond to emergency calls. The application had been modified to deliver an iframe, which is a way to bring content from one Web site into another.
The iframe serves up code that tries to exploit vulnerabilities in a PC's software. If it finds one -- a process that happens nearly instantly -- it then downloads a fake anti-virus program called Antivirus Pro 2010. Thompson posted screenshots on AVG's blog.
Bogus anti-virus programs have been around for a long time, but they've become an increasing nuisance this year as those who create them seemed to have stepped up their game. When installed on computers, the programs nag users to buy them. The applications, which can cost upward of $60, are generally useless against real security threats.
Thompson thought the people who wrote City Fire Department might be behind the scam. But the malicious code was actually hosted on Facebook, which led Thompson to theorize that the developers of City Fire Department inadvertently had their Facebook passwords obtained by a hacker, after which the application was modified.
The password credentials could have been compromised through a phishing scam, or a developer's PC could have been hacked. City Fire Department's developers acknowledged a problem on Facebook on Thursday.
"The application has been taken offline until we can resolve all issues," according to the post. "We understand the frustration some users are feeling, and we will update with a timeline as soon as we can. Obviously, we would rather have a properly functioning game running instead of a half-working game."
Facebook has been notified. The social-networking site "certainly takes security seriously, and they respond very quickly but the stuff that comes out of left field is hard to defend against," Thompson said.
Three or four other applications had also been modified, Thompson said. Facebook can deactivate the applications until they are cleaned up. The situation also poses a danger to enterprises, who may allow their users access to Facebook through their firewall, thus opening a vector to deliver malware.
"The corporate firewall doesn't provide any security," Thompson said.
Facebook representatives could not be immediately reached for comment.