Researchers at security gateway vendor Fortinet have uncovered an adware-distribution scheme being carried out on the Facebook social networking site considered to be the first attack propagated on the wildly popular online portal.
Disguised as a legitimate "Secret Crush" request on the site designed to inform Facebook users about other members who find them attractive, the application instead attempts to secretly install an adware program made by Zango after it has been successfully downloaded, according to Fortinet.
Zango officials denied that the Secret Crush program installs their adware program secretly, however, claiming instead that the application leads Facebook users to a Web page where they are given the opportunity to opt-in to use of its software by choice and presented with a legitimate end-user licensing agreement.
The Secret Crush program also tries to lure people who download the file to pass it along to other Facebook members they know, according to Fortinet's research.
The security vendor also contends that as many as 3 percent of Facebook's almost 60 million registered users have already downloaded the adware-bearing program.
And while it appears that the attack has been unearthed by Facebook users themselves as worthless -- as the program does not actually deliver the social networking function it originally promises and has been highlighted as such on the site by people who have already downloaded it -- Fortinet experts said that the threat should be viewed by users of the portal, and its operators, as a sign of more dangerous attacks that will come.
Facebook officials did not immediately respond to calls seeking comment on the Secret Crush adware threat.
Dubbed specifically as a "malicious widget" by the security researchers, the attack illustrates the growing capability of badware distributors to tap into the trusted relationships fostered among users of social networking sites to pass out their latest threats.
MySpace, an even larger social networking site with an estimated 250 million users, has been subverted on multiple occasions by malware attackers during the last year.
"The main thing people haven't realized is that in the current threat landscape, where all the threats are monetized, traffic equals money in the eyes of the attackers, and you can find more traffic than ever at these social networking sites," said Guillaume Lovet, a regional manager of Fortinet's Threat Response Team.
Lovet said that because Facebook and MySpace users tend to trust content coming from members they are already familiar with, the social networking sites, when compromised, represent an ideal opportunity for malware distributors seeking a new environment to carry out their scams.
"At its core, Facebook is an incredible online marketing tool, people are on there openly providing their names, birthdays and a wealth of other information about their religious and political views, or their favorite books and movies," Lovet said. "If attackers have access to all that data, they can use it to craft attacks and use popular demographics they discover to create additional threats that tap into any of those themes."
For instance, if attackers are able to mine Facebook profile data to deduce that a large number of people within a certain age group have recently seen a particular movie, they might attempt to create a threat that poses as content related to the film and send it out to everyone who fits in that demographic, Lovet said.
The inherent power of social networking sites and their ability to allow individuals to find each other and communicate directly will help attackers use people, rather than technology, to spread their latest work in the future, according to the researcher.
People are also more likely to provide more information about themselves or their contacts to an unknown application once they have begun downloading it, simply to gain the initial functionality it has promised, he said.
Fortinet refers to this trend as the "escalation of commitment" effect.
"In the case of Secret Crush, it's worth noting that this is a social worm, not something traditional being spread via some malicious code. It is manipulating humans to pass it along it on their own," Lovet said. "And once people have been pushed into installing an application, it's easier to ask for more information to get them to finish the install. Once people have already invested some of their time, and shared some of their information with a new program, they are far more likely to share even more data to get access to the capabilities it is offering."
Security experts have tabbed the use of social networking sites including MySpace and Facebook for the delivery of malware as one of the most significant trends they expect to emerge during 2008.
As such, many vendors are actively encouraging businesses to block or monitor use of the programs to protect their networks and computers from being infected by nefarious applications.
"Businesses need to adjust their security and usage policies to address the realities of the Web 2.0 world," said Paul Henry, vice president of technology evangelism at security gateway maker Secure Computing.
"Their Internet use policies need to include social networking sites, blogs, and music and video-sharing sites, and the permissions need to be spelled out specifically," Henry said. "Beyond that they need technical safeguards to help enforce those policies where necessary. The troubling part about this is that most companies are still having problems dealing with far more traditional threats."
This article was updated on Jan. 7, 2008.