Facebook hack fuels Web 2.0 concerns

Researchers at security gateway vendor Fortinet have uncovered an adware-distribution scheme being carried out on the Facebook social networking site considered to be the first attack propagated on the wildly popular online portal.

Disguised as a legitimate "Secret Crush" request on the site designed to inform Facebook users about other members who find them attractive, the application instead attempts to secretly install an adware program made by Zango after it has been successfully downloaded, according to Fortinet.

Zango officials denied that the Secret Crush program installs their adware program secretly, however, claiming instead that the application leads Facebook users to a Web page where they are given the opportunity to opt-in to use of its software by choice and presented with a legitimate end-user licensing agreement.

The Secret Crush program also tries to lure people who download the file to pass it along to other Facebook members they know, according to Fortinet's research.

The security vendor also contends that as many as 3 percent of Facebook's almost 60 million registered users have already downloaded the adware-bearing program.

And while it appears that the attack has been unearthed by Facebook users themselves as worthless -- as the program does not actually deliver the social networking function it originally promises and has been highlighted as such on the site by people who have already downloaded it -- Fortinet experts said that the threat should be viewed by users of the portal, and its operators, as a sign of more dangerous attacks that will come.

Facebook officials did not immediately respond to calls seeking comment on the Secret Crush adware threat.

Dubbed specifically as a "malicious widget" by the security researchers, the attack illustrates the growing capability of badware distributors to tap into the trusted relationships fostered among users of social networking sites to pass out their latest threats.

MySpace, an even larger social networking site with an estimated 250 million users, has been subverted on multiple occasions by malware attackers during the last year.

"The main thing people haven't realized is that in the current threat landscape, where all the threats are monetized, traffic equals money in the eyes of the attackers, and you can find more traffic than ever at these social networking sites," said Guillaume Lovet, a regional manager of Fortinet's Threat Response Team.

Lovet said that because Facebook and MySpace users tend to trust content coming from members they are already familiar with, the social networking sites, when compromised, represent an ideal opportunity for malware distributors seeking a new environment to carry out their scams.

"At its core, Facebook is an incredible online marketing tool, people are on there openly providing their names, birthdays and a wealth of other information about their religious and political views, or their favorite books and movies," Lovet said. "If attackers have access to all that data, they can use it to craft attacks and use popular demographics they discover to create additional threats that tap into any of those themes."

For instance, if attackers are able to mine Facebook profile data to deduce that a large number of people within a certain age group have recently seen a particular movie, they might attempt to create a threat that poses as content related to the film and send it out to everyone who fits in that demographic, Lovet said.