Facebook widget installs Zango spyware

Fortinet Global Security Research Team discovered a malicious Facebook Widget actively spreading on the social networking site which ultimately prompts users to install the infamous “Zango” adware/spyware.

The malicious widget, called “Secret Crush” first appears as a Facebook request, as shown below in Figure 1:

In opening the request, the recipient is informed that one of his/her friends has invited him/her to find out more information by using “Secret Crush” (this happens frequently with Facebook’s Platform Application). Figure 2 exhibits the social engineering speech employed by the malicious widget to get the user to install it. On first glance, it does seem like the friend who has sent the notification is the one having a “crush” on the targeted user. This is actually not the case, as discussed further below.

Clicking the “Find Out Who!” button leads to the standard third-party application install page (see Figure 3 below), essentially stating that the referred application will be granted access to user’s details upon installation.

Such terms of use do not really scare anyone anymore, since they are displayed in all third-party application installations on Facebook. In other words, users have already been seeded with the idea of not worrying about giving access to their personal information. Further, this is a risk one may consider reasonable to take to in order to find out who has a crush on him/her. Intriguing user curiosity is exactly what the social engineering leverages. Unfortunately, as displayed in Figure 4, once the terms are accepted the time for the revelation has not yet come: “Before you can find out who might have a crush on you, you need to invite at least 5 friends!”.

This practically makes the widget a Social Worm. Unlike many social worms, the “Secret Crush” propagation strategy does not rely on phishing or any sort of user-space customization feature abuse (read Fortinet’s primer on social worms). Rather, it relies on pure social engineering which is based on simple manipulation strategies such as “escalation of commitment”. Since users have freely chosen to install the widget at the cost of disclosing their personal information, psychologically speaking it is difficult for them to stop the process at that point. Therefore, most of them will invite at least 5 friends to complete the process. Even after that step, no crush of any sort is revealed and the abused user is left facing the frame shown in Figure 5 below:

A quick examination of the page source reveals that the frame is hosted on hosted.zango.com, in the affiliates section. Needless to say that clicking on “Download Now” leads to a copy of the infamous Zango adware/spyware. By downloading, the malicious widget authors get rewarded with a fistful of pennies upon each download (which, after a few million clicks, probably sums up to an impressive total).

What happened is reasonably straightforward, sadly. The tremendous success and lightning fast expansion of Facebook (which, albeit resorting to debatable strategies as noted in a previous roundup, is undeniable) empowered the social networking giant with an impressive user base. Needless to say, in a digital world where web traffic equals money, such a user base attracts spammers, virus/spyware seeders, and other ethic-less online marketers like honey would attract flies.

Research provided by Fortinet Global Security Research Team


Subscribe to the Help Net Security breaking news e-mail alerts:


Don't miss