On Monday night I was up late surfing the Web when I noticed a problem (other than the fact that I was up late surfing the Web). It was a Facebook problem, relative to a group invitation I received. The invitation read: "Facebook MessengerTM NEW Facebook Messenger Available Now For News Facebook."
Huh. I decided to check the group. I was met with the following:
I knew immediately that something was wrong. It was clearly not a Facebook-endorsed application or download site and was also obviously not created as part of the Facebook Developer Network. How did I know this? Well, the URL to the download site and lots of weird characters, namely. There was a bevy of different languages strewn throughout the page. And there was this message:
"Note: You have to Invite your all Friends and tell Them to Download it so you can chat with your friends on FB Messenger and Its Truste Download so Dont Worry about the program." (sic)
Out of curiosity I went to the download site to see what was there (Not recommended -- never click on suspicious links. Do as I say, not as I do) and was met with a really ugly download site for a really ugly toolbar.
It made me raise my eyebrow for sure. I wasn't certain if there was anything malicious about it, and I'm certainly not qualified to know for sure, so I asked my buddy Damon Cortesi of Alchemy Security to take a look. Interestingly enough, he said the software behind the toolbar (Conduit -- which provides a white label solution others can use) is TrustE certified.
"This is actually another discussion entirely regarding the inherent lack of trust that such sites actually provide. It's somewhat depressing," he said.
Cortesi didn't find anything especially malicious -- and the toolbar itself did appear to be safe and legitimate -- but he did find some questionable links. A bevy of "free SMS" sites included -- so perhaps this is a model for adware if not malware? Or potential click fraud?
"In this day of the ad-supported Internet, page views can be more valuable and cost-effective than malware that will only infect 1 percent of potential victims," Cortesi said. "It's really odd. Some sites are completely legit while others are just derivatives of the shady-ness."
Does it really matter if nothing bad was found? It just as easily could have been malicious. This is a group developed on Facebook, claiming to be an official Facebook tool, linking off of the site to a questionable downloadable application. You say, "Well, will Facebook delete it?" They did, but only after I alerted them to the issue on Monday night. And not before the group had more than 1 million users. And it didn't appear, according to Cortesi, that installing the application forced people to join the group. It appeared that people willingly joined this suspect group.
No, really. See below:
When I asked Facebook for comment about the group's removal I received the following response from Simon Axten:
"Our user operations team investigated this group and removed it as well as another similar one. Facebook's policy is to remove intentionally deceptive groups when they're reported to us," he said.
Record scratch. "Reported to us." This is dangerous. More than 1 million of Facebook's users could've been in danger of downloading malware or landing on some sort of phishing scam. The onus is somewhat on Facebook to take more proactive measures when it comes to monitoring these groups and posted links (or maybe incorporating some "you are leaving Facebook" warning system as they do with email messages). Unfortunately, at this point in time there is little else Facebook can do.
"Not unless they have a bank of virtual hosts in place that scrape all of their links, automatically browse them and check for malware infections," Cortesi said. "While measures to prevent malware are in place on Google and within popular browsers such as Internet Explorer and Firefox, validating every link in the world's largest social network is a challenge that does not currently justify the investment. Such is the challenge of any organization balancing the inherent risk of doing business on the Internet with the overwhelming rewards."
While Facebook figures this no-win situation out, users need to start paying more attention to the types of groups they join and the third-party downloads they install on their machines.
"This issue once again highlights the inherent trust that users have in social networks and those users' need to be 'cool' outweighing common sense," said Bill Pennington, senior vice president of services, WhiteHat Security. "Mix that blind trust with people who want to do bad things and you've got a volatile cocktail of mob mentality and Russian hackers."