I'm already deeply suspicious of facebook apps. Many of them seem to
be little more than chain letters ("send this to all of your friends") and
many of the "send a drink/snack/smile/ETC" seem to encourage
content-free communication. Also, I'm bombarded by "send a drink,
ETC" requests from friends who I know have something better to do. My
suggestion - sign your messages with a catch-phrase and tell your
friends to ignore anything that doesn't have the catch-phrase.
Facebook disables rogue data-stealing, spamming apps
Summary
Security firm Trend Micro warned on Wednesday that a handful of rogue Facebook apps are stealing login credentials and spamming victims' friends.
Topics
Update: Facebook on Thursday said it has disabled a group of rogue apps that were stealing Facebook user log-in credentials and spamming people.
"We have disabled all of the apps in question that violated Facebook Platform policies," a company representative said in an e-mail.
The apps were discovered earlier this week by Trend Micro researcher Rik Ferguson, who detailed the problems in a blog post.
Here's the original story:
Security firm Trend Micro warned on Wednesday that a handful of rogue Facebook apps are stealing login credentials and spamming victims' friends.
So far, six malicious applications have been identified: "Stream", "Posts", "Your Photos", "Birthday Invitations", "Inbox (1)," "Inbox (2)" according to a blog post by Trend Micro researcher Rik Ferguson.
As of Wednesday afternoon, all of the apps were live except for "Stream", he said in an e-mail.
The activity started earlier in the week with a Facebook notification Ferguson says he got from an app called "sex sex sex and more sex!!!", which has more than 287,000 fans. The notification said that someone had commented on one of his posts. That app doesn't appear to be malicious and may have been compromised somehow to begin the distribution of the spam, he said.
That first notification included hyperlinks that led to a phishing site on the "fucabook.com" domain, allegedly registered to someone in Armenia, he said. Once Ferguson gave up his credentials (for a Facebook account he uses for research purposes) he was directed to Facebook and to an application install screen for the app called "Posts".
He installed that app and immediately his friends were spammed with a bogus notification "Profile_name has sent you a message", with the hyperlink to the phishing site.
On Tuesday, the first couple of apps were sending notifications that hyperlinked to the fucabook phishing site but by Wednesday the destination had changed to a simple IP address rather than a domain name, he said. A JavaScript that pulls up Facebook bounces the browser around among any of the six rogue apps to get them widely installed and the cycle continues, he said.
All the apps look and act exactly the same and include ads.
"I am keeping Facebook informed of these developments as they arise and they are working hard to rectify the situation," Ferguson wrote on his blog.
A Facebook spokeswoman said the company was looking into the matter and would provide more comment later.
Ferguson recommends that Internet users always check the URL displayed in the browser address bar before entering any sensitive information on a site and hover the mouse over a hyperlink to see the URL. Facebook users should also review their privacy settings regularly and delete any applications they no longer use, he said.
This screenshot shows evidence of the phishing scam on Facebook.
Credit: Trend Micro
This article was originally posted on CNET News.
Just In
Everybody should deactivate their Facebook account (you can't actually delete it) until Facebook cleans up it's act. My account was hacked and a scammer was sending my friends bogus messages indicating that I was stuck out of town and needed money to be wired. I immediately 'deactivated' my account and have advised all of my other contacts on Facebook to do the same.
You really don't expect Harvard grads to have your best interests at heart - do you ?
You really don't expect Harvard grads to have your best interests at heart - do you ?
We got attacked last week. A friend sent a link with the title "Cool". It dropped a trojan horse on all our facebook friends. I had to have my laptop reimaged 
Major down time
Major down time 
FB how can we steal from you & upset you, our speed is cr*p our apps are rogue why do we even carry on - because we can & the money os quick & easy
its about time this FB showed its true colors....a trojan/virus breeder. Web based storage and site providers like FB need to clamp down on the security of the files being transmitted to storage and viewing. it is irresponsible on their part (since technically, they store it, they own it) for not scanning for such things. Allowing applications to freely roam about is an web based operation offense to shut them down and stop this ramped trojan/virus breeding location.
I think for the most part people shouldn't go
to outside links from facebook unless you know
what it is and if something says your facebook
friend has sent, make sure they really sent it.
It has happened to me a link that some has sent
me supposedly from a facebook friend and then
people spamming my walls and then you the user
gets disabled by facebook, when facebook should
be investigating when something like that to
see if you are the victim of phishing and I
agree that they need to crack down on this
activity and also, becareful to not disable
somebody, because they may be a victim and not
make you look bad, because this has happened to
you.
to outside links from facebook unless you know
what it is and if something says your facebook
friend has sent, make sure they really sent it.
It has happened to me a link that some has sent
me supposedly from a facebook friend and then
people spamming my walls and then you the user
gets disabled by facebook, when facebook should
be investigating when something like that to
see if you are the victim of phishing and I
agree that they need to crack down on this
activity and also, becareful to not disable
somebody, because they may be a victim and not
make you look bad, because this has happened to
you.
Either Facebook, or trusted people acting as a proxy, tests things & validates what's going on.
For things which haven't been tested, they are labeled as such: use at your own risk.
The number of "approved apps" will be very small, particularly at the beginning, but: would you feel better about using a small (but growing) number of apps vs. not knowing anything about all of the apps?
For things which haven't been tested, they are labeled as such: use at your own risk.
The number of "approved apps" will be very small, particularly at the beginning, but: would you feel better about using a small (but growing) number of apps vs. not knowing anything about all of the apps?
... than installing "regular" (any) apps?
Granted, the operating system you use will likely make a difference, but I don't understand how people automagically [sic] believe they are safe?
(See another comment later about getting approval for Facebook apps)
Granted, the operating system you use will likely make a difference, but I don't understand how people automagically [sic] believe they are safe?
(See another comment later about getting approval for Facebook apps)
"..hover the mouse over a hyperlink to see the URL."
doesn't work on facebook's links as everything is scripted into bottons created with flash, and the like and nothing is displayed when you do this. Also the link in the address bar doesn't always change when you click on things. In order to change this they'll need to strip the FB site down and get it back into basic HTML, and java script.. .while i do realize it's nice looking design is what seems to be giving it's popularity, but; it'll ALWAYS be a security hazard as it is.
between that and it takes forever to load the facebook site. probably because they have the site's domain and server in two different places. ever notice that when you login and the status bar tells you connecting to ak.static.fbcdn.net, and b.static.ak.fbcdn.net waiting for reply instead of just facebook.com? Those are two reason's i rarely ever log into facebook. i've always been a bit suspicious of that, since the place the data comes from doesn't match the domain in the address bar.
doesn't work on facebook's links as everything is scripted into bottons created with flash, and the like and nothing is displayed when you do this. Also the link in the address bar doesn't always change when you click on things. In order to change this they'll need to strip the FB site down and get it back into basic HTML, and java script.. .while i do realize it's nice looking design is what seems to be giving it's popularity, but; it'll ALWAYS be a security hazard as it is.
between that and it takes forever to load the facebook site. probably because they have the site's domain and server in two different places. ever notice that when you login and the status bar tells you connecting to ak.static.fbcdn.net, and b.static.ak.fbcdn.net waiting for reply instead of just facebook.com? Those are two reason's i rarely ever log into facebook. i've always been a bit suspicious of that, since the place the data comes from doesn't match the domain in the address bar.
I'm glad I'm not on facebook....not that I would be dumb enough to fall for the fake apps in the first place...but it's sad that more security precautions are not in place from the beginning.
But that's all you hear about nowadays....the raging popularity of MySpace got all the media attention, then it became a haven for predators and viruses, spam, etc....now the same thing with facebook, and Twitter has recently came under fire for the same garbage..
Good riddance I say to all these kind of sites, I don't use them, and even the people I know that do use them will complain about all the stupid spam they get from Mafia Wars, LOL!
If I need or want to let people know what's happening in my life I will give them a call....no need to let the whole internet know everything.
But that's all you hear about nowadays....the raging popularity of MySpace got all the media attention, then it became a haven for predators and viruses, spam, etc....now the same thing with facebook, and Twitter has recently came under fire for the same garbage..
Good riddance I say to all these kind of sites, I don't use them, and even the people I know that do use them will complain about all the stupid spam they get from Mafia Wars, LOL!
If I need or want to let people know what's happening in my life I will give them a call....no need to let the whole internet know everything.
...do you comment on internet articles then?
Social networking sites will continue to grow and evolve. Security concerns will be eventually addressed but security threats will always be there and users have to be careful and prudent in using social networkiung sites and other sites on the internet. The role of Internet is there to stay and in growing economies service delivery will not be possible without using such efficient &effective means.
I myself try to be fairly careful with sites like Facebook. I in fact do not like visiting the facebook home page unless I manually type in HTTPS://www.facebook.com myself and I then verify the certificate details before entering my password information into the web page.
For that matter, it would make me feel much better if ZDNet had encrypted or https: log in pages for their accounts. I would never have created my Face Book account if they did not have a secure way of logging in, as there is too much personal information that Face Book requests in a registration process. Although it is not widely known that it exists, one can use the https: protocol to access the facebook log in page.
For that matter, it would make me feel much better if ZDNet had encrypted or https: log in pages for their accounts. I would never have created my Face Book account if they did not have a secure way of logging in, as there is too much personal information that Face Book requests in a registration process. Although it is not widely known that it exists, one can use the https: protocol to access the facebook log in page.
Facebook is (was) in litigation in canada over cancelled accounts & undeleted personal data. $$$ speak louder than words...
IMHO, it's up to facebook to assure the security of these apps and to ME not t0 use every app that my "fb friends" send me
cheers
paul_saute
Maybe if people got a life, they wouldn't have to go through this shi*
I think sites like this are better for spreading viruses and malware than they are for spreading friendship.I've had to reinstall my daughter's operating system twice...once because of a myspace virus and once because of a facebook virus.she no longer uses either.
Join the conversation!
The best of ZDNet, delivered
ZDNet Newsletters
Get the best of ZDNet delivered straight to your inbox
Vendor Showcase
Facebook Activity
