Attacks via social networks continued their steady march on Tuesday, as an untold number of Facebook users unwittingly found themselves caught up in a spam run that pointed friends to premium mobile entertainment Web sites.
The Facebook attack was first reported on Monday by fan site All Facebook. The attack spread via Facebook Wall posts purporting to offer gifts in exchange for users’ participation in a survey.
“I thought this survey stuff was GARBAGE but i just went on a shopping spree at [popular retailer] thanks to FB,” the spam messages read, naming leading retailers like Best Buy and Walmart, according to a post by researchers at anti-malware firm F-Secure.
The Wall posts purported to be via “mobile Web,” suggesting that a mobile phone was used to post the spam messages. Users who participated in the survey were asked to provide an e-mail address as well as other information such as a cell phone number.
The links used in the attacks pointed to what appear to be Facebook applications, with URLs that began http://apps.facebook.com/ and included applications with names like pudgyfish, purplelake, yummychips and so on. Users who clicked on the spam links would load the application, which would then automatically post the spam message to that user’s Wall and send Facebook spam messages advertising other suspect applications to all of that user’s Facebook friends. Attempts to load those links on Tuesday resulted in “Page Not Found” errors, and searches of Facebook’s stable of applications failed to turn up any record of the named applications.
The spam run appeared to leverage a previously unknown vulnerability in Facebook’s application platform that allows applications to post to a user’s Wall and hijack the Facebook messaging system without any interaction by the user. In an analysis of the links on Tuesday, F-Secure said the Facebook.com links redirected users to one of a variety of premium “entertainment” Web sites for mobile devices.
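The propagation pattern described above (a post "via mobile Web" carrying the survey lure, linking to a throwaway apps.facebook.com application, then fanning out to a user's friends) is the kind of thing a platform or account-security team would want to flag automatically. The following is an added example, not code from the article or from F-Secure or Facebook: a small scorer that runs over constructed Wall-post records and raises the posts that combine several of the indicators the article lists. The record format, field names and the sample posts are all assumptions made for the example.

```python
import re
from collections import Counter
from dataclasses import dataclass

# Constructed record shape; the real platform's post schema is not on the page.
@dataclass
class WallPost:
    poster: str        # account that published the post
    target: str        # Wall the post landed on (a friend's or the poster's own)
    via: str           # client label shown on the post, e.g. "mobile Web"
    text: str
    link: str

# Indicators taken from the article: survey/shopping-spree lure naming a big
# retailer, a link into the apps.facebook.com namespace, and the "mobile Web"
# client label.
LURE_RE = re.compile(r"survey.*(shopping spree|gift)|(shopping spree|gift).*survey", re.I)
RETAILER_RE = re.compile(r"\b(Best Buy|Walmart)\b", re.I)
APP_LINK_RE = re.compile(r"^https?://apps\.facebook\.com/[^/?#]+", re.I)

def indicator_score(post: WallPost) -> int:
    """Count how many campaign indicators a single post carries (0-4)."""
    score = 0
    if LURE_RE.search(post.text):
        score += 1
    if RETAILER_RE.search(post.text):
        score += 1
    if APP_LINK_RE.match(post.link):
        score += 1
    if post.via.strip().lower() == "mobile web":
        score += 1
    return score

def flag_campaign(posts: list[WallPost], min_score: int = 3, fanout: int = 3) -> dict:
    """Return posters whose posts look like the survey-spam campaign.

    A poster is flagged when it has published at least `fanout` high-scoring
    posts to distinct Walls, which is the automatic friend fan-out the article
    describes rather than one user sharing a link once.
    """
    hits: dict[str, set[str]] = {}
    for p in posts:
        if indicator_score(p) >= min_score:
            hits.setdefault(p.poster, set()).add(p.target)
    return {poster: len(targets) for poster, targets in hits.items() if len(targets) >= fanout}

def top_app_links(posts: list[WallPost]) -> list[tuple[str, int]]:
    """Most common apps.facebook.com application paths among flagged posts,
    useful as a takedown/blocklist queue for the app-review team."""
    apps = Counter()
    for p in posts:
        m = APP_LINK_RE.match(p.link)
        if m and indicator_score(p) >= 3:
            apps[m.group(0).lower()] += 1
    return apps.most_common()

# Constructed sample feed: one compromised account spamming four friends with
# two throwaway apps, plus benign chatter that happens to mention a retailer.
SAMPLE_POSTS = [
    WallPost("alice", "bob", "mobile Web",
             "I thought this survey stuff was GARBAGE but i just went on a shopping spree at Best Buy thanks to FB",
             "http://apps.facebook.com/pudgyfish/"),
    WallPost("alice", "carol", "mobile Web",
             "I thought this survey stuff was GARBAGE but i just went on a shopping spree at Walmart thanks to FB",
             "http://apps.facebook.com/pudgyfish/"),
    WallPost("alice", "dave", "mobile Web",
             "I thought this survey stuff was GARBAGE but i just went on a shopping spree at Best Buy thanks to FB",
             "http://apps.facebook.com/purplelake/"),
    WallPost("alice", "erin", "mobile Web",
             "I thought this survey stuff was GARBAGE but i just went on a shopping spree at Walmart thanks to FB",
             "http://apps.facebook.com/yummychips/"),
    # benign: mentions a retailer but no lure, no app link, desktop client
    WallPost("bob", "alice", "web", "Picked up a TV at Best Buy today, great deal", ""),
    # borderline: one genuine share of an app link, no fan-out
    WallPost("carol", "carol", "mobile Web", "trying out this new game", "http://apps.facebook.com/somegame/"),
]

if __name__ == "__main__":
    print(flag_campaign(SAMPLE_POSTS))   # {'alice': 4}
    print(top_app_links(SAMPLE_POSTS))
```

The fan-out threshold is what separates a victim account being used as a relay from a single user sharing a link once; in a real deployment it would be combined with the post rate per minute and with whether the posting application was actually granted the permission to write to other users' Walls.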
This isn’t the first time Facebook has been used by spammers. In October 2009, a large spam run hit Facebook users with fake password reset messages that tricked them into downloading a malicious program. In November 2009, a worm spread across the social network, altering user profiles to push links to adult Web sites. In June, the company introduced a new requirement that Facebook developers have active Facebook accounts. On Monday, microblogging site Twitter took steps to stanch a spam run on its social network that took advantage of a previously unknown cross-site scripting hole.