17Apr '11

Facebook Viruses and Social Engineering

The other day, a friend of mine on Facebook reposted a message like this:

“Watch out for four awful new facebook viruses!!! These will DELETE EVERYTHING ON YOUR COMPUTER! 1. If you see a XYZ, then DO NOT OPEN IT!…2. If you get a message saying…. Warn all your friends!”

…and so it went on.  This is a straightforward hoax as described on this page at hoax-slayer.com.  There’s no way that a Facebook app can directly affect your computer in any of the ways that the warning lists.  There are plenty of viruses out there, and your computer needs protection from them, but they won’t come directly from Facebook.  For whatever bizarre reason, someone created the warning and circulated it, so in a sense the hoax warning *is* the virus.  There’s a long history of these, discussed on this wikipedia page.

But today my wife called me over to see a Facebook app that was asking her to do something a bit strange – a “5 second security check to confirm you’re a Facebook user”.  It wanted her to drag a “unique ID” – {3823-9893 3837-2837-0090} – to the address bar and press F6.

Turns out this is a clever but nasty way of getting you to run some malicious code which will spam your facebook friends with a message.  I’ll talk about how that works in a moment, but first look at this picture which shows the warning signs that immediately alerted me that this wasn’t an “Official Facebook App”:

Facebookvirus
The incorrect font on “FACEBOOK SECURITY” was the first thing that I noticed, and then the fuzziness on the text beneath (if this was made by Facebook it would be absolutely perfect).  The repeated stresses on “genuine” and “official” also marked it out as anything-but.

 

OK, so having established that the app is malicious, how does it work? On the face of it, dragging the number to the address bar can’t do anything at all… can it? In this case, the number itself doesn’t do anything… but it’s a special type of link called a Bookmarklet, which runs Javascript code in your browser.  They’re really useful and don’t have to be evil – but this one is.  It downloads a bigger script from another site – http://aagps3hh.facebook.joyent.us/s_9/a.js for those interested (don’t run it!) which from a brief look sends spam to a bunch of your facebook contacts.  The script is well commented though so it’s obviously written by a malware author with a concern for maintainability!

 

SO what’s the moral of the story?

 

  • Facebook “Viruses” don’t exist, but if an app can persuade you to do something strange, it could do something bad.
  • Don’t forward warning emails to all your friends, or requests to collect crisp packets, boycott Proctor and Gamble because they worship the devil or beware LSD in kids’ stickers . Instead, check sites like Hoax Slayer or Snopes first – or even just google for the exact text in the message.
  • If a web page or application claims to be official or genuine, but the fonts / colours / attention to detail doesn’t match the standard you’d expect from the company / bank / facebook / whatever, think twice
  • Never, ever do weird stuff involving dragging links to your browser bar.

I’m always happy to give advice if you’re unsure!

 

 

One comment

  1. thanks soooo much i nearly did it :s

Leave a Reply

Your email address will not be published. Required fields are marked *

*