Network World

Facebook's "Secret Crush" malicious widget tricks users

Facebook users faked into downloading adware, security firm says
By Ellen Messmer, Network World, 01/03/2008

A "widget" application used on the Facebook social network site promises to tell you who has a secret crush on you, but instead tries to trick you into downloading spyware.

That's according to security firm Fortinet, which says it discovered the sneaky Secret Crush malicious code in the last few days and that it appears so far to have infected about three million Facebook users.

"Nobody knows who designed this, but this 'Secret Crush' malicious-code widget tells you someone has a 'Secret Crush' on you, and if you want to find out who it is, you first have to invite five friends to use it by using the Facebook invitation process," says Guillaume Lovet, Fortinet's manager for its threat-response team in Europe.

But the malicious widget, which gets sent to your five selected Facebook friends, never tells you about a secret crush at all.

Instead, Lovet says, the application displays a small iFrame with a download link that will try to infect the user's computer with the Zango spyware software to serve up ads.

"This is the first time we've seen something exactly like this on Facebook, and this 'Secret Crush' malicious widget is a scam because it's deceptive and dishonest," Lovet says. "This is spreading via social engineering." 

Fortinet has reported its findings to Facebook, which has about 50 million users.


Comments (8)

RE: Facebook's
By Jonathan Kleiman on January 4, 2008, 4:27 am
They got the tip from here: www.allfacebook.com/2008/01/when-is-a-facebook-really-a-myspace/


By Anonymous on January 4, 2008, 11:38 am
Nah, the post on allfacebook.com is dated Jan 3rd, while Fortinet's advisory is dated Jan 2nd.


sheesh
By thicks on January 4, 2008, 12:51 pm
It's sad to believe that there are three million people still out there who will install anything that sounds cool. Be careful, people!


By LeeD on January 4, 2008, 1:19 pm
My question is how socially desperate does one have to be to fall for the "find your secret crush" schtick? http://businessopinions.blogspot.com/2008/01/newsflash-not-every-facebook-app-is.html


Facebook Widget
By Karen on January 8, 2008, 8:05 am
Unfortunately, it doesn't take much to entice a 17-year-old boy. My son got sucked into this trick and it brought in an awful lot of ugly stuff. It took an outside...


By Anonymous on January 8, 2008, 11:13 am
It's interesting to note they (social hackers) chose Facebook for this exploit rather than Myspace. What does this say about Facebook users?
