Facebook's "Secret Crush" malicious widget tricks users

Facebook users faked into downloading adware, security firm says

Facebook "Secret Crush" malicious widget tricks users into downloading adware, according to Fortinet.

A "widget" application used on the Facebook social network site promises to tell you who has a secret crush on you, but instead tries to trick you  into downloading spyware.

That's according to security firm Fortinet, which says it discovered the sneaky Secret Crush malicious code in the last few days, which appears so far to have infected about three million Facebook users.

"Nobody knows who designed this, but this 'Secret Crush' malicious-code widget tells you someone has a 'Secret Crush' on you, and if you want to find out who it is, you first have to invite five friends to use it by using the Facebook invitation process," says Guillaume Lovet, Fortinet's manager for its threat-response team in Europe.            

But the malicious widget, which gets sent to your five selected Facebook friends, never tells you about a secret crush at all.

Instead, Lovet says, the application displays a small iFrame with a download link that will try to infect the user's computer with the Zango spyware software to serve up ads.

"This is the first time we've seen something exactly like this on Facebook, and this 'Secret Crush' malicious widget is a scam because it's deceptive and dishonest," Lovet says. "This is spreading via social engineering." 

Fortinet has reported its findings to Facebook, which has about 50 million users.

Learn more about this topic

Five favorite Facebook widgets for business users

11/14/07

Fortinet's description of "Secret Crush" malicious widget on Facebook

Screen shot displaying the invitation to the "Secret Crush" malicious widget scam

           
Join the Network World communities on Facebook and LinkedIn to comment on topics that are top of mind.
Now read: Getting grounded in IoT