As far as malware tricks go, this one is pretty diabolical. Over the weekend, Facebook users started receiving messages saying friends had tried to view their profile but were unable to do so. The message prompts the user to install a third party app, oddly titled “Error Check System.”
The actual text of the message reads: “[Name] has faced some errors when checking your profile View The Errors Message.”
Once installed, the app spams a Facebook users’ friends with the same message and invitation to install the app, and on and on in perpetuity for what could be an information gathering piece of malware.
But wait, it gets worse.
Concerned Facebook users wise enough to distrust application invitations even from friends and run a quick search on “Error Check System” are being double-duped. Either taking advantage of Google’s super-fast real-time Web crawling or imbued with effective SEO techniques, a high ranking result offers up a snippet warning about installing that Facebook application.
However, clicking on the result triggers a script that runs a fake virus scan, what security experts call “scareware.” The fake scan attempts to install a pair of Trojans on a victim’s computer.
“This is an important reminder to all Facebook users that they must exercise caution about which third-party applications they install on their profile,” says security firm Sophos’s Graham Cluley, “and everyone should remember that Facebook does not approve applications before they are made available on their site. You really are putting your trust in complete strangers when you add that next application to your Facebook profile.”
Openness and social networking have been touted as the future of the Web, but clearly bad actors are taking advantage of both. With reportedly 175 million users, Facebook becomes a huge target and the social network may benefit by approaching the third-party application model in the same way Apple has done with the iPhone—by having an internal examine and approve applications to protect users.
Twitter also, which has skyrocketed in popularity over the past year, has some security concerns to work out also. Spammers and scammers are taking advantage of URL shorteners to trick their “friends” into clicking on links to bad neighborhoods. They gain access to Twitter users via hacking accounts, via taking advantage of automatic follow-back scripts, and via Twitter’s own failure to verify submitted email addresses before granting new accounts.
As social networks become a huge part of a huge number of people’s lives, trust and security should be as high on the priority list as monetization.
