By Scott M. Fulton, III, Betanews
In the Internet equivalent of the old "whack-a-mole" game, Trend Micro researcher Rik Ferguson -- who helped call attention to the Conficker worm early on -- has this week been calling attention to rogue Facebook applications whose main purpose appears to be to collect users' passwords. Using the usual attention-grabbing headings to grab users (repeating the word "sex" is apparently still effective), these apps redirect users to what looks like a legitimate login page, making users believe they need to log into Facebook again.
The innocuous names lead users to think they point to real Facebook functions like "inbox," rather than third-party apps. When a user clicks on one of them thinking he's using a part of Facebook, the malicious app takes the user to a Facebook login screen, while in the meantime collecting the user's password.
Ferguson first noticed the problem on Monday, with two innocuous seeming apps simply called "Posts" and "Streaming," installed by means of a notification labeled, "sex sex sex and more sex." The trick, he believes, is accomplished by redirecting users to a page hosted by the domain "fucabook.com," which his research has uncovered is being hosted within Amazon's EC2 cloud. That URL might appear in the user's browser window while it's running the built-in JavaScript, but the slight differences in spelling might not stay in the address bar long enough to be noticed. That's because the refresh attribute in the malicious page's <META> element is having the browser refresh itself almost immediately, pulling up the real Facebook login page.
By that time, however, the JavaScript is already running in the background, effectively collecting the password information from the real login page, rather than having to produce a look-alike page.
Yesterday, Ferguson reported that Facebook removed the first five rogue applications he had discovered, only to have six more turn up in their stead. While all this is going on, over the last month, Facebook has been incrementally adding new accessibility features to its Open Stream API, with the purpose of making it easier for developers to publish information into users' streams, and gain direct access to discussion threads and Facebook e-mails.
Copyright Betanews, Inc. 2009