Another Facebook Scam: “Secret Crush”

This one with malicious “adware.”

One of the things about Facebook that has most concerned me is the proliferation of “apps” or “widgets,” those sometimes fun, sometimes annoying add-ons like “Scrabblicious,” “Six degrees,” and “Superlatives.”

Specifically, it bothers me that these apps ask you to hand over your entire profile and all its goodies in order for you to run them. Most people just blow through the installation process, blindly saying “yes” to everything in order to get to the app, not noticing that they are agreeing to let the app have unlimited access to all of the information they have ever put into Facebook, and essentially authorizing the app’s creators to do anything they want with that information.

Yesterday it was revealed that running the “Secret Crush” app (and at least a million people have already done so) installs an “adware” widget on your computer. The adware widget tracks your Web browsing (not just your Facebook activity) and launches annoying pop-up windows.

Here’s the story from Wired.

Here are a few excerpts from the Wired story:

According to an advisory from security software vendor Fortinet, the “Secret Crush” application prompts users to install ad-serving software from Zango, a company that was fined $3 million in 2006 by the feds for letting third parties install its adware without user consent.

…the link to Zango’s software came through a sly iframe, an HTML code often abused by online scammers to attempt to install truly malicious code on people’s computers without their consent or knowledge.

Manky thinks such attacks will become more and more common on social networking sites, as users get accustomed to installing add-ons to their profiles and trust that sites like Facebook are safer than the larger internet.

This is exactly the kind of abuse of (badly-placed) trust that I’ve been complaining about when it comes to Facebook. More information about the Zango adware attack is available here, at ZDNet, in a blog article revealingly titled “The next hacker frontier: Social networking sites.”

To be fair, this is not an attack by Facebook, it is an attack by a company using Facebook as a vehicle. But the fact remains that Facebook was designed (by Facebook) expressly for this kind of thing.

What do I mean by that? I mean that Facebook was designed from the ground up to break down people’s fears and concerns. Instead of encouraging good privacy and online safety practices, it is designed to exploit the (false) sense of security people feel when they are surrounded by friends, and to encourage them to act recklessly. It is social engineering in which a facade of “fun” masks the real purpose, which is to monetize your every thought and move.