Privacy Digest

News that can impact your privacy.

Secret Crush Facebook App Installing Adware, Security Firm Charges

Submitted by MacRonin on January 5, 2008 - 2:47pm
  • Advertising
  • Alert
  • Companies
  • Data Mining
  • Databases
  • Exploits
  • Hmmm
  • Privacy
  • Rights
  • Scams
  • Security
  • Software
  • Spin Zone
  • Tracking

Secret Crush Facebook App Installing Adware, Security Firm Charges - Via Threat Level:

An internet security vendor is warning that a Facebook application that promises to tell you if any of your online friends harbor secret lust for you actually just wants you to install adware and help spread its infection, though the company that makes the adware says it can't duplicate the result.

According to an advisory from security software vendor Fortinet, the "Secret Crush" application prompts users to install ad-serving software from Zango, a company that was fined $3 million in 2006 by the feds for letting third parties install its adware without user consent.

The Secret Crush application, created by an Australia and U.S.-based firm called Mobile Messenger that also runs the My Luv Crush site, shows up as a request in a user's Facebook account from a friend. The message implies that one of your friends has a secret crush on you.

Once you add the application to your profile, the application's terms and services say the company will charge $1.25 a day to send SMS horoscope messages to a Facebook user's cellphone if it is provided. Users complained more than a month ago about the service, but did not mention the installation of adware.

Fortinet researchers did not encounter the cell phone question. Instead, they describe "Secret Crush" as a "malicious Facebook Widget (officially, a "Platform Application") actively spreading on the social networking site which ultimately prompts users to install the infamous "Zango" adware/spyware."

Some four percent of Facebook users have downloaded the application, likely meaning nearly 1 million people may have added the application in recent weeks. 

But Zango spokesman Steve Stratz says its investigation so far has not been able to reproduce the Zango download in Secret Crush and has not detected any abnormal increases in installations of its software.

Zango's software displays pop-up ads in exchange for letting users access the company's proprietary content such as Flash games and videos.

Stratz also contends that the download pictured in Fortinet's warning would not install their software without a full consent notice since the download is coming from its default installer url.

"This installer contains a complete and conspicuously disclosed plain-language notice and consent process that, if available to consumers, would provide full notice and disclosure relating to Zango software," Stratz said.

Derek Manky, security research engineer at Fortinet, describes the download file as "greyware" since some customers may actually want the software, though most do not.

Manky points out, however, that the link to Zango's software came through a sly iframe, an HTML element often abused by online scammers to attempt to install truly malicious code on people's computers without their consent or knowledge.

Like other researchers, Manky thinks such attacks will become more and more common on social networking sites, as users get accustomed to installing add-ons to their profiles and trust that sites like Facebook are safer than the larger internet.

"There are a lot of new users on social network sites who are running unpatched systems and we are starting to see those in the cyber crime territory are moving away from spam to sites like this," Manky said. "People are a lot more trusting with social networking sites. This is not going to be the last of these we see."

Mobile Messenger lists no contact information beyond a customer opt-out hotline, where THREAT LEVEL left a message with a very cordial human operator.

See Also:

  • Fraudsters Target Facebook With Phishing Scam
  • Facebook Private Profiles Not As Private As You Think They Are ...
  • Sanctioned Adware Firm Still Rogue, Critics Say: Updated
  • In Message to Industry, Government Fines Adware Purveyor $3 million
  • RSA Conference Computers So Faux Secured

Screenshot courtesy Fortinet

(Read Original Article - Via Threat Level.)


Luv Crush Ads running on Facebook

Submitted by killianshock on January 7, 2008 - 12:56pm.

Is this the same as those Luv Crush ads I see running on facebook where they try to get you to tell them your mobile number? I heard that they then put all kinds of fees on your phone without your knowledge....Illegal Scams scams scams!


Compilation © Copyright 1997-2010 Paul Hardwick, with Web Hosting provided by MacRonin.com.