February 7, 2011

Viral and Malicious Facebook application for $25

Elad Sharf Security Researcher

Over the last weekend, a viral rogue app campaign hit Facebook again. This time the application was called "Profile Creeps" which, like many other rogue applications before it, promises to do what Facebook simply doesn't allow *ANY* app to do: let us know who looks at our profile. Users are still tricked into installing apps that promise to do just this. And just like most others, the latest one leads to a survey that in the end generates money for the people behind the app.


Viral Facebook Application Toolkits

Spam campaigns such as this one appear on an almost daily or weekly basis. You might ask yourself: is everybody now becoming a Facebook developer and trying to make tons of cash unleashing those annoying surveys? In essence, the answer is both "yes" and "no". No, not everybody is a Facebook developer; yes, it's very easy to become one, or to pretend to be one. You don't have to be a developer: a mere $25 can buy you a Facebook viral application toolkit and let you unleash all the unwanted content you want onto Facebook.

As an example, let's look at a very similar fraudulent application that "can" allow Facebook users to know who "creeps" at their profile, called "Facebook Profile Creeper Tracker Pro". The application asks for some permissions, shows an online survey/advertisements and tells the user at the end of the process that he/she is the one that looks at his/her own profile the most. In other words, this application should be revoked according to the terms and conditions of Facebook.


The process behind "Facebook Profile Creeper Tracker Pro" and similar fraudulent applications:

This application was built with a pre-defined toolkit called "Tinie app", which is a Facebook viral application template available in some variations for only $25 or even less. The next image is one of the template images in the toolkit that aims to give some directions to the buyer, besides the full-blown step-by-step guide that comes with the kit itself:


The buyer doesn't need any development experience with Facebook; he/she just needs to follow the accompanying instructions, and a working viral Facebook application is at their disposal. One of the sellers of the application describes its purpose pretty well:


If you're wondering what CPA lead is, CPA is the abbreviation of Cost Per Action. It's a program that any Web content publisher can join that allows them to install a survey on their site in order to make money. The cut with those programs is around $0.20-$2.00 and could be more or less.

This phenomenon of template Facebook applications like Tinie app shows how the spamming culture is consolidating more and more around Facebook, adapting to the platform and increasing what we call Web spam. 

To protect yourself from malicious URL links and spam posts being made to your Facebook wall, try our free Defensio Facebook app. You can download it from Defensio.com.
