Update: Lysa Myers, of West Coast Labs, has confirmed that she knows of a number of people who’ve used the application and didn’t see anything fishy happening. It did offer to send emails outside Facebook but didn’t insist on it, so it’s hard to see where the messages from unapproved contacts are coming from. I’ll follow up here if I find out any more. The application is not currently available.
Facebook is an interesting place to be, nowadays, for a security person at any rate. Of course, there’s the constant issue of how much personal information you should let Facebook have: will it look after your sensitive data properly? (The answer seems to be "not always": there’ve been a number of reports of data that should have been kept private being publicly accessible.)
But then, quite a few people are volunteering information about their personal lives and movements that offers a goldmine of information, not only to identity thieves but to more traditional thieves of the burglarious persuasion.
Then there are all those games, quizzes and other inconsequential apps that all seem to want to mail something out to all your friends. (In principle, I’m not sure I see much difference between these and Koobface, at least in spamminess.) Which brings us to a thing called Fan Check.
Quite a few people are talking about Fan Check at the moment, but mostly in the context of the "Facebook Fan Check Virus" hoax: briefly, the bad guys are using SEO poisoning to ensure that if you look for search terms like "Facebook Fan Check Virus" in a search engine, some of the top-ranking hits you get will be to sites that will try to trick you into downloading a rogue anti-malware application.
It works in much the same way as the Labor Day scams we mentioned a few days ago: the bad guys are very fond of using topical issues. And, of course, fabricating them: I’ve been seeing reports of malware and rogue anti-malware masquerading as sex videos or nude photographs of female celebrities in the past day or two: of course, this is a frequent social engineering ploy.
While Graham Cluley has blogged in some detail on the hoax/scam, neither he nor anyone else has been very specific on what exactly the Fan Check application does, and neither can I: I’ve been unable to access it. I’ve come across some friends who’ve been tagged by it, and it may be that all it’s done up to now has been to tag people in a subscriber’s contact lists and offer a "subscribe here and watch this space" message. However, I’ve seen reports that suggest that it may allow people to send messages to people they aren’t already friends with, which is pretty worrying. I’m trying to find out more, but in the meantime, you might just want to avoid Fan Check altogether and be very cautious about following search engine links on any topical issue.
If anyone reading this has received messages (apart from friend requests) from people they haven’t approved as friends, please contact me (firstname.lastname@example.org): I’d like to know exactly what sort of content is being sent.
David Harley BA CISSP FBCS CITP
Director of Malware Intelligence
ESET Threatblog (TinyURL with preview enabled): http://preview.tinyurl.com/esetblog
ESET Threatblog notifications on Twitter: http://twitter.com/esetresearch
ESET White Papers Page: http://www.eset.com/download/whitepapers.php
Securing Our eCity community initiative: http://www.securingourecity.org/
Author David Harley, ESET