We managed to get our hands on the malicious Facebook application that we blogged about twice in the past few weeks. In the video below we're going to dive into it and see what's going on with this app:
For those of you who can't spare the time to watch the video, here is a brief summary of how it works.
- The first part of the code contains Facebook-specific information such as API key, secret key etc.
- It starts off by checking whether the app has permission to post on the user's wall. If it doesn't, it prompts the user to grant that permission through the Facebook APIs.
- It then enumerates the user's friend list, picks a fixed number of friends at random (the count is hardcoded to 10 in this sample) and posts a message to the walls of those 10 friends.
- A message is then displayed asking the user to click "Continue" to watch the video.
- Yet another page is displayed that loads a thumbnail of a video and overlays the image with a prompt saying that the "FLV Player" needs updating.
- When the user clicks on "Continue", it loads the file videoplayer.php, which does a simple redirect to http://www.flvpro.com/downloadfile.php?aff=3447_movies, where 3447_movies is the affiliate ID of the group/person behind the malicious app.
So far we have identified over 100 apps on Facebook that all work the same way; the only difference between them is the API key and secret key each one uses. Beyond the identical behaviour, they also share the same Google Analytics UA ID for tracking visitor statistics.
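The clustering described above, as an added example that is not code from the original post: each app has a unique API key, so grouping on that finds nothing, but grouping on the indicators the campaign reuses (the analytics UA ID, the redirect host and the affiliate ID) pulls the related apps together. The app names, API keys and UA IDs below are constructed; only the redirect URL comes from the post.

```python
from collections import defaultdict
from urllib.parse import urlparse, parse_qs

# Constructed sample inventory modelled on the post: every app carries
# its own API key, but the campaign reuses one Google Analytics UA ID
# and one affiliate redirect. Names, keys and UA IDs are made up; the
# flvpro.com redirect is the one quoted in the post.
SAMPLE_APPS = [
    {"name": "WatchVideo1", "api_key": "a1f3", "ga_ua": "UA-00000001-1",
     "redirect": "http://www.flvpro.com/downloadfile.php?aff=3447_movies"},
    {"name": "FunnyClip", "api_key": "b7c2", "ga_ua": "UA-00000001-1",
     "redirect": "http://www.flvpro.com/downloadfile.php?aff=3447_movies"},
    {"name": "ShockingVid", "api_key": "c9d4", "ga_ua": "UA-00000001-1",
     "redirect": "http://www.flvpro.com/downloadfile.php?aff=3447_movies"},
    # An unrelated app with its own analytics ID and no affiliate link.
    {"name": "Quiz", "api_key": "d0e5", "ga_ua": "UA-00000099-1",
     "redirect": "http://example.com/quiz"},
]


def affiliate_id(url):
    """Return the 'aff' query parameter of a redirect target, or None."""
    qs = parse_qs(urlparse(url).query)
    return qs.get("aff", [None])[0]


def campaign_key(app):
    """Indicators that stay constant across one campaign's apps."""
    host = urlparse(app["redirect"]).netloc
    return (app["ga_ua"], host, affiliate_id(app["redirect"]))


def cluster_apps(apps, min_size=2):
    """Group apps by shared campaign indicators; keep clusters of min_size or more."""
    groups = defaultdict(list)
    for app in apps:
        groups[campaign_key(app)].append(app["name"])
    return {k: sorted(v) for k, v in groups.items() if len(v) >= min_size}


if __name__ == "__main__":
    for key, names in cluster_apps(SAMPLE_APPS).items():
        print(key, names)
```

Grouping on the API key would yield one singleton per app, which is exactly why the shared UA ID and affiliate link are the useful pivots here.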
Overall the app is very simple and relies entirely on social engineering. The numbers from the two attacks we've seen so far show that, despite its slow propagation method (only posting to 10 friends per victim), this type of attack unfortunately works very well.