Facebook widget leads to adware install
By Dan Kaplan on Jan 7, 2008 2:20PM
Researchers at Fortinet have discovered what they believe to be the first malicious widget to appear on the popular social networking website Facebook.
Guillaume Lovet, manager of the threat response team inside Fortinet's Europe, Middle East and Asia headquarters, said that the threat arrives as an invitation to learn who a member's "secret crush" is, but instead tries to seed the victim's computer with adware.
To find out who their flame is, users must download a widget, he said. Then, they must invite five other friends to install the same widget as part of a "manipulation strategy," Lovet said.
"It's what we call a social worm," he said. "Unlike traditional worms, it doesn't spread by using network APIs (application programming interfaces) or computer code. It spreads by manipulating human users."
After inviting the friends, users wind up on a page with an embedded IFRAME, which contains a link that must be clicked on to complete the process of learning who the secret crush is.
Instead, Lovet said, users' machines are hit with adware which appears to be from much-maligned media company Zango, which last year agreed to pay the Federal Trade Commission (FTC) US$3 million for "unfairly and deceptively" downloading adware onto people's machines.
Lovet said some three percent of Facebook's 60-million-member user base has installed the widget, which may be the first malicious application to appear on the site. A Facebook spokeswoman declined to comment.
Steve Stratz, a Zango spokesman, said the company denies any involvement. Upon learning of the alleged risk, the company downloaded the "Secret Crush" application but was unable to find any connection to Zango, he said.
"In addition, our general security monitoring of the Zango network has shown no abnormal increase in installations -- something we would likely have seen based on today's reported usage numbers of the Secret Crush application," he said.
If users did install Zango software, they would be greeted with a full disclosure notice, he said.
"A direct one-to-one relationship with web publishers is key to our distribution model," Stratz said. "Marketing or distributing Zango software via social networks is a violation of our terms and conditions."
The FTC had accused Zango of offering customers free web content, such as screensavers, games and peer-to-peer file-sharing software, without telling them it also contained adware. The adware, provided by third-party affiliates who make money for each successful install, allegedly monitored the consumers' browsing habits in order to display targeted pop-up ads, the FTC said.
Zango apologised to its customers, saying it relied too heavily on the third-party providers to enforce customer consent policies. The company said it would implement new standards required by the FTC.
But in July, spyware researcher Benjamin Edelman published a report saying Zango continues to install pop-up ads without proper disclosure to consumers. Zango, in another blog post, refuted the claims, saying the company "remains in compliance with the consent agreement it reached with the FTC."