Hi folks,
All the social networking sites have issues with calling out to exploit pages. Usually what happens is that someone’s website gets hacked, and because they link to it from their MySpace or Facebook page, their contacts and friends sometimes get drawn to the attack sites. This is quite common, and we’ll write about it soon, but today’s story is a little different, in that these seem to be actual Facebook applications that have been hacked. (Please note that the application developer(s) are innocent victims too, and did not intend for their games to be hacked.)
The first one we noticed was CityFireDepartment, which seems to be a sort of online game that allows a player to become a fireman. (Please DO NOT GO to this application until it is cleaned up.)
This is how it’s supposed to look…
But what you see instead is something like this (especially if you are not patched)…
If you’re not patched, the next thing you see is this… (note the “Your computer is infected” warning in the bottom right corner of the screen):
Followed by…
And if you have a nifty change notification tool, like WRremote, you’ll see that you are already nailed, with sys files already having been installed.
At first, we thought this was a deliberate hack attempt by the developers, but when we looked at the source code for the web pages, we found this iframe injected into the source…
Interestingly, this line changes at least once a day, and calls to a different exploit site each time, so the Bad Guys are still exploiting the hole, whatever it is. Also interestingly, some of their users are telling them they have a problem. Here are some of the comments...
Initially, we thought that the applications were deliberately acting as lures, but it now seems to us that they are victims themselves. The difficult part for them will be to find and plug the hole that the DataSnatchers are using to hack the applications.
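For a developer hunting for an injected iframe like the one described above, one approach is to audit each served page for frames pointing at hosts the application does not expect, and to compare snapshots to catch the daily rotation. This is an added example, not code from the original post; the allowlist, the host names, the sample pages and the hidden-frame heuristic are all assumptions.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumption: hosts this application legitimately frames (placeholder names).
ALLOWED_HOSTS = frozenset({"apps.example.com", "ads.example.net"})

class IframeCollector(HTMLParser):
    """Record every <iframe> start tag with its line number and attributes."""
    def __init__(self):
        super().__init__()
        self.iframes = []

    def handle_starttag(self, tag, attrs):
        if tag == "iframe":
            self.iframes.append((self.getpos()[0], dict(attrs)))

def is_hidden(attrs):
    """Heuristic: a 0/1-pixel frame or CSS that hides it from the visitor."""
    style = (attrs.get("style") or "").replace(" ", "").lower()
    tiny = attrs.get("width") in ("0", "1") or attrs.get("height") in ("0", "1")
    return tiny or "display:none" in style or "visibility:hidden" in style

def audit_iframes(html, allowed_hosts=ALLOWED_HOSTS):
    """Return one finding per iframe whose src host is not on the allowlist."""
    parser = IframeCollector()
    parser.feed(html)
    findings = []
    for line, attrs in parser.iframes:
        host = (urlparse(attrs.get("src") or "").hostname or "").lower()
        if host and host not in allowed_hosts:  # relative src has no host
            findings.append({"line": line, "host": host, "hidden": is_hidden(attrs)})
    return findings

def new_hosts(previous, current):
    """Hosts flagged in the current snapshot but not in the previous one."""
    return {f["host"] for f in current} - {f["host"] for f in previous}

# Constructed sample snapshots of one application page, a day apart.
PAGE_DAY1 = """<html><body>
<iframe src="http://apps.example.com/game" width="760" height="600"></iframe>
<iframe src="http://exploit-a.invalid/in.php" width="1" height="1"></iframe>
</body></html>"""
PAGE_DAY2 = PAGE_DAY1.replace("exploit-a.invalid", "exploit-b.invalid")

if __name__ == "__main__":
    day1, day2 = audit_iframes(PAGE_DAY1), audit_iframes(PAGE_DAY2)
    print(day1)
    print("new since last snapshot:", new_hosts(day1, day2))
```

A frame host that changes between snapshots while the rest of the page stays the same is a strong sign that the injection point is still open.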
The other applications where we have detected the hack include (we don't include direct links to them in order to save you):
- MyGirlySpace
- Ferrarifone
- Mashpro
- Mynameis
- Pass-it-on
- Fillinthe
- Aquariumlife
There could easily be lots more, but that’s what we’ve noticed with this particular hack.
It’s a tricky world out there folks, keep safe.
Roger
Hello
This is really a very good article. I had not any idea about it. Now people should be careful about it. Thank you very much for addressing it. I appreciate you.
Posted by: vitamines | October 24, 2009 at 08:01 AM
Brent asked if we looked at the language the attack sites were written in to see if they really were Russian.
The short answer is "No"... there's generally nothing on the attack web sites other than javascript.
Posted by: Roger | October 21, 2009 at 09:43 PM
David asked what WrRemote is.
Hi David, it's an internally developed research tool. It's pretty useful. Sorry, but it's not available. There is, however, a commercial tool called Pc Surgeon from Dean Software that offers similar functionality.
Posted by: Roger | October 21, 2009 at 09:40 PM
Roger, isn't it true that .RU sites don't have to come from Russia? This one in fact is based out of France. Could the hackers be from another country besides Russia? Were you able to see the language of the malware to determine its origin?
Posted by: Brent Slayer | October 21, 2009 at 07:48 PM
Wonder how much of this is due to the app developers including ads in their apps. I've noticed that a lot of the apps I've looked at on FB have some of their own embedded ads (in addition to FB's ads) so if the ad server or the conduit to the app is hacked, the app could serve up these fun little trojans.
-Robby
Posted by: Robby D | October 20, 2009 at 06:46 PM
@Roger: yeah! I felt a little frightened when I saw the "connect with Facebook" button, especially after reading the article on top.
Posted by: David Ho | October 15, 2009 at 11:40 PM
May I ask what WRremote is? I want software like that but I can't find any.
About the infection: when the Adobe thing appears the first time, will my computer be infected right away or after I push any of the buttons on that Adobe thing? And is it OK if I just "end task" (Windows Task Manager)?
Thank you.
Posted by: David Ho | October 15, 2009 at 11:37 PM
More than mildly amusing, but, hey.... I'm not against FaceBook. I think FB is _great_ fun, but you do have to be careful. I come from Australia, where we do sharks (and things that sting and bite) exceptionally well, but everyone loves to go to the beach. :-)
Posted by: Roger | October 15, 2009 at 03:25 PM
I found it mildly amusing that, after reading this article on the dangers of Facebook apps, there was a nice "connect with Facebook" button right at the bottom of the article. We simultaneously warn about the sharks swimming in the waters, and invite people into the waters.
Posted by: Paco Hope | October 15, 2009 at 03:15 PM