My recent blog post on the possible “Facebook Worm” seems to be having an effect in security circles. Within 24 hours I received this e-mail from Zango, making sure their name was not associated with it:
Hello Jesse,
I am writing to you about the above entitled post. I first want to clarify that we (Zango) had no involvement with the “Secret Crush” Facebook widget. Matt Hines of InfoWorld clarified that in a blog post in January. You should take a look at: http://weblog.infoworld.com/zeroday/archives/2008/01/zango_strikes_b.html.
Mr. Hines’ blog post was spurred by our thorough investigation, which began with a blog post (http://blog.zango.com/PermaLink,guid,94c0e12c-c69e-484f-81b8-b8b58953d71b.aspx) and ended with another post (http://blog.zango.com/PermaLink,guid,b148693d-dbb7-48b9-a102-af336768a424.aspx) and press release (http://www.easyir.com/easyir/prssrel.do?easyirid=83181A68A6B07C97&version=live&prid=345840&releasejsp=release_21).
So to answer your question: Since Zango was not involved, we are not associated in any way with Secret Crush. Now, could Secret Crush be doing dubious things? Very possible. Have you contacted Facebook to let them know? If not, I will do just that, as we’ve had some contact with them.
I hope that you’ll revise your post in some way and, as always, am available to discuss further, etc.
Thanks,
SJS
Steve Stratz
Director of Public Relations
Zango
The following day, I received an e-mail from the security company Fortinet, asking if they could publish a security advisory on the threat. They mentioned they didn’t think it was necessarily a “worm”, per se, but rather what they call “Spam 2.0”. This raises the question: are we in a new age of spam? Instead of hijacking a person’s e-mail account and sending out spam messages over SMTP, spammers are now hijacking your Facebook and other social accounts and posting their links and messages on your walls and statuses.
The question now becomes: is it still related to the Secret Crush application? Given the problems they had in the past, and the fact that “totally hooked on the crush calculator” was being posted in the user’s status message, I find it hard to believe they had no involvement; then again, the spammer could simply be using a hijacked application at the same time as the hijacked user’s account. As Fortinet mentions, this has been happening on MySpace for quite some time now; it is only recently that we’re starting to see the same on Facebook.
The advantage these social networks have over traditional e-mail in combating spam is that your account requires a password to hijack. If you keep a good alphanumeric, non-dictionary-based password, spammers can’t exist! You can read more from the Fortinet article here:
http://www.fortiguardcenter.com/advisory/FGA-2008-08.html
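To make the “non-dictionary-based password” advice concrete, here is an added example (not code from the original post, Fortinet, or Facebook) of the kind of policy check a site can run at signup or password change. The wordlist and the leet-speak substitution table are constructed for illustration; a real deployment would load a full breached-password or dictionary list. The check normalises the candidate (lowercases it, strips trailing digits and symbols, undoes common substitutions such as “0” for “o”) before the dictionary lookup, so that “P@ssw0rd123!” is still recognised as “password”.

```python
import re

# Constructed sample wordlist for the example; load a real dictionary in practice.
COMMON_WORDS = {"password", "facebook", "secret", "crush", "letmein", "welcome", "monkey"}

# Common digit/symbol-for-letter substitutions to undo before the dictionary check.
LEET_MAP = str.maketrans({
    "0": "o", "1": "i", "3": "e", "4": "a", "5": "s", "7": "t",
    "@": "a", "$": "s", "!": "i",
})


def _base_forms(password):
    """Return the set of normalised forms a dictionary lookup should test."""
    lowered = password.lower()
    # Drop trailing digits/symbols so "password123!" reduces to "password".
    stripped = re.sub(r"[^a-z]+$", "", lowered)
    candidates = {lowered, stripped}
    # Also test each candidate with leet substitutions reversed.
    return candidates | {c.translate(LEET_MAP) for c in candidates}


def check_password(password, wordlist=COMMON_WORDS, min_length=10):
    """Return a list of policy failures; an empty list means the password is acceptable."""
    failures = []
    if len(password) < min_length:
        failures.append(f"shorter than {min_length} characters")
    if not any(c.isalpha() for c in password):
        failures.append("no letters")
    if not any(c.isdigit() for c in password):
        failures.append("no digits")
    if any(form in wordlist for form in _base_forms(password)):
        failures.append("based on a dictionary word")
    return failures


if __name__ == "__main__":
    for candidate in ("facebook", "P@ssw0rd123!", "correct-horse-42-battery"):
        print(candidate, "->", check_password(candidate) or "OK")
```

The normalisation step is the part worth copying: a plain membership test on the raw string lets trivial variants of dictionary words through, and those are exactly the passwords a credential-stuffing or guessing campaign tries first.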
Also, PC Magazine’s blog wrote on it recently:
http://blogs.pcmag.com/securitywatch/2008/03/facebook_worm.php