
Watch out for Birthday Invitations
By Elinor Mills
Published: 20 August 2009 09:22 GMT
Security firm Trend Micro warned on Wednesday that a handful of rogue Facebook apps are stealing log-in credentials and spamming victims' friends.
So far, six malicious applications have been identified: "Stream", "Posts", "Your Photos", "Birthday Invitations", "Inbox (1)" and "Inbox (2)", according to a blog post by Trend Micro researcher Rik Ferguson.
As of Wednesday afternoon, all of the apps were live except for "Stream", he said.
The activity started earlier in the week with a Facebook notification Ferguson says he got from an app called "sex sex sex and more sex!!!," which has more than 287,000 fans. The notification said that someone had commented on one of his posts. That app doesn't appear to be malicious and may have been compromised somehow to begin the distribution of the spam, he said.
That first notification included hyperlinks that led to a phishing site on the "fucabook.com" domain, allegedly registered to someone in Armenia, he said. Once Ferguson gave up his credentials (for a Facebook account he uses for research purposes) he was directed to Facebook and to an application install screen for the app called "Posts".
He installed that app and immediately his friends were spammed with a bogus notification "Profile_name has sent you a message", with the hyperlink to the phishing site.
On Tuesday, the first couple of apps were sending notifications that hyperlinked to the fucabook phishing site, but by Wednesday the destination had changed to a bare IP address rather than a domain name, he said. A piece of JavaScript that loads Facebook bounces the browser among the six rogue apps to get them widely installed, and the cycle continues, he said.
All the apps look and act exactly the same and include ads.
"I am keeping Facebook informed of these developments as they arise and they are working hard to rectify the situation," Ferguson wrote on his blog.
A Facebook spokeswoman said the company was looking into the matter and would provide more comment later.
Ferguson recommends that internet users always check the URL displayed in the browser address bar before entering any sensitive information on a site, and hover the mouse over a hyperlink to see its destination URL before clicking. Facebook users should also review their privacy settings regularly and delete any applications they no longer use, he said.
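As an added illustration of the link checks Ferguson recommends (this is example code, not from the article, Trend Micro or Facebook), the following Python classifies a notification's link destination the way a careful reader would: it flags bare IP addresses (the campaign's Wednesday destinations), near-miss spellings such as fucabook.com, and hosts that merely embed facebook.com. The sample URLs, the `classify_link` and `suspicious_links` names and the 203.0.113.5 documentation address are constructed for this example.

```python
import ipaddress
from urllib.parse import urlparse

TRUSTED_DOMAIN = "facebook.com"  # the site the notifications claim to come from


def _edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to spot near-miss spellings of the trusted domain."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_link(url: str, trusted: str = TRUSTED_DOMAIN) -> str:
    """Return 'trusted', 'bare-ip', 'lookalike' or 'other' for a link destination.

    urlparse().hostname drops any 'user@' prefix, so a link such as
    http://facebook.com@203.0.113.5/ is judged by its real host.
    """
    host = (urlparse(url).hostname or "").lower().rstrip(".")
    try:
        ipaddress.ip_address(host)           # a plain numeric address, no domain at all
        return "bare-ip"
    except ValueError:
        pass
    if host == trusted or host.endswith("." + trusted):
        return "trusted"
    if trusted in host:                      # e.g. facebook.com.evil.example
        return "lookalike"
    registrable = ".".join(host.split(".")[-2:])   # last two labels, e.g. fucabook.com
    if _edit_distance(registrable, trusted) <= 2:  # fucabook.com, faceb00k.com, ...
        return "lookalike"
    return "other"


def suspicious_links(urls):
    """Return (url, verdict) for every link that does not lead to the trusted domain."""
    return [(u, classify_link(u)) for u in urls if classify_link(u) != "trusted"]


# Constructed sample of notification links, modelled on the article's description.
SAMPLE_LINKS = [
    "https://www.facebook.com/notifications",
    "http://fucabook.com/login.php",
    "http://203.0.113.5/login.php",          # RFC 5737 documentation address
    "http://facebook.com@203.0.113.5/",
    "http://facebook.com.evil.example/",
]

if __name__ == "__main__":
    for url, verdict in suspicious_links(SAMPLE_LINKS):
        print(f"{verdict:9s} {url}")
```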
Original article: Rogue Facebook apps steal log-in data, send spam from CNET News.com