

Friday, 12 April 2013

Facebook Apps Promise Change but In Reality Phish Your Information

URL redirection flaw in Facebook apps pushes the OAuth vulnerability into action again



Spammy Facebook apps are nothing new; the web giant has been dealing with suspicious apps since the website launched the Facebook Platform for developers in 2007. Because the platform is an open app development tool, anyone can create an app, including people who really just want to steal your information and your money.

With cyber crime, including identity theft, on the rise, more Facebook users should pay closer attention to what they click on, especially if it is shared in a spammy way. Sophos reports that nearly 60,000 people have clicked on one scam in particular, one that promises to let you see who has viewed your profile. The app automatically posts a comment to the user's timeline, and sometimes posts it as a photo with the message ‘OMG OMG OMG… I can't believe this actually works! Now you really can see who viewed your profile! on (link here)’.


[Screenshot: facebook hack]


The app does not actually let users see profile views; instead it leads them, and anyone who clicks the link posted to their wall, to a phishing page designed to steal personal information. Despite the red flags, Sophos, who tracked a single link through bit.ly, found that more than 58,000 people clicked on the link before it was shut down.

Real Life Example

Another all too common Facebook phishing app is the ‘Facebook Colors’ app, which can appear as ‘Facebook Green’, ‘Facebook Red’, or, in the case of this demonstration, ‘Facebook Black’. The following app was installed on a computer with a fully working antivirus, including a link scanner.


[Screenshot: facebook hack]


First, Facebook Black shows a couple of spammy properties right off the bat. Real people typically do not post a photo together with a comment, which is the first sign. Second, most people will say something other than ‘check it out’. Last but not least, if you see more than one person posting the same comment with the same link, you definitely have a spam app on your hands. For anyone looking forward to installing a black Facebook, let's look at where this particular app goes.


[Screenshot: facebook hack]


What this shows is that, despite being advertised as a Facebook application, it is actually a browser extension. You first have to allow it on your Facebook account, but you are then asked to allow it in your browser as well. Should you install it to test it yourself, you can uninstall it from your browser's extensions page. After clicking ‘add’ you would expect to be taken to a ‘black’ Facebook. Instead, you get this page.


[Screenshot: facebook hack]


You can click on any of the three ‘you've won’ options. I tested all three: two led to phishing websites, and one was actually broken, which is more than a little hilarious. The broken link goes to this page.


It goes absolutely nowhere, which is just about the safest outcome you will get with this particular app installed in your browser. One of the other links was less benign and was actually picked up by the browser's link scanner.


[Screenshot: facebook hack]


Many Facebook scam and phishing apps promise users things that seem hard to resist. Profile personalization, seeing who spends time on your profile, and even some games can instead steal your information, spam your friends with malware, and post items on your wall without your permission. Most of these apps are designed to make money for their maker in some way or another, and usually that money is made off of you.

Warning Signs

Most apps on Facebook are perfectly benign and can be used without a problem. There are, however, a few basic signs you can look out for to help recognize scam and phishing apps.

  • Automatic tagging and sharing of links

  • Automatic commenting and sharing of links

  • Automatic invitations

  • Promised features that you haven't already seen in use

  • The app vanishes with no results after being installed
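The post-level signs described above (a photo bundled with a comment and a link, generic bait text such as ‘check it out’, and several accounts posting the identical comment and link) can be turned into a small feed-scoring routine. The following is an added example written for this post, not code from the original article; the sample feed, the bait-phrase list and the duplicate threshold are all constructed assumptions for illustration.

```python
"""Heuristic scoring of wall posts for spam-app signals (added example)."""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

# Assumed list of generic bait phrases, based on the wording quoted in the post.
BAIT_PHRASES = (
    "check it out",
    "omg omg omg",
    "i cant believe this actually works",
    "see who viewed your profile",
)


@dataclass
class Post:
    user: str
    text: str
    link: Optional[str]
    has_photo: bool


# Constructed sample feed: one normal photo post, three accounts pushing the
# same "Facebook Black" comment and link, and one ordinary link share.
SAMPLE_FEED: List[Post] = [
    Post("alice", "Happy birthday mom!", None, True),
    Post("bob", "Check it out! Facebook Black is here", "http://example.invalid/black", True),
    Post("carol", "Check it out! Facebook Black is here", "http://example.invalid/black", True),
    Post("dave", "check it out!  facebook black is here", "http://example.invalid/black", False),
    Post("erin", "Good write-up on TLS configuration", "https://example.org/tls", False),
]


def normalise(text: str) -> str:
    """Lower-case, drop punctuation and collapse whitespace so near-identical
    copies of an auto-posted comment compare equal."""
    cleaned = "".join(ch if ch.isalnum() or ch.isspace() else " " for ch in text.casefold())
    return " ".join(cleaned.split())


def flag_posts(posts: List[Post], min_duplicate_users: int = 2) -> List[Tuple[int, List[str]]]:
    """Return (index, reasons) for every post that trips at least one signal."""
    # Group distinct users by (normalised comment, link) to spot mass reposting.
    signatures: Dict[Tuple[str, str], Set[str]] = defaultdict(set)
    for p in posts:
        if p.link:
            signatures[(normalise(p.text), p.link)].add(p.user)

    flagged: List[Tuple[int, List[str]]] = []
    for idx, p in enumerate(posts):
        reasons: List[str] = []
        norm = normalise(p.text)
        if p.has_photo and p.text and p.link:
            reasons.append("photo bundled with comment and link")
        if any(phrase in norm for phrase in BAIT_PHRASES):
            reasons.append("generic bait phrase")
        if p.link and len(signatures[(norm, p.link)]) >= min_duplicate_users:
            users = len(signatures[(norm, p.link)])
            reasons.append(f"same comment and link posted by {users} accounts")
        if reasons:
            flagged.append((idx, reasons))
    return flagged


if __name__ == "__main__":
    for idx, reasons in flag_posts(SAMPLE_FEED):
        print(f"post {idx} by {SAMPLE_FEED[idx].user}: {'; '.join(reasons)}")
```

Run stand-alone it reports posts 1 to 3 and leaves the birthday photo and the single TLS link alone. The duplicate check is the strongest of the three signals, since an ordinary user rarely posts the exact comment and link that two other accounts posted; the bait-phrase list is the weakest and should be treated as a tie-breaker rather than a verdict.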


Removing a Spam or Phishing App from Your Facebook

If an app you have installed shows any of the signs above, you should remove it as quickly as possible. The current version of Facebook lets you fully control which apps have access to your profile by clicking the small gear in the upper lefthand corner. From there, click ‘settings’ and then ‘apps’. You can remove anything in the app list that you are not familiar with or did not install.

If the app has in fact installed itself into your browser, you can usually uninstall it by going to Tools and then Extensions or Add-ons, depending on which browser you are using.

Studies show that identity theft is once again rising to become the most popular scam. Phishing emails and apps are the easiest way to steal an identity, including name, phone number, credit card information, and even home address. An estimated 12.6 million Americans were victims of identity theft in 2012, a number nearly as high as the 2009 record of 13.9 million. The only way to protect yourself is to exercise caution and think before you click.


