Another Facebook Scam: “Secret Crush”

This one with malicious “adware.”

One of the things about Facebook that has most concerned me is the proliferation of “apps” or “widgets,” those sometimes fun, sometimes annoying add-ons like “Scrabblicious,” “Six degrees,” and “Superlatives.”

Specifically, it bothers me that these apps ask you to hand over your entire profile and all its goodies in order for you to run them. Most people just blow through the installation process, blindly saying “yes” to everything in order to get to the app, not noticing that they are agreeing to let the app have unlimited access to all of the information they have ever put into Facebook, and essentially authorizing the app’s creators to do anything they want with that information.

Yesterday it was revealed that running the “Secret Crush” app (and at least a million people have already done so) installs an “adware” widget on your computer. The adware widget tracks your Web browsing (not just your Facebook activity) and launches annoying pop-up windows.

Here’s the story from Wired.

Here are a few excerpts from the Wired story:

According to an advisory from security software vendor Fortinet, the “Secret Crush” application prompts users to install ad-serving software from Zango, a company that was fined $3 million in 2006 by the feds for letting third parties install its adware without user consent.

…the link to Zango’s software came through a sly iframe, an HTML code often abused by online scammers to attempt to install truly malicious code on people’s computers without their consent or knowledge.

Manky thinks such attacks will become more and more common on social networking sites, as users get accustomed to installing add-ons to their profiles and trust that sites like Facebook are safer than the larger internet.

This is exactly the kind of abuse of (badly-placed) trust that I’ve been complaining about when it comes to Facebook. More information about the Zango adware attack is available here, at ZDNet, in a blog article revealingly titled “The next hacker frontier: Social networking sites.”
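The Wired excerpt above describes the mechanism: an app page that embeds a hidden iframe pointing at a third-party installer. A platform that hosts third-party app markup can catch that pattern before it reaches users. The following scanner is an added example, not code from the original post, from Facebook, or from Fortinet; the host names, the `TRUSTED_HOSTS` set and the sample app page are constructed placeholders. It flags any iframe whose `src` is off-platform or that is styled or sized so the user cannot see it.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hosts the platform treats as its own; anything else is third party.
# Placeholder names for this example, not real domains.
TRUSTED_HOSTS = {"apps.example-platform.test"}


def _is_hidden(attrs):
    """True if the iframe is styled or sized so a user would never see it."""
    style = (attrs.get("style") or "").replace(" ", "").lower()
    if "display:none" in style or "visibility:hidden" in style:
        return True
    for dim in ("width", "height"):
        val = (attrs.get(dim) or "").strip().lower().rstrip("px")
        if val.isdigit() and int(val) <= 1:
            return True
    return False


class IframeAuditor(HTMLParser):
    """Collects iframes that are off-platform, hidden, or both."""

    def __init__(self, trusted_hosts):
        super().__init__()
        self.trusted_hosts = {h.lower() for h in trusted_hosts}
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag != "iframe":
            return
        attrs = dict(attrs)
        src = attrs.get("src") or ""
        host = (urlparse(src).hostname or "").lower()
        reasons = []
        # A relative src (empty host) stays on the platform and is not flagged here.
        if host and host not in self.trusted_hosts:
            reasons.append("third-party src: " + host)
        if _is_hidden(attrs):
            reasons.append("hidden from user")
        if reasons:
            self.findings.append({"src": src, "reasons": reasons})


def find_suspicious_iframes(markup, trusted_hosts=TRUSTED_HOSTS):
    """Return a list of {src, reasons} dicts for every suspicious iframe."""
    auditor = IframeAuditor(trusted_hosts)
    auditor.feed(markup)
    auditor.close()
    return auditor.findings


# Constructed sample of an app canvas page: one legitimate frame and one
# zero-size, display:none frame pointing at an outside installer host.
SAMPLE_APP_PAGE = """
<div class="crush-app">
  <p>Someone has a secret crush on you! Install to find out who.</p>
  <iframe src="https://apps.example-platform.test/crush/frame"
          width="600" height="400"></iframe>
  <iframe src="http://installer.adware-vendor.test/setup"
          width="0" height="0" style="display:none"></iframe>
</div>
"""

if __name__ == "__main__":
    for finding in find_suspicious_iframes(SAMPLE_APP_PAGE):
        print(finding["src"], "->", "; ".join(finding["reasons"]))
```

Run against the sample page, only the second iframe is reported, with both reasons. Treating "off-platform" and "hidden" as separate reasons matters in practice: a visible third-party frame may be a legitimate embed that review can allow, while a hidden one has no benign reason to exist on an app page.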

To be fair, this is not an attack by Facebook, it is an attack by a company using Facebook as a vehicle. But the fact remains that Facebook was designed (by Facebook) expressly for this kind of thing.

What do I mean by that? I mean that Facebook was designed from the ground up to break down people’s fears and concerns. Instead of encouraging good privacy and online safety practices, it is designed to exploit the (false) sense of security people feel when they are surrounded by friends, and to encourage them to act recklessly. It is social engineering in which a facade of “fun” masks the real purpose, which is to monetize your every thought and move.

16 thoughts on “Another Facebook Scam: ‘Secret Crush’”

  1. You make me laugh, but not in a malicious way, in a fun way. Every time you post a rant about Facebook I imagine you discovering another annoying trait, raising your fists in rage, scrunching up your face and going “BASTARDS! ARRRGH!”

  2. Captain Blork! Fighting all manners of Facebook crime. I think you need your own video game. Now if only we knew someone who could…

    But seriously, thanks for the heads up. Us lazy people are relying on you! I’ve already rid myself of Secret Crush and Superlatives…they just seemed too suspicious. I kept Six Degrees (couldn’t resist as that’s the name of my company), but I’m afraid it too will have to go.

  3. Why does this somehow remind me of that Bob and Doug Mackenzie sketch where they tell you how to screw over THE MAN by using slugs in parking meters, eh?

    I have to agree with Alston here. “Get off my e-Lawn, you damn kids!”

    Facebook wasn’t “designed from the ground up” to break down compost, let alone people’s fears; it was the web version of the paper “facebook” given to help learn the names of people on campus at Harvard.

    That said, out of greed, they’ve made some truly terrible decisions as regards user privacy since then. Their default settings should be to preserve maximum privacy, and then allow people to toggle granular access to parts of their profile.

    I can understand data mining in aggregate, and using AdWords on certain pages, for instance, but if they were truly concerned about privacy, they’d put notices in 24-point plain English, the way Flickr does, when people enable a 3rd-party application.

    I think they need to re-read _Defensive Design For The Web_, by the 37Signals bunch.

    But overall, people wouldn’t use Facebook if it didn’t fulfill its mission rather excellently, which is to “connect users with the people around them.” I can easily jettison all those other 3rd party apps and just use the core functions and I’d be perfectly happy. It actually does a lot of things really well, which is why people abandoned Friendster and similar services for it.

    Surely you get some value out of it, otherwise you wouldn’t use it. I think we’re all very curious to read about the many positive experiences it has brought to your life. Hint hint.

  4. Bah, Facebook is *so* 2007! LOL!

    I don’t need my fears broken down and I certainly don’t want to “connect with the people around” me more than I already do, so I started out being anti-Facebook. Now I don’t even bother with the “anti”. I’m just not interested. (But boy am I glad people have stopped trying to convince me like it’s some cult!) Nope, now I just sit back and wait for the shit to hit the fan, knowing there’s a possibility that the result will be me, left almost alone, while everyone communicates exclusively via FB. Frankly, neither option bothers me.

    What I find very funny however is to hear about the weirdness FB creates. Your boss asking you to be his friend? Is that really a healthy thing? (I understand it can be, but 99% of the time? bad juju!) Knowing that your cubicle mate is drunker than drunk or crying her eyes out — do you really want your colleagues to know that much about your free time? I worked in an office this fall and the plots and subplots related to FB were numerous (and quite stupid, not to say incredibly unprofessional). Then again, this isn’t a problem created by FB: FB only highlights that many, many people have to rethink their boundaries. At least if ever I interview for a job again, the person interviewing me won’t be able to go ask all my “friends” what I’m *really* like, lol!

  5. OK, I’ll admit that “from the ground up” was an exaggeration. How about “was RETHOUGHT from the ground up” once Zuckerberg and his investors saw the potential?

    AJ, I think you’re still making the assumption that Facebook “made mistakes” with privacy. I’m suggesting those “mistakes” were part of the plan, and part of the design. The only mistake was not realizing the extent to which people would figure it out and object.

    The people behind Facebook don’t care about privacy. If they read the 37 Signals book you mention it would only be to find ways to defeat the suggestions in it.

    Saying they should have taken cues from Flickr or 37 Signals is like saying Dick Cheney should have taken advice from the Dalai Lama in order to avoid the Iraq war. That would have been meaningless, because Cheney WANTED to go to war with Iraq! He and his cabal have wanted that for years. The revenue opportunities! Woo hoo! (E.g., according to The Raw Story, Cheney’s Halliburton stock options appreciated by more than 3000% in 2005. By then, Halliburton had taken in over 20 billion in revenues just from Iraq related contracts.)

    That’s the trouble with you kids; you assume these startups are all about “community” and “fun” and “sharing” when in fact a lot of it is about cold, greedy, cash, at any cost.

    (Heh heh heh. I love these rants…)

  6. VB; word!

    And AJ, you’re right that it’s easy to avoid most of this crap by just using FB’s core functionality. That’s what I do (and even then, just barely).

    The main problem is the naive users, the people who fall into Facebook like it’s the second coming or something. Fortunately, we’re not all that stupid, but I’m quite convinced that as FB evolves, it is evolving with that kind of behaviour and user in mind.

    And hence my rants. Somebody’s got to look after the naive people. How ironic that the people who are most into defending FB are the ones most likely to toss out the old “it’s people’s own responsibility to know what they’re doing” chestnut. What the heck kind of “community” and “sharing” is that?

    Forget that. Here’s some “sharing” for you: read my Facebook rants and ask yourself if you’ve been suckered. If so, take appropriate action.

    There. THAT’s sharing. THAT’s looking after your community.

  7. You’ve taken it upon yourself to look after the naive people? That’s mighty white of you.

  8. No, I just never took the “mighty white” as being questionable language. You see, that’s what happens when folks like blork don’t look out for me. :)

  9. I have suspected pernicious Facebook apps from the start; nevertheless, I continue to play Scrabulous (not Scrabulicious) because I am hooked. I ignore most other apps. I do plan to copy and paste this post, because it is useful for those members of my family who add every app that comes along.

    Oh and by the way, I nominated you in the Bloggies for Best Food Blog. You’re welcome.

  10. I’m afraid that Facebook is a cult. I was doing fine with just my trusty old email account. Now, because I joined, I cannot get people to email me properly. And some of those people claim I am being paranoid, until a story like this one pops up.

    When the ‘drink the kool-aid’ application starts showing up, I urge everyone to quickly unplug from the internet and head on back to the old faithful tv.

  11. Thanks, Lattegirl! Except that I don’t blog about food so much these days, but what the heck, I’ll take any nod thrown my way. :-)

    Pamplemousse, I’m waiting for that application too. Any day now. Hee hee!

  12. I just had an attack by My Luv Crush, and being new to FB as well as this whole conversation, didn’t know if it was a legit attempt to be contacted by an anonymous FB friend, or a scam to get to my pockets. I’m old in years, and new in web based profiling, compared to most users. So, are MLC and Secret Crush the same? Equally fraudulent? I ended up calling an 800 # that came up on my phone, where they sent a pin after I put in my cell # – which told me there would be no charges and I would have no more to do with that service. What gives???

  13. You think that’s bad?

    Were you aware that once you create a profile on FB, you will never be able to delete it. You can “disable” it, but they will hold your personal data forever …

    Recent posting that made it to Digg:

    http://duggmirror.com/security/2504_Steps_to_Closing_Your_Facebook_Account_2/

    People who post personal information online, anywhere, are just silly …

    … and they have no excuse when that information gets compromised

Comments are closed.