IT security and control firm Sophos has warned users of the
popular Facebook social-networking site to exercise care over which
applications they install following the discovery of a "Secret
Crush" app that downloads adware onto their PC.
Facebook users are sent invitations to add the
Secret Crush application by other users.
The Secret Crush application, which at the time of writing has
over 50,000 daily users on Facebook, invites people to find out who
amongst their friends has a secret crush on them. Users tempted to
discover more have to invite at least five other Facebook users to
install the application before their mystery admirer is
Some 50,000 Facebook users are said to use the
Secret Crush application each day.
However, no secret crush is ever revealed. Instead users are
directed to an external website which invites Facebook users to
download potentially unwanted applications that will display pop-up
"Whoever wrote this Secret Crush application is cashing in big
time, by encouraging people to download the adware. As an affiliate
for the people displaying the nuisance pop-up adverts, they are
getting paid for each successful installation," said Graham Cluley, senior
technology consultant for Sophos. "Facebook users must show greater
discretion about how they use the site, and which applications they
install. These third party widgets are not written by Facebook, and
can mean that you are carelessly sharing your personal information
with strangers or risking your computer's security."
Sophos experts believe that companies need to set policies
regarding Facebook usage, and implement web security
solutions, to prevent dangers entering the workplace.
"Companies need to make their own mind up as to whether they
want to allow their users to access websites like Facebook and
MySpace during office hours. If workers are allowed to be given
access to these sites then it's vital that they do not put their
personal and corporate data at risk," explained Cluley. "If your
users are installing third party Facebook applications in the
office they could potentially be bringing adware, spyware and
malware into your organization at the same time. The best defense
is for businesses to defend themselves with a web security and
control appliance which can filter internet access and prevent the
downloading of malicious code."
Sophos notes that although Facebook appears to have removed
Secret Crush from its search results, it is still possible at the
time of writing to install the offending application.
"Facebook has thousands of third party applications available on
its site for members to install, and it's obviously proving
impossible for them to police them all," continued Cluley. "The
message from Facebook to its users appears to be 'add third party
applications at your own risk'."
Last year, Sophos published research showing that 41 percent of
Facebook users were prepared to divulge personal information to
a complete stranger (a small plastic frog called Freddi Staur - an
anagram of 'ID Fraudster').
Sophos recommends companies protect themselves with a consolidated solution which can control network access
and defend against the threats of spam, hackers, spyware and
Sophos is headquartered in Boston, US and Oxford, UK. More information is available at www.sophos.com.