An adware-distribution scheme targeting Facebook is considered to be the first attack propagated on the wildly popular social-networking site.
Researchers at security gateway vendor Fortinet have uncovered the hack, disguised as a legitimate "Secret Crush" request on the site designed to inform Facebook users about other members who find them attractive. The application instead attempts to secretly install an adware program made by Zango after it has been successfully downloaded.
The Secret Crush program also tries to lure people who download the file to pass it along to other Facebook members they know, according to Fortinet's research.
The security vendor contends that as many as 3% of Facebook's almost 60 million registered users have already downloaded the adware-bearing program.
And while it appears that the attack has been unearthed by Facebook users themselves as worthless – as the program does not actually deliver the social networking function it originally promises and has been highlighted as such on the site by people who have already downloaded it – Fortinet experts said that the threat should be viewed by users of the portal, and its operators, as a sign of more dangerous attacks that will come.
Facebook officials did not immediately respond to calls seeking comment on the Secret Crush adware threat.
Dubbed specifically as a "malicious widget" by the security researchers, the attack illustrates the growing capability of badware distributors to tap into the trusted relationships fostered among users of social-networking sites to pass out their latest threats.
MySpace, an even larger social-networking site with an estimated 250 million users, has been subverted on multiple occasions by malware attackers during the last year.
"The main thing people haven't realised is that in the current threat landscape, where all the threats are monetised, traffic equals money in the eyes of the attackers, and you can find more traffic than ever at these social-networking sites," said Guillaume Lovet, a regional manager of Fortinet's Threat Response Team.
Lovet said that because Facebook and MySpace users tend to trust content coming from members they are already familiar with, the social-networking sites, when compromised, represent an ideal opportunity for malware distributors seeking a new environment to carry out their scams.
"At its core, Facebook is an incredible online-marketing tool, people are on there openly providing their names, birthdays and a wealth of other information about their religious and political views, or their favourite books and movies," Lovet said.
"If attackers have access to all that data, they can use it to craft attacks and use popular demographics they discover to create additional threats that tap into any of those themes."
For instance, if attackers are able to mine Facebook profile data to deduce that a large number of people within a certain age group have recently seen a particular movie, they might attempt to create a threat that poses as content related to the film and send it out to everyone who fits in that demographic, Lovet said.
The inherent power of social-networking sites and their ability to allow individuals to find each other and communicate directly will help attackers use people, rather than technology, to spread their latest work in the future, according to the researcher.