Websense uncovered a toolkit for building rogue Facebook applications selling for $25.
for attackers are a common item on the shelves of the underground
cyber-marketplace, and ones targeting Facebook users have no shortage of
One such kit
is "Tinie App,"
which researchers at Websense said they
discovered being sold on various sites for $25. Tinie App is a
Facebook application template behind the most recent iteration of an
old scam promising an application that can track the users who visit a person's
"The person who develops, maintains and supports the kit calls
himself 'TinieTempah,' like the British rapper," said Patrik Runald,
senior manager of security research at Websense. "He sells it
directly, but we've also found other people on different forums advertising the
the past weekend
, Tinie App was used to create an
application that promises to allow users to see who is
checking out their profile-an ability Facebook actually makes
impossible for any app to do. Dubbed "Facebook Profile Creeper Tracker Pro,"
the application asks the user to grant it access, then shows an online
survey/advertisement and tells the user he or she is the one that looks at
their account the most.
"[Attackers] typically either lead the people to a survey and get paid
per completed survey, or they trick users
into installing malware/adware
with social engineering," Runald
explained. "Tinie App is primarily used together with surveys [and] can be
used to create any type of app. All the user of the kit has to do is to create
the first landing page and the 'after permissions have been allowed' page.
Everything else is handled by the kit, including statistics of how many posts
have been made, how many users installed it, etc."
According to Symantec, Tinie App is just the tip of the iceberg. There are
other rogue app development kits out there as well, such as NeoApp, which
has been seen selling for $50.
"These toolkits and scripts are exchanged in underground forums,"
said Vikram Thakur, principal security response manager at Symantec. "Freshly
generated accounts are traded and tips are posted on how
to lead users into clicking ads
or filling out commissioned surveys. None
of this is really all that new, and these types of things have been around for
a while now. What's new is the fact that these toolkits are getting more
sophisticated and easier to use."
In the case of Tinie App, the maker describes the toolkit as a "viral
Facebook application script" that works in conjunction with CPALead
surveys. According to Websense, CPALead is a program any Web content publisher
can join that allows them to install a survey on their site in order to make
money. The cut with these programs is around 20 cents to $2, but could be more or
In the final analysis, social networks offer both a wealth of targets
and user information, making sites like Facebook an attractive place
for attackers to strike, Thakur said.
"Wherever there is honey, there will be bees. ... Threats like Jnanabot
and Koobface along with a few others have shown us that a successful malware
campaign on social networks is not just theoretical, but extremely practical
and lucrative," he said.