Rogue Facebook Application Toolkits Sell for Cheap

Websense uncovered a toolkit for building rogue Facebook applications selling for $25.

Do-it-yourself toolkits for attackers are a common item on the shelves of the underground cyber-marketplace, and ones targeting Facebook users have no shortage of customers.

One such kit is "Tinie App," which researchers at Websense said they discovered being sold on various sites for $25. Tinie App is a Facebook application template behind the most recent iteration of an old scam promising an application that can track the users who visit a person's profile.

"The person who develops, maintains and supports the kit calls himself 'TinieTempah,' like the British rapper," said Patrik Runald, senior manager of security research at Websense. "He sells it directly, but we've also found other people on different forums advertising the kit."

During the past weekend, Tinie App was used to create an application that promises to allow users to see who is checking out their profile-an ability Facebook actually makes impossible for any app to do. Dubbed "Facebook Profile Creeper Tracker Pro," the application asks the user to grant it access, then shows an online survey/advertisement and tells the user he or she is the one that looks at their account the most.

"[Attackers] typically either lead the people to a survey and get paid per completed survey, or they trick users into installing malware/adware with social engineering," Runald explained. "Tinie App is primarily used together with surveys [and] can be used to create any type of app. All the user of the kit has to do is to create the first landing page and the 'after permissions have been allowed' page. Everything else is handled by the kit, including statistics of how many posts have been made, how many users installed it, etc."

According to Symantec, Tinie App is just the tip of the iceberg. There are other rogue app development kits out there as well, such as NeoApp, which has been seen selling for $50.

"These toolkits and scripts are exchanged in underground forums," said Vikram Thakur, principal security response manager at Symantec. "Freshly generated accounts are traded and tips are posted on how to lead users into clicking ads or filling out commissioned surveys. None of this is really all that new, and these types of things have been around for a while now. What's new is the fact that these toolkits are getting more sophisticated and easier to use."

In the case of Tinie App, the maker describes the toolkit as a "viral Facebook application script" that works in conjunction with CPALead surveys. According to Websense, CPALead is a program any Web content publisher can join that allows them to install a survey on their site in order to make money. The cut with these programs is around 20 cents to $2, but could be more or less.

In the final analysis, social networks offer both a wealth of targets and user information, making sites like Facebook an attractive place for attackers to strike, Thakur said.

"Wherever there is honey, there will be bees. ... Threats like Jnanabot and Koobface along with a few others have shown us that a successful malware campaign on social networks is not just theoretical, but extremely practical and lucrative," he said.