I got this weird email from Jason Cherniak via Facebook:
Subject: People, check this out!
You guys gotta check this out, this nifty little website tells you exactly your secret crush: http://find-true-love.info
Input your info like I did, you will be VERY surprised with the results! Peace!
I was very surprised that Jason Cherniak is spamming people.
If you follow the link, you move through three websites in rapid succession:
http://www.incentaclick.com/nclick.php?id=14621&cid=++++
http://mobileentertainment.directtrack.com/sw/15/++++/
http://my1love.ca/DT/?web_id=++++++
I've blanked out the id strings that link the site to an affiliate. The final site in the group offers to tell you the name of your secret crush. All they need is your cell phone number. Right. At the bottom of the page is the low-contrast text required by law. The message in micro-point font explains that you'll be charged $1.25 every day for a horoscope sent right to your phone:
For customer care, please email cahelp@sms-help.com. By calculating your perfect match and by entering your personal PIN Code which will be sent to the cell phone number supplied by you on this website, you acknowledge that you are subscribing to daily horoscope service. The Daily Horoscope offer is only for compatible handsets on Fido Solutions, TELUS Mobility, Rogers Wireless, SaskTel Mobility, Aliant Mobility / Bell Mobility, NorthernTel Mobility, MTS Mobility, Virgin Mobile Canada and Telebec Mobilite. Customers will receive the daily horoscopes at $1.25 each weekday. All plans are subject to the Terms and Conditions. You may stop this subscription service at any time by sending a text message with STOP or ARRET, to short code 21864. Your phone must have text messaging capability. You must be the owner of this device and either be at least sixteen years old or have the permission of your parent or guardian. Standard text messaging rates may apply. For information text "HELP" or "AIDE" to 21864 or call 1-888-846-6939. Please click here to see full Terms and Conditions.
The first two links are associated with affiliate sites. If I were to sign up to the love site, the person who got me to sign up would get a cut of cash (that's what the id string is for).
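To see how a chain like this is put together, here is a small Python script that breaks a redirect chain into the pieces worth reporting to an abuse desk or adding to a block list: the hosts involved and the affiliate or campaign identifiers carried in each hop. This is an added example, not code from the original post. The URL list is constructed from the three hops above with the blanked ids replaced by obvious placeholder values, and both the list of id-carrying parameter names and the path-segment heuristic are my own assumptions, not a standard.

```python
"""Summarize an affiliate redirect chain for reporting or blocking.

Added example (not from the original post). The chain below is
constructed from the hops described in the post; the affiliate ids
are placeholders, not real values.
"""
import re
from urllib.parse import parse_qs, urlparse

# Query parameter names that commonly carry an affiliate or campaign id.
# Assumption: a starter list, not an exhaustive one.
AFFILIATE_PARAM_NAMES = {"id", "cid", "web_id", "aff", "aff_id", "affid", "ref", "sub_id"}

# Heuristic for path segments that look like tracking tokens rather than
# ordinary directory or file names: numeric, or an alphanumeric/underscore
# token of six or more characters that is not a plain lowercase word.
TOKEN_RE = re.compile(r"^[A-Za-z0-9_]{6,}$")
PLAIN_WORD_RE = re.compile(r"^[a-z]+$")

# Constructed sample chain based on the three hops in the post.
SAMPLE_CHAIN = [
    "http://www.incentaclick.com/nclick.php?id=14621&cid=PLACEHOLDER_CID",
    "http://mobileentertainment.directtrack.com/sw/15/PLACEHOLDER_SUBID/",
    "http://my1love.ca/DT/?web_id=PLACEHOLDER_WEBID",
]


def tracking_ids(url):
    """Return the candidate tracking identifiers found in one URL.

    Query parameters are keyed by name; path segments are keyed as
    path[<index>] so the caller can see where in the URL the id sat.
    """
    parts = urlparse(url)
    found = {}
    for name, values in parse_qs(parts.query, keep_blank_values=True).items():
        if name.lower() in AFFILIATE_PARAM_NAMES:
            found[name] = values[0]
    segments = [s for s in parts.path.split("/") if s]
    for i, seg in enumerate(segments):
        if seg.isdigit() or (TOKEN_RE.match(seg) and not PLAIN_WORD_RE.match(seg)):
            found[f"path[{i}]"] = seg
    return found


def summarize_chain(chain):
    """Return one record per hop: position, host and the ids it carries."""
    return [
        {"hop": n, "host": urlparse(url).hostname, "ids": tracking_ids(url)}
        for n, url in enumerate(chain, start=1)
    ]


def distinct_hosts(chain):
    """The set of hosts touched by the chain, useful for a block list."""
    return {urlparse(url).hostname for url in chain}


if __name__ == "__main__":
    for record in summarize_chain(SAMPLE_CHAIN):
        print(f"hop {record['hop']}: {record['host']} ids={record['ids']}")
    print("hosts to report:", sorted(distinct_hosts(SAMPLE_CHAIN)))
```

Each hop in the sample carries its own identifier, which is what lets every intermediary in the chain claim credit for a sign-up; the host list is the part a defender would actually act on, since the ids change per affiliate while the domains do not.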
Needless to say, that person is not Jason Cherniak. Jason is not a spammer.
Jason even sent out messages to that effect:
Jason is warning you to not follow the link. He didn't send it. 6:15pm
Jason is warning you to not watch the video. He didn't send it. 6:01pm
Jason did not spam you on purpose. Please disregard and forgive him. 5:56pm
Poor guy. Getting all this heat and not even enjoying the money from those poor fools who provided their cell phone numbers.
So how is it that Jason's Facebook account is the source of the spam email? It would appear that Jason has installed a malicious Facebook application. I don't know which one, but here is a report explaining how it has been done in the past:
Facebook has banned the Secret Crush application due to its affiliation with a notorious spyware manufacturer.
The social networking site confirmed the breakup on Monday: "Facebook is committed to user safety and security and, to that end, its Terms of Service for developers explicitly state that applications should not use adware and spyware," a statement from the company read. "We have contacted the developers and have disabled the Secret Crush application for violating Facebook Platform Terms of Service."
Lonely Facebook users eager to find which of their friends had the hots for them were served up with spyware instead. Invitations luring members with the message "One of your friends might have a crush on you!" actually came from Zango, a company whose name has become almost synonymous with adware.
Upon installing the application, users were informed that they needed to "invite" at least five more friends to Secret Crush before going on, and then were invited to download a "Crush Calculator" application that contained Zango software.
Duped Facebook members never did get to learn which people on their friends list had crushes on them.
Zango has publicly denied involvement with Secret Crush, publishing a blog post dismissing Fortinet's claims and saying that Secret Crush had not disappeared--it had just changed its name to My Admirer.
My wife has all sorts of the third-party games on her account. Scrabble games and the like. Almost certainly harmless, but then who knows?
These Facebook applications are "social worms", which is a new concept for me:
Further, this is a risk one may consider reasonable to take in order to find out who has a crush on him/her. Intriguing user curiosity is exactly what the social engineering leverages. Unfortunately, as displayed in Figure 4, once the terms are accepted the time for the revelation has not yet come: "Before you can find out who might have a crush on you, you need to invite at least 5 friends!".
This practically makes the widget a Social Worm. Unlike many social worms, the "Secret Crush" propagation strategy does not rely on phishing or any sort of user-space customization feature abuse. Rather, it relies on pure social engineering which is based on simple manipulation strategies such as "escalation of commitment". Since users have freely chosen to install the widget at the cost of disclosing their personal information, psychologically speaking it is difficult for them to stop the process at that point. Therefore, most of them will invite at least 5 friends to complete the process.
Clever. I suppose once these malicious apps are on your Facebook account, they can spawn subsequent Facebook emails, like the one I received from Jason:
According to the statement published on March 31, 2008 by SCmagazine, an Internet security vendor, Fortinet, warned that in the last week of March, a spam campaign obtained access to the user accounts of Facebook and sent messages on the Wall feature of user profiles, continuing the security threats.
Fortinet researchers said that Facebook is looking into this problem. Mostly the spam messages are linked to typical spam sites like online pharmacy shops. This site provides content for many pill pushing sites and they are also sourced to a Web host. The Wall feature of Facebook is used by its users to send comments on profile of their friends.
According to Fortinet, the hijacked user accounts were used for posting innocuous spam 2.0 and not for any other purpose. It also warned that this hijacking can be used to link some drive-by-install harmful sites.
Jesse Stay, the co-author of the book 'Facebook - Now What???', revealed that there is a possibility that this incident is linked to Secret Crush, an application on Facebook. He further added that this application installed spyware on users' computers and in January 2008, the company was forced to remove this application but even after two months, it is still creating chaos.
Jesse Stay also said that due to the installation of Zango application on users' account, the retrieved Facebook data is used by hackers for hacking into the accounts, for posting scraps to user's friend's walls, and for scraping the Wall.
Luckily for Jason, this could have been much worse:
Moreover, in the second last week of March 2008, Fortinet researchers found another hacking incident in which Facebook profiles were used to post images of child torture.
I have near bulletproof protection against Facebook spyware. It comes in two parts.
The first is that I don't install those third party apps.
The second is that I know better than to suspect that Jason Cherniak would ever willingly send people links to a crappy SMS subscription site.