Facebook users, take heed: Some secrets are best left undisclosed, no matter how juicy and intriguing. Those who have encountered the Facebook application called “Secret Crush” are in for a surprise, because the app actually loads adware/spyware that can spread through their friendly virtual neighborhood. With close to 60 million users and still growing, the popular social networking site is once again the target of a malicious attack.
Secret Crush was quickly branded a malicious widget by the security researchers who discovered it, since it poses as a legitimate application that promises to reveal someone’s admirer(s). In reality, it loads adware/spyware associated with Zango, which historically has been linked to adware and spyware designed to gain access to certain games, DRM-protected videos, and software. In 2006, the FBI fined Zango US$3 million for allowing third parties to secretly install its adware.
Secret Crush also tricks affected users into forwarding the application to their friends on Facebook, increasing the chances of the program being passed around. The best that can happen once it is installed is that users come to realize that no list of their admirers will actually be revealed. But by then they would have already forwarded it to friends, who would have forwarded it to other friends, and so on. According to this post in Wired.com's Threat Level blog, around 4% of total Facebook users have already added it, bringing the number of affected users to about a million.
Facebook’s popularity is increasingly drawing the attention of malicious users who wish to leverage the traffic generated by its millions of users. In one case, a certain porn company allegedly used automated scripts to mine data from more than 200,000 separate proprietary Facebook Web pages, as detailed in a December 2007 PCPro news report.
Secret Crush may be just one of the early threats to test Facebook friendships. Those with Facebook accounts had better pause before choosing to add it to their profiles and enjoining their contacts to do the same; otherwise it can spoil the fun of social networking.