All the social networking sites have issues with calling out to exploit pages. Usually what happens is that someone’s website gets hacked, and because they link to it from their MySpace or Facebook page, their contacts and friends sometimes get drawn to the attack sites. This is quite common, and we’ll write about it soon, but today’s story is a little different, in that these seem to be actual Facebook applications that have been hacked. (Please note that the application developer(s) are innocent victims too, and did not intend for their games to be hacked.)
The first one we noticed was CityFireDepartment, which seems to be a sort of online game that allows a player to become a fireman. (Please DO NOT GO to this application until it is cleaned up.)
This is how it’s supposed to look…
But what you see instead is something like this (especially if you are not patched)…
If you’re not patched, the next thing you see is this… (note the “Your computer is infected” warning in the bottom right corner of the screen):
And if you have a nifty change notification tool, like WRremote, you’ll see that you are already nailed, with sys files already having been installed.
At first, we thought this was a deliberate hack attempt by the developers, but when we looked at the source code for the web pages, we found this iframe injected into the source…
Interestingly, this line changes at least once a day and calls to a different exploit site each time, so the Bad Guys are still exploiting the hole, whatever it is. Also interestingly, some of the applications’ users are telling the developers they have a problem. Here are some of the comments…
Initially, we thought that the applications were deliberately acting as lures, but it now seems to us that they are victims themselves. The difficult part for them will be to find and plug the hole that the DataSnatchers are using to hack the applications.
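For an application owner, one way to notice this kind of injection is to scan the served pages for iframes whose host is not one the application is known to frame, and to track whether that host changes between snapshots. The following is an added example, not code from the original post; the hostnames, the allowlist and the HTML snapshots are constructed placeholders.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hosts the application legitimately frames (assumed for this example).
ALLOWED_HOSTS = {"cdn.example.test"}

class IframeCollector(HTMLParser):
    """Collect the src of every <iframe> in a page."""
    def __init__(self):
        super().__init__()
        self.sources = []

    def handle_starttag(self, tag, attrs):
        if tag == "iframe":
            src = dict(attrs).get("src")
            if src:
                self.sources.append(src.strip())

def foreign_iframe_hosts(html, page_host):
    """Hosts framed by the page that are neither its own host nor allowlisted."""
    collector = IframeCollector()
    collector.feed(html)
    hosts = set()
    for src in collector.sources:
        # Relative URLs have no hostname and resolve to the page's own host.
        host = (urlparse(src).hostname or page_host).lower()
        if host != page_host and host not in ALLOWED_HOSTS:
            hosts.add(host)
    return hosts

def review_snapshots(snapshots, page_host):
    """snapshots: (label, html) pairs in time order. Returns, for each snapshot
    with a foreign iframe, (label, hosts, rotated_since_previous_snapshot)."""
    findings, previous = [], set()
    for label, html in snapshots:
        hosts = foreign_iframe_hosts(html, page_host)
        if hosts:
            findings.append((label, sorted(hosts), bool(previous) and hosts != previous))
        previous = hosts
    return findings

# Constructed snapshots of one application page on three consecutive days.
CLEAN = '<html><body><iframe src="https://cdn.example.test/ad.html"></iframe></body></html>'
DAY1 = CLEAN.replace("</body>", '<iframe src="http://one.invalid/x"></iframe></body>')
DAY2 = CLEAN.replace("</body>", '<iframe src="//two.invalid/y"></iframe></body>')
SNAPSHOTS = [("day0", CLEAN), ("day1", DAY1), ("day2", DAY2)]

if __name__ == "__main__":
    for finding in review_snapshots(SNAPSHOTS, "apps.example.test"):
        print(finding)
```

A finding whose third field is true means the foreign host differs from the one seen in the previous snapshot, which matches the daily rotation described above and suggests the hole is still open.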
The other applications where we have detected the hack include (we don’t include direct links to them in order to save you):
There could easily be lots more, but that’s what we’ve noticed with this particular hack.
It’s a tricky world out there, folks. Keep safe.