Users on Saturday began receiving messages, which came from a friend whose account had been infected. The messages read, "[T]his is without doubt the sexiest video ever! :P :P :P" and were accompanied by a link to a fake video titled "Candid Camera Prank [HQ]."
Clicking on the supposed video brought users to a Facebook application, which subsequently prompted them to download an updated media player to view the video, Patrik Runald, senior manager of security research at web security firm Websense, told SCMagazineUS.com on Monday. The download actually was a payload for an adware program called Hotbar, which displays advertisements in a user's browser based on web browsing habits.
If installed, the application also spammed out the same erotic message to all of the victim's friends.
“The malicious app itself started posting messages to friends' walls as soon as you allowed the app access to your profile," Runald said.
Tens of thousands of Facebook users may have fallen for the ruse, Runald said.
Facebook promptly disabled the application and since has been deleting all posts related to the scam, a spokesman told SCMagazineUS.com in an email Monday.
“We have an enforcement team that takes action against applications that violate our policies when they're reported to us or surfaced by our systems,” the Facebook spokesman said. “We're advising people not to click on strange links, even when posted by friends, and to be cautious when using applications.”
The adware campaign was unleashed just days after the social networking site announced a new security feature designed to notify users when their account is accessed from an unapproved device.
"It alerts you whenever someone logs into your account from an unknown computer, which is really good," Runald said. "It's a great feature and we recommend everyone activate it."
In addition, if Facebook detects an attempted login from an unusual device, the site will prompt the user to answer additional security questions.
"I think these are great steps, and I am glad to see Facebook stepping it up in regards to securing account access," Dave Marcus, security research and communications manager at McAfee Avert Labs, said in a blog post on Thursday. "When you consider the high prevalence of password-stealing trojans and Koobface...these measures are certainly a move in the right direction."
However, the new features would not have been able to stop the adware campaign this weekend, which propagated after users were tricked into approving the malicious application, Runald said.
“This was strictly social engineering by tricking you into believing that you received this video,” he said.