Most pieces of Facebook malware are mere annoyances — survey scams that generate pennies at a time for the operators, or "like"-jacks that promote dubious products.
However, two new bugs may be harbingers of more serious malware to come.
The more immediately dangerous of the two uses a classic phishing email to direct users to rigged Facebook pages that harbor the SpyEye banking Trojan, a long-lived and very effective information stealer that infects Web browsers to hijack online banking sessions.
The other is a sophisticated clickjacker called LilyJade, which is spreading through Facebook as a worm and substitutes its own online ads in the place of legitimate ads on Facebook, Yahoo, YouTube, Google and other popular sites in order to generate cash for small-time cybercrooks.
The Flashback malware that infected 600,000 Macs in March made money through clickjacking, and a different piece of malware discovered last week that places ads on Wikipedia pages seems to operate the same way.
Working hard for your money
The SpyEye phishing email, forwarded to Sophos' Naked Security blog by a reader, pretends to be an official notification from Facebook telling the recipient that "we have received an account cancellation request from you." The email then asks the recipient to "follow the link below to confirm or cancel this request."
The link does go to a Facebook.com page, but not an official one. Instead, the visitor is asked to install an unknown Java-based application, and not given an option to decline.
Once the applet is installed, the user is then asked to "update" the Adobe Flash Player — which, in this case, is really a variant of the SpyEye banking Trojan.
Good anti-virus software will block the installation of SpyEye, as will common sense that tells users not to allow installation of unwanted applications.
Today clickjacking, tomorrow who knows?
LilyJade uses similar social-engineering tactics, claiming to be news about Justin Bieber being in a car crash. Once a user clicks the link, it uses a drive-by download to infect browsers.
At the moment, LilyJade is harmless to infected computers. But it's installed using a cybercriminal exploit kit and is written in a new programming framework called Crossrider that works equally well in Google Chrome, Microsoft Internet Explorer and Mozilla Firefox.
LilyJade's rapid spread and ease of infection won't go unnoticed for long by other malware creators.
"It is quite rare to analyze a malicious file written in the form of a cross-platform browser plugin. It is, however, even rarer to come across plugins created using cross-browser engines," wrote Kaspersky Lab security expert Sergey Golovanov in an English-language blog post today (May 21.) (The Russian-language version was posted May 5.)
What's unusual about LilyJade, according to independent security researcher Brian Krebs, is that its creator, an Arizona hacker named Dru Mundorff, is openly selling it for $1,000 a copy on hacking forums, using his real name.
On the hacking forum, Mundorff claimed that LilyJade is invisible to anti-virus software, since in some cases it's just two lines of code pointing to an external site.
Facebook told Krebs it had already sent Mundorff a cease-and-desist letter, which Mundorff ignored.
Mundorff told Krebs that LilyJade is in fact perfectly legal, thanks to a creative end-user license agreement.
"We're not forcing any users to be bypassed, exploited or anything like that," Mundorff told Krebs. "At that point, if they do agree, it will allow us to make posts on their wall through our system."