Facebook phishing app plague may be getting out of control
In the Internet equivalent of the old "whack-a-mole" game, Trend Micro researcher Rik Ferguson, who helped call attention to the Conficker worm early on, has this week been calling attention to rogue Facebook applications whose main purpose appears to be to collect users' passwords. Using the usual attention-grabbing titles (repeating the word "sex" is apparently still effective), these apps redirect users to what looks like a legitimate login page, making them believe they need to log into Facebook again.
The innocuous names lead users to think they point to real Facebook functions like "inbox" rather than to third-party apps. When a user clicks on one of them, thinking it is part of Facebook, the malicious app takes the user to a look-alike Facebook login screen and collects the password entered there.
Yesterday, Ferguson reported that Facebook removed the first five rogue applications he had discovered, only to have six more turn up in their stead. Meanwhile, over the last month, Facebook has been incrementally adding new accessibility features to its Open Stream API, with the purpose of making it easier for developers to publish information into users' streams and to gain direct access to discussion threads and Facebook e-mails.