18th July 2011
Fake Google+ invites used to harvest Facebook profiles
by David Michmerhuizen – Security Researcher
A common denominator of Facebook scams is that they offer you something you can’t resist. Whether it is free Farmville coins, a ‘Dislike’ button <http://www.barracudalabs.com/wordpress/index.php/2011/05/26/you-will-dislike-the-dislike/>, or just a girl in a short plaid skirt <http://www.barracudalabs.com/wordpress/index.php/2011/05/17/facebook-videos-now-leading-to-fake-youtube-captchas/>, if it’s desirable then you’ll eventually see it offered on Facebook as part of a scam.
And so it is with the latest must-have digital tchotchke, an invitation to the new social networking offering from Google, Google+ <http://plus.google.com>. Since Google’s new project is aimed squarely at Facebook you would hardly expect to see such invitations offered on Facebook, but that’s where they’re showing up.
Clicking on one of these news feed items brings up an actual Facebook application page. Facebook is taking these app pages down, but the scammers keep creating new ones.
The reason for using an application in this scam is that applications can, if the user allows it, access otherwise private information from your Facebook profile. That’s just what this app does. Clicking on any of these links takes you to a page where the application requests permission to access your Facebook data, and it really does ask for quite a bit. This appears to be the entire point of the scam – email and account data harvesting. The only other thing the application does is spread to your friends. First you are asked to ‘Like’ the app, which will cause it to appear in your friends’ news feeds.
Then, just in case items from you don’t appear in your friends’ news feeds, there is one more step: you are asked to explicitly send “invites” to your friends.
Instead of actually sending invites, you’re sending Facebook requests that will appear in the notification queue of each friend you select.
Once you are past this point you wind up on the Google+ home page, and when you try to log in – surprise – you haven’t been invited.
As always, we at Barracuda Networks recommend that you approach any wall post that appears in your news feed with great caution. If a post seems too good to be true, double-check with the person whose name appears on it.