A huge attack by a rogue Facebook application last weekend infected users' PCs with popup-spewing adware, a security researcher said Monday.
On Saturday, AVG Technologies received more than 300,000 reports of the malicious Facebook app, said Roger Thompson, AVG's chief research officer. AVG came up with its tally by counting the number of reports from its LinkScanner software, a free browser add-on that detects potentially poisoned pages.
"It was stunning, really, the number," said Thompson in an interview via instant message late Monday. "And stunning that it was not viral or wormy [but that] Facebook did it all by itself."
The volume of reports on Saturday's rogue Facebook software was highest during the nine-hour period between midnight and 9 a.m. Eastern, with spikes of approximately 40,000 per hour coming at 7 a.m. and noon. For the day, AVG received more than 300,000 reports, triple that of AVG's second-most-reported piece of spyware.
According to Thompson, Facebook eradicated the rogue application about 15 hours after the attack started. Facebook's only acknowledgment of the attack came on its security page, where a "Tip of the Week" Monday morning read: "Don't click on suspicious-looking links, even if they've been sent or posted by friends."
But other security firms also noted the attack. Both U.K.-based Sophos and U.S. security company Websense dubbed the attack "Sexiest video ever," based on the message that appeared on Facebook users' walls, seemingly from their Facebook friends.
Clicking on the link lead users to a Facebook application installation screen, where users were asked to allow the software to access their profiles and walls. Once approved, the application claimed that users had to download an updated version of FLV Player, a popular free Windows video player.
The download was nothing of the sort, but instead the notorious Hotbar adware , a toolbar that inserts itself into Internet Explorer, then starts displaying pop-up ads and links.
The attack spread as the malicious Facebook app posted the same "Sexiest video ever" message on the walls of victims' friends.
According to Thompson, the massive attack demonstrates the power of large social networking sites.
"Facebook is very responsive to threats when we identify them, and removing these applications as soon as they find them, but they're still able to generate huge traffic, just because of the viral nature of social networks," he said in a statement earlier Monday. "It is staggering how many threats were propagated before they were stopped."
Criminals have recognized the value of abusing Facebook to spread adware, launch identity theft attacks or plant malware on users' PCs. Kaspersky Lab, for example, recently estimated that almost 6% of all identity theft attacks originated from Facebook in the first three months of the year, putting the site in fourth place behind PayPal, eBay and the London-based bank, HSBC.
"This was the first time since we started monitoring that attacks on a social networking site have been so prolific," Kaspersky's report said.
Websense offers a free tool called Defensio that, among other things, protects Facebook pages against spam, unwanted URLs and malicious content.