It used to be that you had mail. Now, on Facebook, you may find that you have a "Secret Crush". The mention started to appear recently on Facebook profile pages and was spotted by UTM vendor Fortinet. To know who actually had a crush on them, users need to install the Secret Crush application, a third-party widget designed for the Facebook application platform.

In a move reminiscent of the best social engineering scams, installing the application is not enough to discover that secret lover. The Crush application first states that it will access the user's personal information and add a host of links and informations to its profile. If granted, it then asks the user to sent five "Secret Crush" himself before his own mysterious admirer is revealed. 

After complying in the hope to finally learn who crushed on them, users will be left with only a web page advertising a "Crush Calculator" application to download. There was no secret lover ever, and the whole scheme was a ploy to bring Facebook users to willingly spread the application and open their personal information to it.  

But there is more : users who actually download the "Crush Calculator" application will find themselves infected by the infamous Zango adware, formerly known as 180Solutions. This will in turn install on the Windows PC, evolving from a purely Web 2.0 social engineering attack to more traditional spyware infection.

The Secret Crush widget author gets paid for each Zango install. According to Fortinet, the widget is already being used by 3% of the Facebook community, which amounts to over one million users. All this took place in a very small timeframe. Of course, it is unknown how many of those users did download the Zango adware upon being tricked at the scam's last stage. But as with any malware scam, strength is in numbers : a few percents of a million users make a decent amount of infections and, in turn, a decent amount of money for the scammer.

 
The Secret Cruch invite on a Facebook profile page. Source : Fortinet.

The ploy is a true Web 2.0 social engineering attack as it relies on the curiosity of users instead of a system vulnerability to spread. Facebook users actually grant it the right to snoop on their personal information, and relies on them to spread over to their friends. 

The tactic is not new, though, as Facebook itself uses a similar trick when a new user signs in. It asks to access his Address Book to automatically send Facebook invitations to the users email contacts. 

Social enginering attacks rely on such voluntary user actions, usually motivated by greed, lust or curiosity. And Web 2.0 attacks are defined by their use of such web application platform and their capability to leverage users relationships to spread. If for anything, this Secret Crush attack is a textbook example of such a  Web 2.0 social attack !