
Cybercriminals use verified API token to generate Facebook spam comments

28 Apr 2017

Security and compliance company Proofpoint has discovered the API access token for a legitimate, verified Facebook app being used to generate comment spam on Facebook pages.

In exchange for more ‘likes’ and comments on their own timelines, users are enticed to provide the app’s access token to a third-party website, the controllers of which leverage the provided access to form a large social spam botnet.

“Social media provides a unique opportunity to directly reach large audiences,” Proofpoint digital risk vice president Dan Nadir says.

“If cybercriminals put a malicious link on a popular social media page, the attacker’s ability to reach a larger audience grows exponentially.” 

In this scheme, attackers exploit an earlier version of the Facebook API and a legitimate but outdated version of a third-party app.

Proofpoint observed an example of this activity in the social media presence of a Proofpoint customer, a major media outlet, which was the target of large spam attacks posting continuously on its Facebook page.

The media company’s Facebook page was hit with tens of thousands of comments from this botnet alone, all posted under the identity of the HTC Sense Facebook app; well over half of the messages on the page were spam.

Spam postings were able to continue for roughly eight hours before Facebook removed the account’s access.

A number of spam comments on the Facebook page in question made reference to various domains that all contained instructions on how to install the Facebook bot on individual accounts using the HTC Sense Facebook app.
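The pattern the article describes (a single app identity responsible for a continuous flood of comments, most of the page's recent comments coming from it, and the comments pointing readers at domains that host the bot installer) is something a page owner's own monitoring can flag well before eight hours pass. The Python below is an added example, not Proofpoint's tooling or anything from the article. It assumes the page's comments have been exported into records that carry the posting app, a timestamp and the message text (the field names `app`, `created_time` and `message`, the app names, and the sample data are all constructed for this example; the placeholder domains are not the ones observed in the attack). It reports apps that exceed a per-hour comment threshold, the share of the page's comments those apps account for, and the domains their comments reference.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta
from urllib.parse import urlparse

# Matches either a full http(s) URL or a bare hostname such as "bot-site.example/go".
URL_RE = re.compile(r"https?://[^\s'\"<>]+|\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.I)


def extract_domains(message):
    """Return the set of hostnames referenced in a comment body."""
    found = set()
    for match in URL_RE.findall(message):
        url = match if match.lower().startswith("http") else "http://" + match
        host = urlparse(url).hostname
        if host:
            found.add(host.lower())
    return found


def burst_apps(comments, window=timedelta(hours=1), threshold=100):
    """Return {app: peak_count} for every app whose comments in some sliding
    window of length `window` reach `threshold`. Two-pointer sweep per app."""
    by_app = defaultdict(list)
    for c in comments:
        by_app[c["app"]].append(datetime.fromisoformat(c["created_time"]))
    flagged = {}
    for app, times in by_app.items():
        times.sort()
        peak, lo = 0, 0
        for hi, t in enumerate(times):
            while t - times[lo] > window:   # drop timestamps that fell out of the window
                lo += 1
            peak = max(peak, hi - lo + 1)
        if peak >= threshold:
            flagged[app] = peak
    return flagged


def spam_share(comments, flagged_apps):
    """Fraction of all comments posted by the flagged apps."""
    if not comments:
        return 0.0
    return sum(1 for c in comments if c["app"] in flagged_apps) / len(comments)


def spam_domains(comments, flagged_apps):
    """Count the domains referenced by comments from flagged apps."""
    counter = Counter()
    for c in comments:
        if c["app"] in flagged_apps:
            counter.update(extract_domains(c["message"]))
    return counter


def build_sample():
    """Constructed data: 240 bot comments (one every 30 s for two hours) posted
    under one app identity, mixed with 20 genuine comments from another app."""
    start = datetime(2017, 4, 20, 10, 0, 0)
    comments = []
    for i in range(240):
        if i % 2 == 0:
            link = "http://spam-one.example/install"      # placeholder domain
        else:
            link = "spam-two.example/bot"                 # bare hostname, placeholder
        comments.append({
            "app": "HTC Sense",                           # app identity the bot posts under
            "created_time": (start + timedelta(seconds=30 * i)).isoformat(),
            "message": f"Want more likes? Install the bot at {link}",
        })
    for i in range(20):
        comments.append({
            "app": "Facebook for Android",                # assumed name for a normal client
            "created_time": (start + timedelta(minutes=6 * i)).isoformat(),
            "message": "Thanks for the article",
        })
    return comments


def report(comments, threshold=100):
    flagged = burst_apps(comments, threshold=threshold)
    return {
        "flagged_apps": flagged,
        "spam_share": round(spam_share(comments, flagged), 3),
        "domains": dict(spam_domains(comments, flagged)),
    }


if __name__ == "__main__":
    print(report(build_sample()))
```

The threshold is the tunable part: a busy page legitimately receives bursts from the main Facebook clients, so the useful signal is a single third-party app identity dominating the comment stream, combined with a small set of domains repeated across its comments. Those domains are what a page owner would submit for blocking and what an investigator would pivot on; note that the posting app shown on a comment is the abused legitimate app, not the operator's own, so blocking by app name alone would also block genuine users of that app.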

“Developers often maintain legacy versions of apps to support older operating systems and hardware, opening the door to the kinds of threat we saw here, even when the apps don’t have a vulnerability to exploit that could give someone elevated access,” says Nadir.

“It raises important questions about obsolescence, upgrades, and versioning that all developers and organizations need to consider,” he adds.
