Story image

Cybercriminals use verified API token to generate Facebook spam comments

28 Apr 17

Security and compliance company Proofpoint has discovered the API access token for a legitimate, verified Facebook app being used to generate comment spam on Facebook pages.

In exchange for more ‘likes’ and comments on their own timelines, users are enticed to provide the app’s access token to a third-party website, the controllers of which leverage the provided access to form a large social spam botnet.

“Social media provides a unique opportunity to directly reach large audiences,” Proofpoint digital risk vice president Dan Nadir says.

“If cybercriminals put a malicious link on a popular social media page, the attacker’s ability to reach a larger audience grows exponentially.” 

In this scheme, attackers exploit an earlier version of the Facebook API and a legitimate but outdated version of a third-party app.

Proofpoint observed an example of this activity in the social media presence of a Proofpoint customer, a major media outlet, which was the target of large spam attacks posting continuously on its Facebook page.

The media company’s Facebook page was hit with tens of thousands of comments from just the botnet masquerading as the HTC Sense Facebook app; well over half of the messages on their page have been spam.

Spam postings were able to continue for roughly eight hours before Facebook removed the account’s access.

A number of spam comments on the Facebook page in question made reference to various domains that all contained instructions on how to install the Facebook bot on individual accounts using the HTC Sense Facebook app.

“Developers often maintain legacy versions of apps to support older operating systems and hardware, opening the door to the kinds of threat we saw here, even when the apps don’t have a vulnerability to exploit that could give someone elevated access,” says Nadir.

“It raises important questions about obsolescence, upgrades, and versioning that all developers and organizations need to consider,” he adds.

Royole's FlexPai: So bendable phablets are a reality now
A US-based firm called Royole is delivering on that age-old problem of not being able to fold up your devices (who hasn't ever wished they could fold their phone up...)
Hands-on review: Having fun in Knowledge is Power: Decades and Chimparty
They don’t revolutionise social video gaming, but they are enjoyable enough to occupy you during a wet weekend. 
Kiwis losing $24.7mil to scam calls every year
The losses are almost five times higher compared to the same period last year, from reported losses alone.
Tile's Mate & Pro Bluetooth trackers land in NZ
If your car keys (or your tablet) have disappeared into the void at the back of the couch or if you left them somewhere in your car, retracing your steps to find them could be a thing of the past.
Government still stuck in the past? Not on GovTech's watch
What exactly is GovTech and what’s been happening in our capital city?
"Is this for real?" The reality of fraud against New Zealanders
Is this for real? More often than not these days it can be hard to tell, and it’s okay to be a bit suspicious, especially when it comes to fraud.
Hands-on review: The iPhone Xs
The iPhone Xs is a win that brought numerous new and exciting features to the market.
How much does your Amazon Prime Video subscription really get you?
For our NZ$8.90 per month, the average cost per title is US$0.00126 - but we only really get a choice of 416 TV shows and 4321 movies. Choice is a little bit limited compared to other countries.