Cybercriminals use verified API token to generate Facebook spam comments

28 Apr 17

Security and compliance company Proofpoint has discovered the API access token for a legitimate, verified Facebook app being used to generate comment spam on Facebook pages.

In exchange for more ‘likes’ and comments on their own timelines, users are enticed to provide the app’s access token to a third-party website, the controllers of which leverage the provided access to form a large social spam botnet.

“Social media provides a unique opportunity to directly reach large audiences,” Proofpoint digital risk vice president Dan Nadir says.

“If cybercriminals put a malicious link on a popular social media page, the attacker’s ability to reach a larger audience grows exponentially.”

In this scheme, attackers exploit an earlier version of the Facebook API and a legitimate but outdated version of a third-party app.

Proofpoint observed an example of this activity in the social media presence of a Proofpoint customer, a major media outlet, which was the target of large spam attacks posting continuously on its Facebook page.

The media company’s Facebook page was hit with tens of thousands of comments from a single botnet masquerading as the HTC Sense Facebook app; well over half of the messages on the page were spam.

Spam postings were able to continue for roughly eight hours before Facebook removed the account’s access.

A number of spam comments on the Facebook page in question made reference to various domains that all contained instructions on how to install the Facebook bot on individual accounts using the HTC Sense Facebook app.
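A page owner can spot the pattern described above, a burst of comments attributed to one app that all point at a small set of domains, with a simple moderation check. The following is an added example, not Proofpoint's or Facebook's code; the comment record fields (ts, app, text), the thresholds and the sample data are constructed assumptions.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample of page comments; field names are assumptions, not a
# real export format. Domains are placeholders, not real indicators.
SAMPLE_COMMENTS = [
    {"ts": "2017-04-20T10:00:00", "app": "HTC Sense", "text": "Free likes: http://example-bot-site.test/install"},
    {"ts": "2017-04-20T10:00:07", "app": "HTC Sense", "text": "More comments! http://another-bot.test/go"},
    {"ts": "2017-04-20T10:00:15", "app": "HTC Sense", "text": "Install the bot at example-bot-site.test/install"},
    {"ts": "2017-04-20T10:00:20", "app": "HTC Sense", "text": "Boost your timeline http://example-bot-site.test"},
    {"ts": "2017-04-20T10:00:31", "app": "HTC Sense", "text": "Likes likes likes http://another-bot.test"},
    {"ts": "2017-04-20T10:05:00", "app": "Facebook for iPhone", "text": "Great article, thanks"},
    {"ts": "2017-04-20T10:06:00", "app": "Facebook for Android", "text": "Disagree with the headline"},
]

# Loose host matcher (scheme optional); abbreviations like "e.g." can false-match.
URL_RE = re.compile(r"(?:https?://)?([a-z0-9.-]+\.[a-z]{2,})(?:/\S*)?", re.I)

def extract_domains(text):
    """Return the lower-cased domains referenced in one comment body."""
    return {m.group(1).lower() for m in URL_RE.finditer(text)}

def flag_spam_apps(comments, window=timedelta(minutes=1), max_per_window=3, min_link_share=0.5):
    """Flag posting apps whose comments arrive in bursts and mostly carry links.

    Returns {app: {"peak": int, "link_share": float, "domains": Counter}} for
    every app exceeding both thresholds (thresholds are illustrative).
    """
    by_app = defaultdict(list)
    for c in comments:
        by_app[c["app"]].append(c)
    flagged = {}
    for app, items in by_app.items():
        # Peak number of comments from this app inside any sliding window.
        times = sorted(datetime.fromisoformat(c["ts"]) for c in items)
        peak, start = 0, 0
        for end, t in enumerate(times):
            while t - times[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        # Share of comments carrying a link, and which domains they push.
        domains, with_link = Counter(), 0
        for c in items:
            found = extract_domains(c["text"])
            if found:
                with_link += 1
                domains.update(found)
        link_share = with_link / len(items)
        if peak > max_per_window and link_share >= min_link_share:
            flagged[app] = {"peak": peak, "link_share": link_share, "domains": domains}
    return flagged
```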

“Developers often maintain legacy versions of apps to support older operating systems and hardware, opening the door to the kinds of threat we saw here, even when the apps don’t have a vulnerability to exploit that could give someone elevated access,” says Nadir.

“It raises important questions about obsolescence, upgrades, and versioning that all developers and organizations need to consider,” he adds.
