Security and compliance company Proofpoint has discovered the API access token for a legitimate, verified Facebook app being used to generate comment spam on Facebook pages.
In exchange for more ‘likes’ and comments on their own timelines, users are enticed to hand the app’s access token to a third-party website, whose operators then use that access to assemble a large social spam botnet.
“Social media provides a unique opportunity to directly reach large audiences,” Proofpoint digital risk vice president Dan Nadir says.
“If cybercriminals put a malicious link on a popular social media page, the attacker’s ability to reach a larger audience grows exponentially.”
In this scheme, attackers exploit an earlier version of the Facebook API and a legitimate but outdated version of a third-party app.
Proofpoint observed an example of this activity in the social media presence of a Proofpoint customer, a major media outlet, which was the target of large spam attacks posting continuously on its Facebook page.
The media company’s Facebook page was hit with tens of thousands of comments from a single botnet masquerading as the HTC Sense Facebook app; well over half of the messages on the page were spam.
Spam postings were able to continue for roughly eight hours before Facebook removed the account’s access.
A number of spam comments on the Facebook page in question made reference to various domains that all contained instructions on how to install the Facebook bot on individual accounts using the HTC Sense Facebook app.
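The pattern described above, a burst of comments arriving through one posting app and all pointing at the same few domains, is something a page owner can detect from comment metadata alone. The following Python example is added here and is not Proofpoint's tooling or anything from the article; the comment records, the app labels and the domains are constructed for illustration (the "HTC Sense" label is used only because the article names it as the app the botnet impersonated). It flags any posting app whose comment rate in a sliding window exceeds a threshold, tallies the domains linked from that app's comments, and reports what share of all comments came from flagged apps.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta
from urllib.parse import urlparse

# Matches http(s) URLs in comment text; hostnames are extracted with urlparse below.
URL_RE = re.compile(r"https?://[^\s]+", re.IGNORECASE)


def _build_sample():
    """Constructed sample data: (iso timestamp, posting app, comment text).

    10 ordinary comments spread over an hour, plus 30 spam comments posted
    within one minute through an app labelled "HTC Sense", each linking to one
    of two made-up domains. None of this is real captured traffic.
    """
    base = datetime(2014, 5, 1, 10, 0, 0)
    legit = [
        ((base + timedelta(minutes=7 * i)).isoformat(), "Facebook for iPhone",
         f"Interesting piece #{i}")
        for i in range(10)
    ]
    spam_hosts = ["bot-install.example", "free-likes.example"]
    spam = [
        ((base + timedelta(seconds=2 * i)).isoformat(), "HTC Sense",
         f"Get more likes! install at http://{spam_hosts[i % 2]}/setup")
        for i in range(30)
    ]
    return legit + spam


SAMPLE_COMMENTS = _build_sample()


def _parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%S")


def flag_bursting_apps(comments, window_seconds, threshold):
    """Return {app: peak_count} for apps that posted >= threshold comments
    inside any sliding window of window_seconds."""
    window = timedelta(seconds=window_seconds)
    by_app = defaultdict(list)
    for ts, app, _ in comments:
        by_app[app].append(_parse_ts(ts))
    flagged = {}
    for app, times in by_app.items():
        times.sort()
        start, peak = 0, 0
        for end in range(len(times)):
            # Advance the window start until it spans at most window_seconds.
            while times[end] - times[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            flagged[app] = peak
    return flagged


def referenced_domains(comments, app):
    """Count the hostnames linked from comments posted via the given app.
    A burst whose links all resolve to a handful of domains is a strong
    spam indicator and gives the page owner something concrete to block."""
    counts = Counter()
    for _, a, text in comments:
        if a != app:
            continue
        for url in URL_RE.findall(text):
            host = urlparse(url).hostname
            if host:
                counts[host] += 1
    return counts


def spam_ratio(comments, flagged_apps):
    """Share of all comments that came through a flagged app."""
    if not comments:
        return 0.0
    hits = sum(1 for _, a, _ in comments if a in flagged_apps)
    return hits / len(comments)


if __name__ == "__main__":
    flagged = flag_bursting_apps(SAMPLE_COMMENTS, window_seconds=60, threshold=20)
    for app, peak in flagged.items():
        print(f"{app}: {peak} comments in 60s")
        print("  linked domains:", dict(referenced_domains(SAMPLE_COMMENTS, app)))
    print("spam ratio:", spam_ratio(SAMPLE_COMMENTS, set(flagged)))
```

The threshold and window are deliberately parameters: a legitimate app used by a large audience will also produce bursts during a popular post, so tune them against the page's normal traffic, and treat the domain tally as the corroborating signal rather than the rate alone.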
“Developers often maintain legacy versions of apps to support older operating systems and hardware, opening the door to the kinds of threat we saw here, even when the apps don’t have a vulnerability to exploit that could give someone elevated access,” says Nadir.
“It raises important questions about obsolescence, upgrades, and versioning that all developers and organizations need to consider,” he adds.