Greek researchers show how Facebook applications can be used in attacks

Sep 5, 2008 12:20 GMT

A group of researchers from the Foundation for Research & Technology Hellas, Institute of Computer Science, Greece, has demonstrated the threats that can be carried out through Facebook applications. The scientists created a simple application, called “Picture of the Day,” which promised to display one impressive National Geographic picture a day.

The scientists managed to prove what they had suspected from the beginning – that people are enthusiastic about any new gadget, allow themselves to be blinded by it, and forget to take even minimal protection measures against threats. The same happened to the subjects of this particular experiment, who did not know that they were in fact being tracked. Whenever someone clicked on the image, their computer became a bot in a network controlled by the researchers.

“We have placed special code in the application’s source code, so that every time a user views the photo, HTTP requests are generated towards a victim host. More precisely, the application embeds four hidden frames with inline images hosted at the victim. Each time the user clicks inside the application, the inline images are fetched from the victim, causing the victim to serve a request of 600 Kbytes, but the user is not aware of that fact (the images are never displayed),” the team explained in a recently issued report.

Although the Greek researchers did not advertise the app they had created in any way, word of “Picture of the Day” made the rounds among their colleagues and then spread unexpectedly fast. In the first few days of the experiment, the machines of approximately 1,000 unwary people from all over the world became bots.

“We have shown that applications that live inside a social network can easily and very quickly attract a large user-base (in the order of millions of users) that can be redirected to attack a victim host. We experimentally determined the user-base to be highly distributed, and of a world-wide scale. Finally, we have shown that the victim of a FaceBot attack may be subject to an attack that will cause it to serve data of the magnitude of GigaBytes per day,” the researchers said, underscoring that their own attack had been virtually harmless, which is certainly not the case with a real botnet offensive.
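The mechanism the report describes (hidden inline images fetched from the victim on every click) and the distributed, world-wide user base it measured both leave traces in the victim's own web-server logs. The following is an added detection example, not code from the researchers or from the article: it aggregates combined-format access-log lines by third-party Referer host and flags hosts whose hotlinked fetches come from many distinct clients and add up to a large volume. The log lines, the app URL and the thresholds are constructed for illustration.

```python
import re
from collections import defaultdict
from urllib.parse import urlparse

# Constructed combined-format access-log lines (hypothetical app URL, not the real one).
def _line(ip, path, size, referer):
    return (f'{ip} - - [05/Sep/2008:12:00:00 +0000] "GET {path} HTTP/1.1" '
            f'200 {size} "{referer}" "Mozilla/5.0"')

APP_REF = "http://apps.facebook.com/picture-of-the-day/"  # assumed third-party app page
SAMPLE_LOG = "\n".join(
    # 5 visitors, each click pulls 4 hidden images of 150 KB = 600 KB per click
    [_line(f"203.0.113.{i}", f"/img/hidden{k}.jpg", 153600, APP_REF)
     for i in range(1, 6) for k in range(1, 5)]
    + [_line("198.51.100.7", "/gallery/today.jpg", 90000, "http://www.example.org/gallery/")]
    + [_line("198.51.100.8", "/gallery/today.jpg", 90000, "-")]   # direct request, no referer
)

LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" '
                    r'(\d{3}) (\d+|-) "([^"]*)" "[^"]*"$')

def hotlink_stats(log_text, own_hosts):
    """Bytes served, distinct client IPs and paths, grouped by third-party Referer host."""
    stats = defaultdict(lambda: {"bytes": 0, "clients": set(), "paths": set()})
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        ip, _method, path, status, size, referer = m.groups()
        if status != "200" or size == "-":
            continue                      # only successful, sized responses count
        host = urlparse(referer).hostname  # None for "-" (direct) requests
        if host is None or host in own_hosts:
            continue                      # our own pages embedding our images are fine
        s = stats[host]
        s["bytes"] += int(size)
        s["clients"].add(ip)
        s["paths"].add(path)
    return stats

def flag_amplifiers(log_text, own_hosts, min_bytes=1_000_000, min_clients=3):
    """Referer hosts that drive large, widely distributed hotlink traffic at this server.
    Returns [(host, total_bytes, distinct_clients, sorted_paths)] sorted by bytes."""
    hits = [(h, s["bytes"], len(s["clients"]), sorted(s["paths"]))
            for h, s in hotlink_stats(log_text, own_hosts).items()
            if s["bytes"] >= min_bytes and len(s["clients"]) >= min_clients]
    return sorted(hits, key=lambda r: r[1], reverse=True)
```

On a real server the thresholds should be set from the site's normal hotlink baseline; the distinct-client count is what separates a distributed FaceBot-style fetch pattern from a single misbehaving scraper.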