Price of a Facebook malware toolkit falls to just $25.00

According to researchers with Websense's Security Labs operation, the DIY toolkit offers a template for spreading malware, directing users to click-fraud accounts and pushing Facebook users to bogus surveys designed to hijack personal information.

The IT security vendor claims that, over the last weekend, a viral rogue app campaign – Facebook Creeps – hit Facebook and, like many other rogue applications before it, promises to do what Facebook normally doesn't allow any app to do, namely allow users to know who is looking at their profile.

But, say researchers in the latest Websense security blog, users are still being tricked into installing apps that promise to do just this.

"And just like most others, the latest one leads to a survey that in the end generates money for the people behind the app", says Websense.

But here's where it gets interesting, as researchers claim that it is possible to do a lot of nasty things on Facebook if you develop your own apps, which then go off and subvert the Facebook system – provided users click and agree to let the app do what cybercriminals are after.

Perhaps worse, Websense Security Labs claims that buyers of the $25 toolkit don't actually need any development experience with Facebook: they only have to follow the accompanying instructions, and a working viral Facebook application can be at their disposal.

In a rogue Facebook app cited by researchers, the app routes users over to a web survey that generates anywhere between 20 cents and $2.00 for the referrer.

"This phenomenon of template Facebook applications like the Tinie app shows how the spamming culture is consolidating more and more around Facebook, adapting to the platform and increasing what we call Web spam", says Websense.

Commenting on the arrival of a low-cost malware toolkit for Facebook, Paul Vlissidis, technical director at NGS Secure, part of NCC Group, said that everyone is clearly embracing the digital world and is keen to try out the new developments that are appearing on a daily basis.

“Having said this, the ‘download now, ask questions later’ culture is very risky. Applications are easy to access, commonly go viral and a large proportion of them are free of charge – making them even more appealing”, he said.

“Most large companies have the requisite security policies and software in place to not only protect mobile devices but also educate their employees. Only now are they realising how sophisticated hackers are and, as a result, beginning to consider the vulnerability of apps”, he added.
