Facebook Token Hijacker Malware Could Post On Your Wall, Create Events Inviting Your Friends
Details of the malware were posted online by Mohammad Faghani, a security researcher and former Carleton University student. Though the malware is sophisticated in technique, it still requires user interaction to spread. It spreads by posting a special offer of free UGG boots, in which the user is asked to post his/her access token after logging into the application. The malware then hijacks the user's token and immediately begins posting on the victim's wall. It also attempts to create an event inviting all of the victim's friends.
This is a little different from a conventional phishing attack, in which a victim's login credentials are saved for future use. The challenge there is bypassing the identity and access management controls when signing in from a new location. This bit of malware, however, hijacks the actual access token and gets to work straight away.
As always, if an offer seems too good to be true, it probably is.