Facebook has become the latest website to be found pushing services that deliver highly deceptive security warnings designed to trick users into buying software.

Purveyors of this scam are making use of Facebook Flyers (http://www.facebook.com/flyers.php), small ads that get posted on Facebook pages associated with a specific region. At 5,000 impressions for just $10, it's a bargain.

We spotted a Flyer targeted at Facebook users in the San Francisco region that purportedly advertised a dating service. When clicked, the ad delivered a warning that our machine could be infected. Those who click through are taken to a site for a product called Malware Alarm which informs their machine is "infected with spyware!" The site then urges the user to download Malware Alarm.

Security vendors say Malware Alarm's free version gives bogus security warnings designed to con end users into buying a premium version of the program. The software has been reported to flag common Windows files and innocuous programs as malware.

Facebook isn't the only site that's been found to push such "crudware," as we've come to call programs such as Malware Alarm. Last week (http://www.theregister.com/2007/07/04/security_blog_pushes_crudware/), a security researcher's blog hosted on Blogspot was found to also found to redirect users to a site associated with Malware Alarm. MSN (http://www.theregister.com/2007/02/21/msn_messenger_scareware/) and MySpace (http://www.theregister.com/2007/01/24/myspace_accusation/) have also been found promoting the programs, which also go by the term scareware.

While there are no reports showing Malware Alarm steals passwords, sends out spam or engages in other malicious activity, the program is considered a pariah in security circles. The ability of its purveyors to infiltrate Facebook's advertising system raises questions about what else may be slipping through the cracks at the social networking site.

We contacted a Facebook representative to see if they were even aware of the problem but didn't get a response. ®

Related stories

Ex-anti-virus chief in spyware scareware scam charges (4 March 2008)
http://www.channelregister.co.uk/2008/03/04/south_korea_scareware_fraud_charges/
Scareware scammers target Mac users (15 January 2008)
http://www.channelregister.co.uk/2008/01/15/mac_scareware_scam/
Facebook CEO capitulates (again) on Beacon (6 December 2007)
http://www.theregister.co.uk/2007/12/06/facebook_capitulation/
Alicia Keys hit by MySpace Trojan hack (9 November 2007)
http://www.channelregister.co.uk/2007/11/09/myspace_trojan_hack/
Grass up romantic sadsacks for only $4.99 a month (25 October 2007)
http://www.theregister.co.uk/2007/10/25/playerblock/
Real Media attacks real people via RealPlayer (23 October 2007)
http://www.channelregister.co.uk/2007/10/23/real_media_serves_malware/
Crudware pusher to pay $25,000 to settle charges (11 October 2007)
http://www.channelregister.co.uk/2007/10/11/crudware_pusher_settles/
Facebook application hawks your personal opinions for cash (12 September 2007)
http://www.channelregister.co.uk/2007/09/12/facebook_compare_people/
Yahoo feeds Trojan-laced ads to MySpace and PhotoBucket users (11 September 2007)
http://www.channelregister.co.uk/2007/09/11/yahoo_serves_12million_malware_ads/
Trade unions demand right to Facebook (30 August 2007)
http://www.theregister.co.uk/2007/08/30/tuc_facebook/
Siphoning MySpace tunes using Safari (25 August 2007)
http://www.theregister.co.uk/2007/08/25/siphoning_myspace_tunes_with_safari/
US pokes intelligence agencies into Web 2.0 overhaul (22 August 2007)
http://www.theregister.co.uk/2007/08/22/spook_myspace_facebook_community/
Student reprimands Facebook for bad manners and exposed code (14 August 2007)
http://www.channelregister.co.uk/2007/08/14/new_facebook_code_leak/
Many Facebook users expose all to strangers (14 August 2007)
http://www.channelregister.co.uk/2007/08/14/facebook_user_survey/
Facebook quells fears over code leak snafu (13 August 2007)
http://www.channelregister.co.uk/2007/08/13/facebook_code_leak/
Vodafone pulls Facebook ads (3 August 2007)
http://www.theregister.co.uk/2007/08/03/vodaphone_facebook_bnp/
Social networks to replace imagination and be woven into clothes (2 August 2007)
http://www.channelregister.co.uk/2007/08/02/ringtones_will_save_social_networking/
Facebook security glitch exposes user in-boxes (31 July 2007)
http://www.channelregister.co.uk/2007/07/31/facebook/
VXers publish blog poisoning tool (30 July 2007)
http://www.channelregister.co.uk/2007/07/30/blog_poisoning_tool/
Judge questions theft claims of Facebook rival (26 July 2007)
http://www.theregister.co.uk/2007/07/26/facebook_misappropriation_hearing/
Facebook in court over IP theft allegations (25 July 2007)
http://www.theregister.co.uk/2007/07/25/facebook_goes_to_court/
Facebook buys Firefox startup (23 July 2007)
http://www.theregister.co.uk/2007/07/23/facebook_firefox_parakey/
Spammers dump images, switch to PDF files (23 July 2007)
http://www.channelregister.co.uk/2007/07/23/spammers_switch_to_pdf/
Your boss could own your Facebook profile (16 July 2007)
http://www.theregister.co.uk/2007/07/16/social_networking_profiles_company_property/
Security consultant's blog found pushing crudware (4 July 2007)
http://www.channelregister.co.uk/2007/07/04/security_blog_pushes_crudware/
US House passes another anti-spyware bill (7 June 2007)
http://www.channelregister.co.uk/2007/06/07/anti-spyware_legislation_passed/
Judge pours generous portion of cold water on Zango (6 June 2007)
http://www.channelregister.co.uk/2007/06/06/zango_request_denied/
Adware poses as ActiveX control (17 April 2007)
http://www.channelregister.co.uk/2007/04/17/adware_activex_control/
MSN punts 'scareware' (21 February 2007)
http://www.channelregister.co.uk/2007/02/21/msn_messenger_scareware/
Silence and 'scareware' epidemic at MySpace (27 January 2007)
http://www.channelregister.co.uk/2007/01/27/myspace_scareware_myscare/
MySpace slams ad networks over 'scareware' (24 January 2007)
http://www.theregister.co.uk/2007/01/24/myspace_accusation/
Bogus anti-spyware firm fined $1m (5 December 2006)
http://www.channelregister.co.uk/2006/12/05/washington_anti-spware_lawsuit/