Toni, one of the members of the Sophos Facebook page, just got in touch with me asking if I’d seen the latest scam spreading virally across the social network.
Users are seeing messages posted by their online friends about teen popstar Miley Cyrus. They look like the following:
SICK! I lost all respect for Miley Cyrus when I saw this photo
We have seen a number of different URLs being used in the messages, but they all redirect to a page which shows a traffic sign-like image of the word “respect” crossed out in red.
The page also says “SICK! I lost all respect for Miley Cyrus when I saw this photo” followed by a large flashing graphical button labelled “CLICK HERE” under the message “Please click here, then ALLOW to see the photo.”
Regular readers of Naked Security like Toni will already be smelling something fishy at this point, but there will inevitably be some Facebook users who will feel compelled to explore further.
I’ll save you the trouble of risking your Facebook account, by explaining what happens next.
If you do click on the “CLICK HERE” button you will be taken to a standard Facebook application permissions dialog, which asks for you to approve the third-party app to access your personal data, send you emails, post status messages and pictures to your wall.
It’s hard to believe that people would allow this to happen, but if you’re desperate to see a picture of Miley Cyrus which will make you lose all respect for her (the mind boggles..) then you may well click further on.
Unfortunately continuing is a mistake, as you will be lead directly to a CPALead survey, which earns the scammers money every time one of their dumb questionnaires is answered.
The scammers only need a few people to complete their survey to make it financially worthwhile to build rogue applications like this – that’s why there are so many of them. If only Facebook took a tougher line about the applications it allowed on its network.
If you’ve been hit by a scam like this, remove references to it from your newsfeed, and revoke the right of rogue applications to access your profile via Account/ Privacy Settings/ Applications and Websites.
Here’s a quick YouTube video where I show you how to clean-up your Facebook account from such an attack:
(Enjoy this video? You can check out more on the SophosLabs YouTube channel and subscribe if you like)
If you’re a member of Facebook and want to learn more about security threats you should join the thriving community on the Sophos Facebook page.
Do you think Facebook is doing enough to stamp out survey scams like this, or is it the fault of the Facebook users themselves? Let us know what you think by leaving a comment below.