Is a Facebook security hole helping hackers spread iPhone 4 spam?

Is a security weakness on Facebook allowing cybercriminals to post spam messages directly onto users’ walls?

Overnight, a number of users have been seen posting messages like the following on their Facebook

Apple is giving away 1000 Iphone4s i just got mines =)

Apple is giving away 1000 iPhone4s I just got mines =)

Of course, Apple isn’t really giving away 1000 iPhone 4 smartphones, and clicking on the link takes you to a website which promotes a “make money fast” scheme, attempting to recruit home workers.

Tempted? I didn’t think you would be. But maybe some users in these cash-strapped times would be interested in discovering how they could make some extra pennies.

Even if you aren’t interested, you’ll find that the webpage is pretty determined for you not to leave without signing-up..

What’s particularly interesting is that this latest wave of spam messages say they were posted “via Email”.

That’s the facility Facebook supplies to post status updates to your Facebook page remotely, just by sending an email to a unique address (every Facebook account has a specific email address for this purpose).

Upload email

My guess is that the facility may have been compromised, and scammers have found a way to update users’ statuses of users by sending an email message directly to their walls.

We saw an attack apparently using the same technique last month, posting messages from users’ accounts saying that they had claimed a free iPhone.

Again, on that occasion, users ended up being taken to a “make money fast” website.

We have sent a message to Facebook’s security team, asking them to look into this latest attack. Hopefully they will be able to shut it down, and investigate if a security flaw exists.

You must think before you click on links on Facebook. If something sounds too good to be true, it probably is. You can learn more about security threats on the social network and elsewhere on the internet, join the Sophos Facebook page.