Is a Facebook security hole helping hackers spread iPhone 4 spam?

Filed Under: Apple, Facebook, Mobile, Social networks, Spam

Is a security weakness on Facebook allowing cybercriminals to post spam messages directly onto users' walls?

Overnight, a number of users have been seen posting messages like the following on their Facebook

Apple is giving away 1000 Iphone4s i just got mines =)

Apple is giving away 1000 iPhone4s I just got mines =)

Of course, Apple isn't really giving away 1000 iPhone 4 smartphones, and clicking on the link takes you to a website which promotes a "make money fast" scheme, attempting to recruit home workers.

Tempted? I didn't think you would be. But maybe some users in these cash-strapped times would be interested in discovering how they could make some extra pennies.

Even if you aren't interested, you'll find that the webpage is pretty determined for you not to leave without signing-up..

What's particularly interesting is that this latest wave of spam messages say they were posted "via Email".

That's the facility Facebook supplies to post status updates to your Facebook page remotely, just by sending an email to a unique address (every Facebook account has a specific email address for this purpose).

Upload email

My guess is that the facility may have been compromised, and scammers have found a way to update users' statuses of users by sending an email message directly to their walls.

We saw an attack apparently using the same technique last month, posting messages from users' accounts saying that they had claimed a free iPhone.

Again, on that occasion, users ended up being taken to a "make money fast" website.

We have sent a message to Facebook's security team, asking them to look into this latest attack. Hopefully they will be able to shut it down, and investigate if a security flaw exists.

You must think before you click on links on Facebook. If something sounds too good to be true, it probably is. You can learn more about security threats on the social network and elsewhere on the internet, join the Sophos Facebook page.

, , ,

You might like

10 Responses to Is a Facebook security hole helping hackers spread iPhone 4 spam?

  1. Brian · 1787 days ago

    That would suck, especially if advertised through something as personal as facebook. For one I would suggest better security tecniques. Encryption is something that many websites seem to slack on, but then again many devices do the same by not or only partially supporting the latest security algorithms. Https would be a start throughout the entire site and not just for the initial login. Also better monitoring of accounts and possibly some kind of script to intelligently sniff out these malicious posts or
    links and remove them.

  2. Seba · 1787 days ago

    I also came to notice that facebook link scam is spreading more and more. Facebook should seriously look after this problem. I can't believe people still fall for that kind of scam, though. Maybe you should reccomend this little helper here: . :) Take a look (if you know German that is).

  3. Calum · 1787 days ago

    Facebook & Security seem to be mutually exclusive terms.
    So, how can you rate Facebook on these terms?

  4. Sandy · 1787 days ago

    You should post how to stop this kind of thing when it happens. This is only for those spammed to their wall “via Email” Follow these instructions:
    Go to “Account Settings”….Click on the “Mobile” tab. Then click on “Go to Facebook Mobile” Then click on “Send Me My Upload Email” At the bottom of the paragraph titled “Tips” there is a link to refresh your upload email…click that. Just remember that FB will only allow you to refresh this email only a few times.

  5. Bluezz · 1787 days ago

    Facebook and Security are oxymorons??? They are also an antonym because although they seem incompatible, they fit the criteria of 'inheritness'. It's a given that when you say Facebook, you think insecure/unsafe.

  6. Thank you for this post. The business page that I'm the admin on ( has been affected by this spamming problem since the weekend (4 days and counting). We have reset our "upload via email" address several times since then but the iPhone 4 spamming messages "via email" continue. If you have any more pointers about how to solve this problem we would be extremely grateful. Our Facebook followers were initially sympathetic and are now getting a little angry!

    • Hard to say without seeing your account but one thing I would look at is this...

      Check all the accounts belonging to your page's administrators. Make sure that all of them are squeaky clean (no rogue apps, new carefully-chosen strong passwords that can't be easily broken through brute force, harden your privacy settings, refreshed mobile email addresses)

      You could also contact Facebook security and ask them what on earth is going on..

  7. Desperate · 1783 days ago

    im having the same problem as intelligence, i never even filled out 1 of those survey things... ive reset my email a few times, how can i get it to stop? please help..

    • Maybe it's time to change your password to something unique, and hard-to-guess (NOT a dictionary word).

      Double-check all the applications that have access to your profile, and revoke permissions for any that you don't feel are essential.

      Good luck.

      • Still desperate · 1782 days ago

        i'd say my passwords are pretty good and ive changed it about a dozen times, i dont think there's anyway they could guess it that many times.

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

About the author

Graham Cluley runs his own award-winning computer security blog at, and is a veteran of the anti-virus industry having worked for a number of security companies since the early 1990s. Now an independent security analyst, he regularly makes media appearances and gives computer security presentations. Follow him on Twitter at @gcluley