Van Gogh Museum hit by Facebook scammers

Filed Under: Facebook, Mobile, Rogue applications, Social networks, Spam

The Van Gogh Museum in Amsterdam is famous for having the world's largest collection of Vincent Van Gogh's drawings and paintings. But it has another reason to draw our attention today - scammers have managed to compromise its official Facebook presence.

Regular readers of Sophos's Naked Security site will be only too familiar with the survey scams that plague Facebook, spread usually via rogue applications that have used social engineering to trick innocent users into giving their permission to post to their walls.

What may surprise some is that this isn't just a problem for your personal Facebook pages - it can also affect fan pages which you may administer (for instance, pages which represent your organisation or company).

In other words, if your personal page falls foul of a scam then the bad guys can also automatically post messages to your company Facebook page too - potentially impacting the thousands of fans you have been carefully nurturing.

Van Gogh Mobile upload photo

Clicking on the link takes you to a version of the money-making "I was logged into Facebook for XXXX hours in 2010" scam that we have warned Facebook users about before.

The Van Gogh Museum has posted an update on its page, apologising for the spam messages and asking how it can prevent the abuse happening again:


We're so sorry about the automatic spam messages that seem to keep on appearing on this page about the hours we've been logged on to Facebook. We did not post these! Does anyone know how we could prevent this happening again?

Normally, it's pretty straightforward to clean up your Facebook account after being hit by a survey scam. I described how to do it in a video I made late last year, where I show how you can clean out rogue applications that you have mistakenly allowed to access your Facebook profile.

I would suggest that all of the Van Gogh Museum's Facebook administrators follow that advice and make sure that they have locked down their Facebook profiles appropriately and chosen hard-to-crack unique passwords.

But there may be another issue.

The scammers have posted messages to the Van Gogh Museum's Facebook page via the Mobile Uploads photo gallery.

That's the facility Facebook supplies to post status updates to your Facebook page remotely, just by sending an email to a unique address (every Facebook account has a specific email address for this purpose).

Upload email

If someone was able to work out the museum's unique email address for uploading mobile photographs then they would be able to post photos (and links to their survey scams) with ease.

It may, therefore, be time for the museum to refresh its mobile upload email address. By the way, it's not clear to me if you can tell Facebook to not allow any email address to be used for mobile uploads, but I would imagine that many institutions would find the permanent blocking of the feature attractive.

There's a lesson here for everybody, of course. If your company runs a Facebook page then you and your administrators will need to be on your toes to prevent harm being done if scammers manage to compromise it.

Learn more about the different threats which Facebook users and companies face by joining the Sophos page on Facebook.

Hat tip: Thanks to Naked Security reader Aniko for informing us about the incident involving the Van Gogh museum.


4 Responses to Van Gogh Museum hit by Facebook scammers

  1. Aras · 1702 days ago

    Isn't it so that all photos uploaded through the email interface end up in the same album, called something like "Mobile uploads" or so? If that is the case, a fix would be to limit the visibility of that album in the privacy settings.

  2. Ayan Jobse · 1699 days ago

    Dear Graham, I suffer from the same spam as the Van Gogh Museum, and your recommendations are unfortunately not useful. This doesn't appear to be an app you can simply remove, and the uploads are not done using the mobile posting e-mail address because then they would be tagged with "by e-mail" on the wall. Instead, they are uploaded into the Mobile uploads folder, which contains photos that were uploaded from the smartphone app...
    That's how far I got, I still don't know how to block this however.

  3. Sylvia · 1697 days ago

    Dear Graham and Ayan, I have the same problem! It is really annoying and I can't wait to find a solution for blocking this. It is exactly like Ayan described it.
    Maybe someone who can help will pass by.

  4. Sylvia · 1697 days ago

    Hey, I found a site where they mention a solution:
    Go to:
    "reset address"
    By this it looks like you get a new upload address and the spam can't reach your FB anymore!!


About the author

Graham Cluley runs his own award-winning computer security blog at, and is a veteran of the anti-virus industry having worked for a number of security companies since the early 1990s. Now an independent security analyst, he regularly makes media appearances and gives computer security presentations. Follow him on Twitter at @gcluley