Is a Facebook security hole helping hackers spread iPhone 4 spam?

Graham Cluley
Graham Cluley
@
@[email protected]
@gcluley

Is a security weakness on Facebook allowing cybercriminals to post spam messages directly onto users’ walls?

Overnight, a number of users have been seen posting messages like the following on their Facebook
walls:

Apple is giving away 1000 Iphone4s i just got mines =)

Apple is giving away 1000 iPhone4s I just got mines =)

Sign up to our free newsletter.
Security news, advice, and tips.

Of course, Apple isn’t really giving away 1000 iPhone 4 smartphones, and clicking on the link takes you to a website which promotes a “make money fast” scheme, attempting to recruit home workers.

Tempted? I didn’t think you would be. But maybe some users in these cash-strapped times would be interested in discovering how they could make some extra pennies.

Even if you aren’t interested, you’ll find that the webpage is pretty determined for you not to leave without signing-up..

What’s particularly interesting is that this latest wave of spam messages say they were posted “via Email”.

That’s the facility Facebook supplies to post status updates to your Facebook page remotely, just by sending an email to a unique address (every Facebook account has a specific email address for this purpose).

Upload email

My guess is that the facility may have been compromised, and scammers have found a way to update users’ statuses of users by sending an email message directly to their walls.

We saw an attack apparently using the same technique last month, posting messages from users’ accounts saying that they had claimed a free iPhone.

Again, on that occasion, users ended up being taken to a “make money fast” website.

We have sent a message to Facebook’s security team, asking them to look into this latest attack. Hopefully they will be able to shut it down, and investigate if a security flaw exists.

You must think before you click on links on Facebook. If something sounds too good to be true, it probably is. You can learn more about security threats on the social network and elsewhere on the internet, join the Sophos Facebook page.


Graham Cluley is an award-winning keynote speaker who has given presentations around the world about cybersecurity, hackers, and online privacy. A veteran of the computer security industry since the early 1990s, he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows, makes regular media appearances, and is the co-host of the popular "Smashing Security" podcast. Follow him on Twitter, Mastodon, Threads, Bluesky, or drop him an email.

What do you think? Leave a comment

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.