Is a Facebook security hole helping hackers spread iPhone 4 spam?

Graham Cluley
Graham Cluley
@
@[email protected]
@gcluley

Is a security weakness on Facebook allowing cybercriminals to post spam messages directly onto users’ walls?

Overnight, a number of users have been seen posting messages like the following on their Facebook
walls:

Apple is giving away 1000 Iphone4s i just got mines =)

Apple is giving away 1000 iPhone4s I just got mines =)

Of course, Apple isn’t really giving away 1000 iPhone 4 smartphones, and clicking on the link takes you to a website which promotes a “make money fast” scheme, attempting to recruit home workers.

Tempted? I didn’t think you would be. But maybe some users in these cash-strapped times would be interested in discovering how they could make some extra pennies.

Even if you aren’t interested, you’ll find that the webpage is pretty determined for you not to leave without signing-up..

What’s particularly interesting is that this latest wave of spam messages say they were posted “via Email”.

That’s the facility Facebook supplies to post status updates to your Facebook page remotely, just by sending an email to a unique address (every Facebook account has a specific email address for this purpose).

Upload email

My guess is that the facility may have been compromised, and scammers have found a way to update users’ statuses of users by sending an email message directly to their walls.

We saw an attack apparently using the same technique last month, posting messages from users’ accounts saying that they had claimed a free iPhone.

Again, on that occasion, users ended up being taken to a “make money fast” website.

We have sent a message to Facebook’s security team, asking them to look into this latest attack. Hopefully they will be able to shut it down, and investigate if a security flaw exists.

You must think before you click on links on Facebook. If something sounds too good to be true, it probably is. You can learn more about security threats on the social network and elsewhere on the internet, join the Sophos Facebook page.

Found this article interesting? Follow Graham Cluley on Twitter, Mastodon, or Threads to read more of the exclusive content we post.


Graham Cluley is a veteran of the cybersecurity industry, having worked for a number of security companies since the early 1990s when he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows. Now an independent analyst, he regularly makes media appearances and is an international public speaker on the topic of cybersecurity, hackers, and online privacy. Follow him on Twitter, Mastodon, Threads, Bluesky, or drop him an email.

What do you think? Leave a comment

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.