The Van Gogh Museum in Amsterdam is famous for having the world’s largest collection of Vincent Van Gogh’s drawings and paintings. But it has another reason to draw our attention today – scammers have managed to compromise its official Facebook presence.
Regular readers of Sophos’s Naked Security site will be only too familiar with the survey scams that plague Facebook, spread usually via rogue applications that have used social engineering to trick innocent users into giving their permission to post to their walls.
What may surprise some is that this isn’t just a problem for your personal Facebook pages – it can also affect fan pages which you may administer (for instance, pages which represent your organisation or company).
In other words, if your personal page falls foul of a scam then the bad guys can also automatically post messages to your company Facebook page too – potentially impacting the thousands of fans you have been carefully nurturing.
Clicking on the link in the scam post takes you to a version of the money-making “I was logged into Facebook for XXXX hours in 2010” scam that we have warned Facebook users about before.
The Van Gogh Museum has posted an update on its page, apologising for the spam messages and asking how it can prevent the abuse happening again:
We’re so sorry about the automatic spam messages that seem to keep on appearing on this page about the hours we’ve been logged on to Facebook. We did not post these! Does anyone know how we could prevent this happening again?
Normally, it’s pretty straightforward to clean up your Facebook account after being hit by a survey scam. I described how to do it in a video I made late last year, where I show how you can clean out rogue applications that you have mistakenly allowed to access your Facebook profile.
I would suggest that all of the Van Gogh Museum’s Facebook administrators follow that advice and make sure that they have locked down their Facebook profiles appropriately and chosen hard-to-crack unique passwords.
But there may be another issue.
The scammers have posted messages to the Van Gogh Museum’s Facebook page via the Mobile Uploads photo gallery.
That’s the facility Facebook supplies to post status updates to your Facebook page remotely, just by sending an email to a unique address (every Facebook account has a specific email address for this purpose).
If someone were able to work out the museum’s unique email address for uploading mobile photographs, they would be able to post photos (and links to their survey scams) with ease.
It may, therefore, be time for the museum to refresh its mobile upload email address. By the way, it’s not clear to me if you can tell Facebook to not allow any email address to be used for mobile uploads, but I would imagine that many institutions would find the permanent blocking of the feature attractive.
There’s a lesson here for everybody, of course. If your company runs a Facebook page, then you and your administrators will need to be on your toes to prevent harm being done if scammers manage to compromise it.
Hat tip: Thanks to reader Aniko for informing us about the incident involving the Van Gogh Museum.