Van Gogh Museum hit by Facebook scammers

Graham Cluley
Graham Cluley
@
@[email protected]
@gcluley

Van GoghThe Van Gogh Museum in Amsterdam is famous for having the world’s largest collection of Vincent Van Gogh’s drawings and paintings. But it has another reason to draw our attention today – scammers have managed to compromise its official Facebook presence.

Regular readers of Sophos’s Naked Security site will be only too familiar with the survey scams that plague Facebook, spread usually via rogue applications that have used social engineering to trick innocent users into giving their permission to post to their walls.

What may surprise some is that this isn’t just a problem for your personal Facebook pages – it can also affect fan pages which you may administer (for instance, pages which represent your organisation or company).

In other words, if your personal page falls foul of a scam then the bad guys can also automatically post messages to your company Facebook page too – potentially impacting the thousands of fans you have been carefully nurturing.

Van Gogh Mobile upload photo

Clicking on the link takes you to a version of the money-making “I was logged into Facebook for XXXX hours in 2010” scam that we have warned Facebook users about before.

The Van Gogh Museum has posted an update on its page, apologising for the spam messages and asking how it can prevent the abuse happening again:

Click for larger version

We’re so sorry about the automatic spam messages that seem to keep on appearing on this page about the hours we’ve been loged on to facebook. We did not post these! Does anyone know how we could prevent this happening again?

Normally, it’s pretty straight forward to clean-up your Facebook account after being hit by a survey scam. I described how to do it in a video I made late last year, where I show how you can clean out rogue applications that you have mistakenly allowed to access your Facebook profile.

I would suggest that all of the Van Gogh Museum’s Facebook administrators follow that advice and make sure that they have locked down their Facebook profiles appropriately and chosen hard-to-crack unique passwords.

But there may be another issue.

Sign up to our free newsletter.
Security news, advice, and tips.

The scammers have posted messages to the Van Gogh Museum’s Facebook page via the Mobile Uploads photo gallery.

That’s the facility Facebook supplies to post status updates to your Facebook page remotely, just by sending an email to a unique address (every Facebook account has a specific email address for this purpose).

Upload email

If someone was able to work out the museum’s unique email address for uploading mobile photographs then they would be able to post photos (and links to their survey scams) with ease.

It may, therefore, be time for the museum to refresh its mobile upload email address. By the way, it’s not clear to me if you can tell Facebook to not allow any email address to be used for mobile uploads, but I would imagine that many institutions would find the permanent blocking of the feature attractive.

There’s a lesson here for everybody, of course. If your company runs a Facebook page then you and your administrators will need to be on their toes to prevent harm being done if scammers manage to compromise it.

Hat tip: Thanks to reader Aniko for informing us about the incident involving the Van Gogh museum.


Graham Cluley is an award-winning keynote speaker who has given presentations around the world about cybersecurity, hackers, and online privacy. A veteran of the computer security industry since the early 1990s, he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows, makes regular media appearances, and is the co-host of the popular "Smashing Security" podcast. Follow him on Twitter, Mastodon, Threads, Bluesky, or drop him an email.

What do you think? Leave a comment

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.