Van Gogh Museum fan page hit by Facebook scammers, Sophos reports
February 2011 by Sophos
Sophos is advising businesses to review their Facebook security practices, following news that the Facebook page for the Van Gogh Museum in Amsterdam has been targeted by scammers.
Messages were posted on the compromised page, including links to a version of the money-making scam "I was logged into Facebook for XXXX hours in 2010" that Sophos has previously warned Facebook users about.
The Van Gogh Museum has posted an update on its page, apologising for the spam messages and asking how it can prevent the abuse happening again:
"We're so sorry about the automatic spam messages that seem to keep on appearing on this page about the hours we've been logged on to Facebook. We did not post these! Does anyone know how we could prevent this happening again?"
On this occasion, the scammers appear to have posted messages to the Van Gogh Museum's Facebook page via the 'Mobile Uploads' photo gallery.
This facility allows Facebook users to post status updates to a Facebook page remotely by sending an email to a unique address - every Facebook account has a specific email address for this purpose.
"If someone was able to work out the museum’s unique email address for uploading mobile photographs, then they would be able to post photos - and links to their survey scams - with ease," said Graham Cluley, senior technology consultant at Sophos. "It may, therefore, be time for the museum to refresh its mobile upload email address."
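A page administrator who suspects the email-upload channel is being abused wants a quick way to triage recent posts: which ones arrived through that channel, and which carry the scam wording or links off the page's own domains. The script below is an added example written for this article; it is not Sophos's or Facebook's code. It assumes a hypothetical export of page posts with a `source` field naming the posting channel (`"web"` or `"mobile_email"`), a constructed set of sample posts, and a constructed allowlist of trusted domains.

```python
import re
from dataclasses import dataclass
from urllib.parse import urlparse

# Hypothetical export record for one page post (assumption: a real export
# would need mapping onto these fields).
@dataclass
class PagePost:
    post_id: str
    source: str   # channel the post arrived through: "web" or "mobile_email"
    author: str
    text: str

# Constructed allowlist: domains the page itself is expected to link to.
TRUSTED_DOMAINS = {"vangoghmuseum.nl", "facebook.com"}

# Wording of the survey scam mentioned in the article.
SCAM_PHRASES = [re.compile(r"logged into facebook for \S+ hours", re.IGNORECASE)]

URL_RE = re.compile(r"https?://\S+")


def suspicious_urls(text):
    """Return the URLs in `text` whose host is not on the trusted allowlist."""
    flagged = []
    for url in URL_RE.findall(text):
        host = (urlparse(url).hostname or "").lower()
        trusted = any(host == d or host.endswith("." + d) for d in TRUSTED_DOMAINS)
        if not trusted:
            flagged.append(url)
    return flagged


def flag_posts(posts):
    """Triage posts; returns a list of (post_id, reasons) for suspicious ones.

    A post is flagged when it matches known scam wording, or when it came in
    through the email-upload channel and links to an untrusted domain. Posts
    from the email channel are noted in the reasons so the administrator can
    see whether rotating the upload address would cut off the source.
    """
    results = []
    for p in posts:
        reasons = []
        phrase_hit = any(rx.search(p.text) for rx in SCAM_PHRASES)
        bad_links = suspicious_urls(p.text)
        via_email = p.source == "mobile_email"
        if phrase_hit:
            reasons.append("matches known survey-scam wording")
        if bad_links and (via_email or phrase_hit):
            reasons.append("links to untrusted domain(s): " + ", ".join(bad_links))
        if reasons and via_email:
            reasons.append("arrived via email-upload channel")
        if reasons:
            results.append((p.post_id, reasons))
    return results


# Constructed sample posts for a stand-alone run.
SAMPLE_POSTS = [
    PagePost("p1", "web", "museum",
             "New exhibition opens Friday: https://www.vangoghmuseum.nl/exhibitions"),
    PagePost("p2", "mobile_email", "museum",
             "I was logged into Facebook for 1,234 hours in 2010! Check yours: "
             "http://example.net/hours-scam"),
    PagePost("p3", "mobile_email", "museum", "Photo from the gallery this afternoon."),
    PagePost("p4", "web", "museum", "Nice write-up at http://example.org/article"),
]

if __name__ == "__main__":
    for post_id, reasons in flag_posts(SAMPLE_POSTS):
        print(post_id, "->", "; ".join(reasons))
```

Only post `p2` is flagged in the sample: it matches the scam wording, links off the allowlist, and came in through the email channel, which is the combination the article describes. Post `p4` links to an untrusted domain but was posted normally, so it is left for a human rather than flagged automatically; tighten that rule if the page never links outside its own sites.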
Firms using Facebook are advised to implement strict security best practices to reduce the chances of falling victim to survey scams and spam campaigns that could affect other Facebook users.
"All of the Van Gogh Museum’s Facebook administrators will need to clean out any rogue applications that they may have mistakenly allowed to access their Facebook profiles, and make sure that they have chosen hard-to-crack unique passwords," added Cluley.