Facebook birthday T-shirt scam steals secret mobile email addresses

Facebook scams are getting sneakier and sneakier – with the latest attack using the lure of a free T-shirt celebrating Facebook’s birthday in an attempt to steal the secret backdoor key to your account.

The offer seems attractive enough – a webpage claiming to celebrate Facebook’s 7th birthday, saying that it has over 1.9 million official T-shirts in stock.

Facebook birthday t-shirt scam

All you have to do is verify that you are a Facebook user, claims the following webpage. And this is where things get very sneaky.

Facebook birthday t-shirt scam

The webpage tells you to visit Facebook Mobile, and find on that page the personalised email address that you can use to post status updates or upload photos and videos straight to your profile.

Many people are probably unaware that such a thing exists – but every Facebook user has a secret mobile email address they can use for this purpose.

The important thing, of course, is to keep it secret. Because if someone else finds it out, they’ll be able to post status messages to your Facebook page or upload videos and photos to your wall – which your friends will be able to see.

The scammers, unsurprisingly, want your secret mobile email address for Facebook. And so they claim that you have to hand it over to verify you are a legitimate Facebook user in order to get your T-shirt.

The scammers have even had the gall to make a YouTube video showing how to find the secret email address on the Facebook Mobile page, and where to enter it on their form:

The above video is made by a YouTube user called “vicsthedevil” and we have to assume that they are intimately involved in the scam. They posted the video on 5 September, the same day that they registered the website domain name where they are hosting their scam.

Of course, you’re still hoping that you’re going to receive a free T-shirt. So you may not baulk at the idea of completing a survey (which, by the way, earns commission for the scammers) and giving them your snail mail details so they can send through your free gift.

Facebook birthday t-shirt scam

Good luck, by the way, on that T-shirt. My hunch is that you won’t ever receive one. But the scammers now have the ability to post to your Facebook page and upload pictures to your account, and you have helped them earn some money in the process.

If you were hit by this scam then you must refresh your Facebook mobile upload email address – that way the bad guys you just gave it too won’t be able to use it as a secret backdoor into your account.

How to refresh your Facebook Mobile upload email address
Some commenters have asked how do you change your Facebook Mobile upload address. Unfortunately, Facebook has made it somewhat tricky to find this option (maybe that’s why the scammers felt they had to make their own explanatory video!).

Visit www.facebook.com/mobile.

Refresh the page until you see an option like that displayed below. You may have to scroll down the page to find it.

Facebook Mobile email address

You should now see your Facebook Mobile upload address. Beneath it you should also see an option to “Find out more”. Click it, and a screen like the following should pop up.

Upload email

On this page you should find an option to refresh your mobile email address – but note! Facebook warns that you can only refresh it a limited number of times.

If you don’t change your mobile email address on Facebook, you’re just asking for trouble. In the past, Facebook pages such as that belonging to the Van Gogh Museum have been hit by scammers who abused the mobile upload feature.

It would be great, of course, if there was a way of telling Facebook to not allow any email address to be used for mobile uploads, as I would imagine that many individuals and companies would find the permanent blocking of the feature attractive.

If you’re a Facebook user and want to keep up on the latest threats and security news I would recommend you join the Sophos Facebook page – where more than 100,000 people regularly discuss the latest issues.


How Facebook ruined Thessa’s 16th birthday party


Popularity is pretty important to many 16 year olds, but perhaps this story highlights that being too popular can suck in a BIG way.

A north-German teen, known as Thessa, was planning her 16th birthday party. Like many of us, she decided to use Facebook to invite her pals.

Unfortunately, Thessa’s invite was sent not only to her connections, but to everyone as a public event.

Before you groan and think her stupid, check out the screenshot of Facebook’s Create an Event page below.

It has “Anyone can view and RSVP (public event)” ticked by default. Now, surely this is a great feature for a promoter or marketing outfit, but pretty awful for the half a billion or so home users who use Facebook to stay in touch with their friends and relatives. I can see why someone might think that “Anyone” refers to all the people a user is connected with, rather than all Facebook users.

Within a few hours, a staggering *15000* Facebook users had RSVPed for the Friday night party. That would put serious fear into any party organiser, let alone a soon-to-be sweet sixteen.

A cancellation notice was quickly fired out, but was ignored by the estimated 1500 people that showed up to her parents’ home in Bramfeld, just north of Hamburg, Germany.

Thessa’s parents reportedly hired a security firm to help them handle the expected masses. Also on hand were 100 police officers, some on horseback, to help keep the peace. They cordoned off the girl’s home, but party goers danced, chanted and drank at its edge.

There are a number of amateur videos of the birthday frenzy on YouTube, but I think this one captures it (the nightmare for the neighbourhood and glee of the attendees) rather well:

While no serious violence has been reported, some media reported that more “enthusiastic” partiers vandalised vehicles nearby and set fire to garbage bins and even a garden shed.

11 arrests were made. And the icing on the cake? Tessa didn’t even get to enjoy any part of it, as she was hiding out at her grandparents’ house.

A recent Comscore report shows a whopping 59% decline in the use of email among 12-17 year olds, and a 34% decline for the 25-34 age brackets. Facebook, SMS and Tweets have taken over as preferred communication methods.

For all you Facebook users out there, let this be a wake-up call. Check settings carefully before you issue invitations. More information on how to review your Facebook settings is available on the Sophos website.

And Thessa – from us at Naked Security: Happy 16th. Hope the year is a happy one for you 🙂