Cluley identified the scam 18 months ago, but explained that Facebook has not taking action to stop it. “Once you have handed access of your account over to a rogue app, the scammers behind it can post whatever they like to your profile – including spammy and malicious links”, he wrote on the Naked Security blog.
“I'm sure Facebook's security team have the best intentions, but my guess is that they are putting less focus on rogue apps and survey scams than other attacks on the site's 900 million users. These scams may not be as important as Facebook-aware malware and site-wide vulnerabilities, but they still need to be dealt with”, he lamented.
Cluley blamed Facebook for not vetting applications for malware, which enables criminals to hijack Facebook accounts. He stressed that Facebook does not provide users with a way to find out who has been viewing their profiles.
The Sophos researcher advised Facebook users: “If you mistakenly installed a rogue app, remove the messages from your timeline, revoke the app's publishing rights and report it as spam to Facebook, and ensure that you have revoked its access to your account.”