Dec 20, 2010 18:41 GMT

Security researchers warn that survey scammers are trying to capitalize on Facebook's legitimate plan to offer all of its users @facebook.com email addresses.

An ongoing scam produces spam messages reading "Just got my own email @facebook.com! Quickly get one before someone takes your name [link]".

In November Facebook announced a new unified messaging system, which will allow people to send and receive email, SMS and instant messages, all in a single place.

As part of this new feature, which will be slowly rolled out to users in upcoming months, all of them will be given @facebook.com email addresses.

And it seems that scammers are already trying to exploit people's interest in securing a cool name for their address in advance.

Clicking on the spammed link takes users to a well-designed page reading: "Know first and reserve your facebook e-mail. Click here for your own [email protected] e-mail address."

Hitting the button prompts a "request for permission" dialog from a rogue app that wants access to post on people's walls and read their profile data.

This ensures the rapid propagation of the scam, as agreeing to grant the requested permissions results in spam being posted from people's accounts.

If they get this far, users will see a page with a form asking for their desired @facebook.com address and their current email.

However, they can't use the form because of a "Security Check" which asks them to complete a 30-second test first.

The tests are deceptive surveys that try to sign them up for premium rate services, earning the scammers a lot of money in the process.

Victims should go to "Account > Privacy Settings > Applications and Websites" and revoke the permissions given to the rogue app. They are also strongly advised to remove the spam messages posted on their walls.

"Note, these scam messages are not connected with Facebook's genuine plans to give everyone a @facebook.com public email address. Facebook expects to roll out that service more widely in the coming months, and will use your 'publicusername' when live," advises Graham Cluley, senior technology consultant at Sophos.