Facebook Colon Cleansing spam via Mobile Web

UPDATE: I should make clear that whilst Facebook believe this attack to be related to earlier account phishing activity, more than one victim has assured me that they have not logged into Facebook for some while and are certain they have not fallen for a phishing scam. It is certainly true that code has been published on more than one site that uses the Facebook mobile portal to push status updates to a Facebook profile.



A few people have contacted me over the last few days, concerned about spam status messages that were being posted on their Facebook accounts.

FB msg


The messages advertise a supposed weight-loss URL (colonrevi.com), which was earning through an affiliate scheme. That URL has already been suspended for abuse, but at the time of the attack it redirected visitors to cleancoloncleanse.com, a site peddling a spurious dietary aid, CleanseProX. I think their own disclaimer at the bottom of the page backs up my use of the word spurious.


CleanseProX Disclaimer




The site employs many tricks familiar from fake pharmaceutical scams and rogue AV alike: wildly exaggerated claims of effectiveness, attempts at credibility by association with unrelated content (this site was showing a CBS News video entitled “Conquering colon cancer”), and unlinked images intended to prove the security of the product or service.


CleanseProX order form


One interesting addition to this was the use of a fake real-time chat window that pops up when you try to navigate away from the site. The window masquerades as a real person responding to concerns and offering half-price shipping to get your order but is in reality a very poorly disguised automated script. In this case it is programmed to respond to words like “scam”, “con” and “real” to assure the victim that this of course is not a scam and that they are talking to a real person, when the reverse is clearly the case. They didn’t have too much to say when I asked them about the compromised Facebook profiles…


CleanseProX Intellichat window


You can see from the screenshot that the service is provided by a company called Intellichat, who are very clear on their website that they provide scripted responses rather than live chat. You have to wonder, though, why they are willing to script responses which are blatant falsehoods, such as the one below.


CleanseProX Intellichat window


CleanseProX is promoted by a company called Teloxys Technologies Limited. A quick Google search reveals that they are also connected with products such as TrimBerryAcai, CleanseHerbal, Naturacai and Resveratin (an “anti-aging” pill)… CleanseProX doesn’t appear to have too many satisfied customers either (yes, people do actually fall for this).

Image from complaintsboard.com



I have been talking to the good folk over at Facebook about this latest account hijacking activity and they think that it is the result of a previous credential phishing attack. The spam updates in this particular attack so far all appear to originate from “Mobile Web”. This does not mean that scammers are abusing your profile via SMS, as some victims have feared, only that they are using m.facebook.com (the portal designed for mobile users) to send their spam. SMS updates would show up as originating from “Mobile texts”. So if you have fallen victim to this, you should change your password immediately. Facebook users should keep an eye on the Facebook Security blog for updates on the latest threats they are seeing.

35 thoughts on “Facebook Colon Cleansing spam via Mobile Web”

  1. Cris

    I had a similar problem, but the message was related to making money at home. The funny thing is that I got a text message on my iPhone at 6:30 AM yesterday morning that had the same basic text. At around 10 am I noticed that my Facebook status said something similar. I deleted it without thinking to look and see if I received the text message before or after the matching status update occurred. I don’t know if / how those two things are related, but it was definitely strange. I’d like to think that I’m too smart to fall for a phishing scam and I don’t recall logging into anything unusual on my PC. My PC has a cookie so that I don’t need to enter my Facebook username and password through Firefox, but my Internet Explorer has been acting strangely for months though. (when I shut down my PC each night, it insists there are updates to be done).

  2. Pingback: Facebook Status/Wall Hack Making the Rounds

  3. Phil

    Sounds like this is related to mobile apps. Only happened since I have enabled the mobile app for my Android (Htc Magic). Not convinced that this one is user error and reckon there is some bug being exploited in Facebook apps.

  4. annoyed

    This happened to me at 2:30am EST – I woke up to my iPhone dinging because of new emails I received. There were 10 new wall posts from myself and they were the email notifications. I then logged into FB on my Mac and roughly the first 50-100 of my friends received the same wall post. Because I was awake and didn’t want my friends to click on those I proceeded to remove those wall posts from each and every one of my friends. I don’t know how or when I was a victim of this phishing scam…is there something wrong with my iPhone FB app?

  5. Shadow

    Looks like it’s time for Round 2…

    xxx made $(variable amount) today working online! u guys have to check out WorkHomeDream.net to get started too!
    24 minutes ago via Mobile Web · Comment · Like

    I wonder if my friend actually changed her password…

  6. Twitch2021

    I just wanted to mention that the Order Form image posted in this article is identical to one I’ve encountered via spam on Craigslist. When responding to a personal ad spammers try to redirect respondents to a bogus website (it’s different all the time) that they claim is an adult dating site and that they use it to verify that the people they’re meeting aren’t “sexual predators” or whatever. The “Sign up” page looks exactly like the order form above, complete with unlinked images to prove security.

  7. Nida

    My facebook status got updated by something similar (PurgeColon.net). Changed my password, but how can we prevent this from happening again?

  8. sebish

    I’m getting the same thing from my phone, it seems to pair up with when I installed a custom WebMo Distribution (From XDA Developers) I put on to my phone.

  9. Esau

    I dunno, I use no apps in my facebook, click only friends pages & still I had this happen and while I was using facebook even – after seeing the update I did change my password, both on facebook & the email I used to register, then after doing that I changed the email address tied to my facebook account (created a gmail just for it) just in case.

    Still, I have never done one of those silly polls, added any apps or 3rd party addons. I’d like to know how they got into my account. I really only use it once or twice a week as it is, but now I am stopping by daily to see if anything has changed.

  10. dee

    i went to this website filled in the form and master card details, but there was one box i did not fill it was coz i did not know what it meant it was some sort of code just after the master card details, so am i safe ?

  11. Alan

    The entire goal of “phishing” someone is to dupe them out of their password by representing the site they are logging in to as the real site. Of course you don’t know that you have visited a phishing site, had you known, they wouldn’t have your password now.

    The solution is quite simple, change your password.

  12. Anon

    Same thing happened here…

    Two status updates in about 3 days.

    I used facebook on my HTC Hero (Android), didn’t happen before that

  13. Pingback: Terry Ogaki.com» Facebook Status/Wall Hack Making the Rounds

  14. Javier

    Hi, I have the same problem with the changing status and expresscolon.net… I have never used mobile facebook.

    Three days ago I was at my facebook profile and decided to change my privacy settings, when I clicked the link the red notification of microsoft appeared and said that the site might be insecure. I didn’t pay attention to it, I didn’t think it might be phishing because I was entering from inside facebook, not other site and the problem has occurred since that day so I think that might be the reason.

  15. Pingback: Help! Virus via facebook! - BlackBerry Forums at CrackBerry.com

  16. Mike

    Ok, But the big question is how to stop it? Will just changing your password do it? I have never gone to a phishing website. I have scanned my computer for spyware malware and viruses.
    I started to get the messages as soon as I used facebook on my iPhone.

  17. Martin

    I got the same message with “lost 8 1/2 pounds in two weeks….” in my status on Facebook. This happened only seconds after I have received a popup that looked like it was from Facebook with a Facebook session timeout message. It asked for the password. I thought about it for a second because I am sooo careful but obviously this was a phishing scam. Now, I wonder where this popup came from….I usually only go to the same sites. Watch out! I immediately changed my Facebook password and other passwords to be on the safe side.

  18. anton

    happened to me a few days ago. Received email but no confirmation code. called their customer care and they said their system was down. Will dispute the credit card charge if and when a bill arrives. Darn scammers. I pray interpol catches them and punishes them for these illegal acts

  19. Wow

    Wow Cade you are the biggest idiot i’ve seen in a long time. Morons like you are the reason we have to deal with spammers today.

  20. Cade

    Oh for anyone interested, they don’t send a confirmation, the ‘cancel order’ button doesn’t work, and the email address supplied *when you send an abusive message like I did* basically gets rejected. *stomps around some more and smacks his head on the desk* !

  21. Cade

    Well how about this – can ASSURE you I have never done this before, but seeing the purgecolon.net thing on a friend’s update and actually myself looking to lose weight I went on and ordered the freaking thing. Now they have my credit card details, address (lucky I’m not in UK or US though) and now I have to call the bank and cancel my damned credit card *sigh*.
    First time, and LAST time I ever do something stupid like this !!

  22. Jamie Jolliffe

    I can DEFINITELY confirm that this just (within the past hour) happened on my facebook page. I am the IT Manager for my company so I can assure you I have NEVER logged into a phishing site and that my system is not infected with Koobface or another worm. My supposed update was via “Mobile Web” and said “I lost 8 1/2 pounds in only 2 weeks with this new pill! visit PurgeColon.net to get your free trial pack! vUk”

  23. tara

    i had the same message posted as my facebook status, and i have never before visited the site. i have never even had or researched a colon cleanse! this is annoying, but can they do any damage?

  24. Pingback: Colon Cleansing Spam Running Through Facebook | Everything's Social

  25. Pingback: Colon Cleansing Spam Running Through Facebook | GeekStream Gadgets

  26. Anthony Johnson

    The company is TELOXYS TECHNOLOGIES LIMITED and is registered in the UK at:


    Their registration number is:

    06819281 – Registered at Companies House on 13/02/2009

    As for anything else… they don’t have much of credit reports or any earnings

    Emails i couldn’t find one that worked.

    If anyone could find an email that would be great

  27. Pingback: Tweets that mention Facebook Colon Cleansing spam via Mobile Web » CounterMeasures -- Topsy.com
