Cybercriminals are exploiting the Facebook API, the interface that allows developers to create apps for Facebook, to spread malicious links to groups all over the social network, and Facebook is doing nothing to stop it. The links have been found to contain the Zeus virus, a notorious malware capable of draining bank accounts, and are targeted at professional sports fans.

The International Business Times previously reported how reports of the Zeus malware have risen steadily in 2013, with hackers targeting NFL fan groups like Los Angeles NFL Fan Connection. Now, hackers are turning their attention to Eurpoean football clubs, which are known for large and intensely engaged fan bases, and exploiting the hype around the exciting NBA Finals series.

While not all of the scams are the same, advocacy groups like Fans Against Kounterfeit Enterprise detected that many of these links are serving up malware like Zeus. FAKE worked Malloy Labs to trace them back to Russian servers owned by a crime syndicate that specializes in malware, identify theft and child pornography.

What is troubling about these links is that many of them say they were posted “via Graph API Explorer.” This is a tool used by developers when building Facebook apps. Programmers can use it to query data, create posts, create check-ins and just about everything else one can do on Facebook. There is an even an option to create “Access tokens,” which allow for an app to access a user’s status, groups and many others.

It appears that hackers are exploiting the Graph API Explorer to spread malicious links to groups that a compromised user account belongs to.

“Facebook isn’t doing anything to protect its most serious assets,” Eric Feinberg from FAKE told IBTimes. Feinberg said that he has pointed this problem out to Facebook but has not seen any changes happen.

Feinberg said the security flaw allows malicious hackers to engage in social engineering, a type of trick that dupes people into giving up information by posing as a trusted source. By hijacking accounts that “Like” sports and posting malicious links about cheap jerseys or a live stream of the NBA Finals, their friends are more likely to trust the link. Social engineering allows the malware to spread wider and more rapidly. A solution should be easy: Just close off the Graph API Explorer. 

IBTimes asked Facebook about malicious links being posted through the Graph API Explorer but has not received a response.

Recently, a large number of malicious links triggered Facebook to block users on accessing the social network with Tor. The issue has been resolved but revealed how much malware is currently assaulting Facebook.

The links containing the Zeus malware tend to feature “.tk” in the URL. Watch out for these links and anything posted from the Graph API Explorer. The malware cannot affect computers running Apple OS X or Linux, so Windows users need to be especially vigilant.   

Follow Ryan W. Neal on Twitter