Looks like spammers are taking advantage of one of social networking’s weakest links: narcissism.
Narcissism fuels “friend collecting,” which is the practice of either aggressively pursuing connections with friends of friends one barely knows, or indiscriminately accepting friend requests from unknown people. Oftentimes, the latter users check mutual friends prior to admitting a requester into their Facebook lives. This is a poor safety measure because the mutual friends might themselves have already been duped into accepting the request. Now, friend collectors are being taken to task by spammers who take advantage of their social networking naïveté.
With help from Tom Eston, senior security consultant from SecureState, I dug into these scams.
Here’s how it works:
  1. Spammer creates a fake account.
  2. Spammer friends popular people on Facebook. The most popular users tend to have more than 2,500 “friends” and are less discriminating with their friend adds.
  3. Spammer tags the people who have accepted the friend request in the fake account’s profile picture.
  4. Friends of the tagged person see this picture in their news feeds, which, in the case of the below example, might persuade a click-through since the fake profile photo is usually that of a cute girl (clearly, a “super uber bored” one).
The blurred-out link actually goes to a malicious site, which could be intended to do anything from phishing credentials to proliferating malware. As you can see in the below example, the fake profile owner tags multiple people in the picture at once in order to try to get as many unsuspecting clickers as possible.
The best way to avoid being victimized by these types of spammers, of course, is not adding people unless you absolutely, unequivocally know who they are. Also, there are privacy settings that allow users to better lock down visibility of the photos in which they are tagged. This is possible through Facebook privacy settings by setting “Photos and Videos I’m Tagged In” to “Only Me”. This option is a bit buried within the customized privacy settings, but the below screenshot shows the option.
Again, the best way to avoid being a victim of this scam is to avoid adding people you haven’t thoroughly vetted. If you must friend collect, the above privacy option should help keep you and your friends safe. However, if you do friend collect, chances are you’re friends with a lot of other friend collectors who could fall prey to this issue, too.