Every few weeks there’s a new scam that makes the rounds on Facebook. This week it’s the “Find out who visits your profile” scam, which we’ve all seen before. The reason it piques my interest this time is the sheer volume of people falling victim. That, coupled with the fact that the victims include some of my more tech-savvy Facebook friends, made me want to understand better what exactly the virus is trying to do and how we can all protect ourselves.
The virus works first by gaining access to your Facebook account. Unlike other methods for hacking, which involve somehow accessing your login credentials, this scam needs only for you to click a link posted on your wall or someone else’s wall. To entice you into clicking, the scam offers something lots of people would love to know, but Facebook doesn’t allow: a list of people who’ve viewed your profile. You might receive an e-mail notification that tells you a friend has posted a link on your wall with this context:
“LOL !! Me cant believe that you can see who is viewing your profile! I can see the TOP 10 people and I am really OPENMOUTHED that my EX is still checking my Pix and my Profile. You can also see WH0 CHECKS YOUR PR0FILE here)”
The most important thing to understand about this scam is that you should not click the link. If you don’t click the link and opt in, the virus is rendered powerless. If you click the link, and you happen to be logged into your Facebook account when you do, the virus immediately goes to work posting the same link and content on your friends’ walls. There’s no way to stop it in progress – the only way to repair the damage is to visit each of your friends’ walls one by one and remove the post, or message all of them and hope they haven’t already clicked the link as well.
Since there’s an e-mail component to the virus for those who’ve elected in their Facebook settings to be notified via e-mail when someone posts to their wall, we’ve seen a surge in submissions of this scam to PhishTank, the anti-phishing clearinghouse we operate. However, this will not be confirmed as a phish because it acts entirely within Facebook. Note that the domain in the submission below is Facebook’s own: fb.me
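To illustrate the triage distinction just described (a submitted link whose host is genuinely Facebook-owned is in-platform abuse rather than a phish), here is an added example of how a submission queue could be pre-sorted by hostname. This is illustrative code written for this post, not PhishTank’s own triage logic; the list of Facebook-owned domains and the sample submissions are assumptions constructed for the example, and only fb.me comes from the post itself.

```python
from urllib.parse import urlsplit

# Assumed list of Facebook-owned registrable domains for this example.
# Only fb.me is mentioned in the post; the others are assumptions.
FACEBOOK_DOMAINS = ("facebook.com", "fb.me", "fb.com")


def is_facebook_host(host):
    """True only if host IS a Facebook domain or a subdomain of one.

    Suffix matching on the registrable domain (".facebook.com") rather than
    a plain substring search means that lookalikes such as
    "facebook.com.example-bad.test" are NOT treated as Facebook.
    """
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in FACEBOOK_DOMAINS)


def triage(url):
    """Classify one submitted URL.

    Returns 'in-platform' for links hosted on Facebook itself (to be
    handled as in-network abuse, not confirmed as a phish), 'external'
    for anything else, and 'invalid' when no hostname can be parsed.
    """
    # urlsplit() needs a scheme to recognise the authority part.
    if "://" not in url:
        url = "http://" + url
    # .hostname strips userinfo ("facebook.com@evil.test" -> "evil.test"),
    # port and brackets, so the check is made on the real host only.
    host = urlsplit(url).hostname
    if not host:
        return "invalid"
    return "in-platform" if is_facebook_host(host) else "external"


def summarize(urls):
    """Count submissions per triage category."""
    counts = {"in-platform": 0, "external": 0, "invalid": 0}
    for u in urls:
        counts[triage(u)] += 1
    return counts


# Constructed sample submissions (not real PhishTank data); the
# example-bad.test and evil.test hosts are placeholders.
SAMPLE_SUBMISSIONS = [
    "http://fb.me/abc123",
    "https://www.facebook.com/some/page",
    "http://facebook.com.example-bad.test/login",  # lookalike suffix trick
    "http://facebook.com@evil.test/",              # userinfo trick
    "",                                            # unparsable
]

if __name__ == "__main__":
    for u in SAMPLE_SUBMISSIONS:
        print(f"{triage(u):12s} {u!r}")
    print(summarize(SAMPLE_SUBMISSIONS))
```

Running the block prints one line per constructed submission followed by the category counts; the two lookalike entries land in `external` because the check is made on the parsed hostname’s registrable suffix rather than on whether the string contains “facebook.com”.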
Within social networks users are largely accountable for their own safety. The primary thing to remember: if you have any doubt, don’t click the link. Facebook offers this bit of advice:
“Always use caution when clicking on a link or opening an attachment, even if it’s been sent or posted by a friend or other reputable source. If you have any doubt, get confirmation directly from the sender. Be especially wary of messages that include attractive offers or urgent requests, and watch out for links that require you to immediately provide a login and password.”