Facebook Scammers Create Fake Profiles to Spam Users, Click-Jacking

Scammers are using automated techniques to generate tons of fake profiles to trick users into joining scams and clicking on malicious links, Barracuda Networks found.

CANCUN, MEXICO – Cyber-crooks on Facebook are creating fake profiles on the social networking site to launch their scams, according to data released by Barracuda Networks.

The fake profiles are overwhelmingly women. About 97 percent of the fake profiles collected by Barracuda Networks turned out to be of women, Paul Judge, chief research officer at Barracuda, said in his "FakeBook" presentation at the Kaspersky Lab Security Analyst Summit Feb. 2. Female users account for about 40 percent of real people on Facebook, Judge said.

Many of the profiles are automatically generated, reusing similar photos and randomly selecting a metropolitan city, a high school or college near that city, and a set of random interests, Judge said. The profiles are aimed at spreading spam or tricking users into joining affiliate programs, all of which translate into real-world money for the scammers.

"Fake users can take over your account, spam your wall and feeds," Judge said.

Judge wasn't exaggerating the possibility of account takeovers. Facebook implemented its Trusted Friends feature in October, where users who can't log into their accounts can ask Facebook to send the unlock code to three of their friends. If the user has accepted enough fake profiles as friends, all the attacker has to do is find three photos of the fakes and get the code to enter the account, Judge said.

The spam and affiliate programs are much more common. For example, users may think an ad campaign for Starbucks gift cards, or $250 from Outback may be real and click on those "deals," Judge said. People get excited by these offers and don't stop to think about why that brand is offering them something for free, Judge said. And scammers get paid for every click.

Barracuda has built a tool capable of crawling Facebook user pages to identify fake profiles, Judge said. There is also a plug-in in the works so that users can preview Friend requests before accepting. The ProfileProtector tool is available for both Facebook and Twitter users.

How can the typical Facebook user tell whether that friend request is coming from a breathing human or from a fake profile? There are certain red flags. Some 58 percent of fake Facebook accounts say they are "interested in" both men and women, while such accounts make up only 6 percent of real accounts, according to data collected by Barracuda. Phony profiles also tend to have a large number of friends, averaging 726 Facebook friends, when real users generally have about 130. Nearly 70 percent of the fakes claim a college education, compared with 40 percent of legitimate Facebook users.

Fake friends rarely update beyond uploading photos, which they tag heavily. Fake profiles on average tag 30 people per photo uploaded, a dramatic contrast to one tag for every four photos uploaded by real users. Nearly half, or 43 percent, have never updated their Facebook statuses, while only 15 percent of real Facebook users can claim the same. They also tend to list few or no interests, and if they do, the interests are often close together alphabetically, like three musical groups starting with the letter 'A,' Judge said.
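The red flags above can be combined into a simple triage score for incoming friend requests. The following is an added example written for this article, not Barracuda's tool or classifier: the indicator names, weights, thresholds and sample profiles are all constructed for illustration, with the thresholds placed between the averages the article reports for real users and for fakes.

```python
"""Heuristic triage of friend requests using the red flags the article lists:
"interested in" both men and women, unusually high friend count, college claim,
heavy photo tagging, no status updates, and few or alphabetically clustered
interests. Weights and thresholds are assumptions for illustration only."""
from dataclasses import dataclass, field
from itertools import groupby


@dataclass
class Profile:
    name: str
    interested_in: set            # e.g. {"men", "women"}
    friend_count: int
    claims_college: bool
    photos_uploaded: int
    tags_applied: int             # total people tagged across uploaded photos
    status_updates: int
    interests: list = field(default_factory=list)


# Assumed thresholds (constructed): the article reports ~130 friends and
# 0.25 tags/photo for real users versus 726 and 30 for fakes.
FRIEND_THRESHOLD = 400
TAGS_PER_PHOTO_THRESHOLD = 3.0
REVIEW_THRESHOLD = 6

# Assumed weights (constructed): signals rare among real users weigh more.
WEIGHTS = {
    "interested_in_both": 3,
    "friend_count_high": 2,
    "tag_density_high": 3,
    "no_status_updates": 2,
    "few_interests": 2,
    "interests_clustered": 2,
    "claims_college": 1,          # 40% of real users also claim this: weak signal
}


def interests_clustered(interests):
    """True when three or more listed interests share the same first letter
    (the 'three bands starting with A' pattern from the article)."""
    firsts = sorted(i[0].lower() for i in interests if i)
    if not firsts:
        return False
    return max(len(list(g)) for _, g in groupby(firsts)) >= 3


def indicators(p: Profile) -> list:
    """Return the names of every red flag the profile triggers, in a fixed order."""
    hits = []
    if {"men", "women"} <= p.interested_in:
        hits.append("interested_in_both")
    if p.friend_count > FRIEND_THRESHOLD:
        hits.append("friend_count_high")
    if p.photos_uploaded and p.tags_applied / p.photos_uploaded > TAGS_PER_PHOTO_THRESHOLD:
        hits.append("tag_density_high")
    if p.status_updates == 0:
        hits.append("no_status_updates")
    if len(p.interests) < 2:
        hits.append("few_interests")
    if interests_clustered(p.interests):
        hits.append("interests_clustered")
    if p.claims_college:
        hits.append("claims_college")
    return hits


def score(p: Profile) -> int:
    """Weighted sum of the triggered indicators."""
    return sum(WEIGHTS[h] for h in indicators(p))


def verdict(p: Profile) -> str:
    """'review' when the score crosses the (assumed) threshold, else 'accept'."""
    return "review" if score(p) >= REVIEW_THRESHOLD else "accept"


# Constructed sample profiles, built from the averages quoted in the article.
FAKE = Profile("Amanda Example", {"men", "women"}, 726, True, 10, 300, 0,
               ["Aerosmith", "Abba", "Arcade Fire"])
REAL = Profile("Sam Example", {"women"}, 130, True, 40, 10, 12,
               ["Hiking", "Jazz", "Python"])

if __name__ == "__main__":
    for p in (FAKE, REAL):
        print(f"{p.name}: score={score(p)} verdict={verdict(p)} flags={indicators(p)}")
```

Each flag is reported separately rather than collapsed into one number so that a reviewer can see which behaviour tripped the score; the college claim is kept but weighted low because, per the article, it is common among real users too.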

Interestingly, fake profiles are often clustered near metropolitan cities, such as New York City and Los Angeles. According to a heat map provided by Judge, there is a tendency for the fake profiles to be located on the East Coast.

Although a majority of the profiles are women, it is too early to tell whether the attackers are specifically targeting men, Judge said. Recent studies have shown that men are more likely to accept friend requests from women they don't know than women are to accept requests from men they don't know.