Do I Know You? Fake Friends Adding Fresh Danger To Facebook


Back in a more innocent age, a Facebook friend bore at least some resemblance to an actual friend: They were real people with real identities with whom one had some connection in real life. But the online "friends" who populate Facebook are increasingly not who they say they are. Indeed, some are not even real human beings, but merely malevolent online creations.

Facebook has distinguished itself from competing social networks by requiring that members use their actual identities, a stipulation that has created both an aura of intense connection and a sense of safety, helping Facebook to grow into a $50-billion behemoth with 550 million members. Breaking from a tendency toward anonymity in online interactions, Facebook made a visionary choice to engage real people who have offered up the intimate details of their lives. The site's policies specifically prohibit "impersonating anyone or anything" and mandate usernames with "a clear connection to one's identity."

The rule has not always been strictly enforced -- there have always been a number of accounts belonging to pets, babies, even stuffed animals. But this founding principle now seems increasingly at risk, and with it, Facebook's attempts to encourage greater sharing, woo ad dollars and remain the primary destination for socializing on the Internet. In recent months, Facebook users have reported inboxes flooded with a growing volume of spam friend requests from unknown individuals with unlikely names, stock photos and sparse profiles: ghost accounts that belong to computers, not people.

The extent of the problem is difficult to quantify, even for Facebook. Yet this apparent uptick in spam -- which has been a problem since inception -- suggests a potentially-growing fraction of the site's members have sham identities that are being used to extract personal information from legitimate users, say social media experts.

In addition to being a nuisance and possible security threat, these fake accounts undermine the values that have helped Facebook to become the world's most popular social network. "It makes it very hard to trust people on Facebook because anyone can create a fake account," said Graham Cluley, a senior technology consultant at Sophos, a security firm. "These days the only way to tell if a Facebook friend request came from someone you actually know is to ring them up and say, 'Hey, did you send me a Facebook friend request?'"

The problem is a particularly thorny one for Facebook as the company attempts to encourage its users to share more liberally with one another and with the web at large. Why return regularly to a site peppered with scams, spurious deals, or even viruses? Posting photos, updates and real-time data on one's whereabouts becomes far less appealing when the information runs the risk of being used by hackers.

So just who are the puppeteers controlling these proliferating fake Facebook friends? And can they be stopped?


WHO'S FRIENDING?

Bypassing the protections Facebook has in place to defend against bots can be an elementary affair. That unknown trim blonde with an interest in wine and Jack Kerouac may be nothing more than an attractive front for a bit of script that automates Facebook friend requests by instructing a computer to search for all users with a certain characteristic -- the name "Katie," for example -- then directs it to connect with everyone who turns up in the search results.

Though the access varies depending on each individual's privacy settings, once a spammer has become "friends" with other users, he can then tag them in photos, post messages to their walls, chat with them, send status updates to their news feeds and connect with their friends. In this fashion, the fake friends insinuate themselves into the social networks of all of the people they reach, with each new friend reinforcing the appearance that the relationships are real and making it easier to add even more friends.

Each interaction presents the opportunity to advertise suspicious websites hoping to extract sensitive information. The more friends the fake friend acquires, the more easily they can be used as a conduit for bogus or even predatory come-ons: The links gain legitimacy as they appear to come from a friend. "If you have control over thousands and thousands of social networking accounts, you can get an awful lot of people to click on links," Cluley said. Via Facebook's social engagement tools, spammers are able to execute what Cluley described as a "cocktail of attacks," perhaps directing users to fraudulent antivirus software capable of enabling a hacker to remotely control a computer; perhaps sending them to surveys from which they can earn a commission.

Facebook users can also find themselves directed to bogus online retailers hoping to pick up credit card details. Inadvertently befriending a fake account also unlocks access to personal tidbits that may seem innocuous but amount to a treasure trove for hackers seeking access to personal Web sites like bank accounts. They frequently hint at passwords and usernames, as well as the answers to common security questions.

According to security experts, these nefarious friends are overseen by a diffuse, elusive network of individuals located all over the world. "Very often, these are executed by loose networks of folks who specialize in their particular niche and collaborate to attack, then make money off of the account," said Jules Polonetsky, director of the Future of Privacy Forum. "They know each other from spammer IRC [Internet relay chat] channels where they brag about exploits and alliances. It is not a particular giant spam company."

The unknown friends may also be covers for real people, such as law-enforcement agents on the lookout for incriminating information.

In a memo penned in 2008, the Department of Homeland Security's U.S. Citizenship and Immigration Services described the goldmine of personal information to be found on online social networks and instructed agents how to take advantage of people's "narcissistic tendencies" to sniff out fraud.

"Many of these people accept cyber-friends that they don't even know," the memo said. "This provides an excellent vantage point for [the Office of Fraud Detection and National Security] to observe the daily life of beneficiaries and petitioners who are suspected of fraudulent activities."


BARING ALL

Facebook has not stood idly by during this assault on its users. In an effort to reduce spam, it has created systems designed to flag suspicious activity, even temporarily blocking users that send a high volume of messages or have had numerous friend requests denied.

Facebook says these measures have netted real results, cutting spam by 95 percent in 2010, according to the company's chief technology officer, Bret Taylor. At the same time, however, numerous users have complained on Twitter, Quora and even Facebook itself that they have experienced an uptick in friend requests from fake accounts in the past few months.

Though Facebook would not confirm whether the number of profiles belonging to spammers had increased recently, Simon Axten, a member of the social network's public-policy group, said, "There are always fluctuations as people respond to the defenses we've built."

The reported rise in dubious profiles may be an inevitable product of Facebook's growing popularity. People with ill intent tend to go where the masses reside. But it also appears to reflect the pitfalls of vanity and the human craving for affirmation: Facebook's members regularly fall prey to scammers who understand how to appeal to their egos and their romantic proclivities. Time and again, say security experts, Facebook users cast aside the needed skepticism in favor of gaining connection with another seeming admirer. Having thousands of friends is a status symbol on social networks, prompting many to agree to connect with unfamiliar individuals in an attempt to boost their numbers. Scammers regularly adopt the guise of women, assuming that men will be more likely to become "more open and connected" -- to borrow Facebook's own motto -- with a pretty girl.

"The problem is, however much things like Windows and Mac OS X get better, we can't upgrade people's brains," Cluley, the technology consultant, said. "They'll click on things and say 'That looks good.' Like cavemen in front of this incredible piece of technology, they have trigger-happy mouse fingers."

Some suggest that the migration of users from MySpace, which provides greater anonymity, to Facebook, with its rules, walls and real identities, has altered the network's norms, bringing more liberal behavior that contributes to spam. "They are bringing some of the behavior they had on MySpace, which was a free-for-all," said Tameka Kee, an analyst with SocialTimes Pro. "They'll friend everyone on Facebook."

Yet even the most cautious users can fall victim to spammers, as it can be nearly impossible to distinguish fake profiles from real. Racy or overly-polished photos can be a tipoff that the "friend" is a fraud, as can a bare Facebook profile with very few other connections. But just as often, a scammer will include interests, activities, hometown, an alma mater and even a nickname, making it a matter of guesswork to determine whether it is a bad bot or an elementary school classmate attempting to reconnect.

These dishonest accounts are not merely targeting the technologically-challenged or the unsavvy: The chief executive of an online startup, a social media consultant and a recent college graduate all admit to having accidentally befriended spammers on Facebook. They said they only realized their mistake once they started seeing messages that seemed like obvious spam, with links to sites promising to explain how "I lost 9 lbs in 14 days" or where to sign up to "become an iPhone tester!!!"

A 2009 study conducted by Sophos Security discovered that 46 percent of randomly-selected Facebook users accepted a friend request from a fake account belonging to a rubber duck by the name of "Daisy Feletin." "It's happened to everyone I know that is credible and making a living doing social media," said Lori Randall Stradtman, the founder of Social Media Design.


MAKE IT STOP

It is unlikely that spammers will be the downfall of the world's most popular social network -- email services have, after all, successfully learned to cope with a deluge of such attacks. That said, as its membership ranks grow, increasing the value of penetrating the network, Facebook will certainly have its work cut out for it. The network is grappling with the troublesome task of distinguishing human behavior from that of bots, which is increasingly difficult given sophisticated new methods for eluding CAPTCHA tests, previously the gold standard for telling computers and people apart.

Already, the site is experimenting with a new security feature, "social authentication," designed to do precisely this. If Facebook suspects nonhuman activity, it will require a user to identify photos of their friends in order to unlock the account, a task that would presumably be impossible for a bot.

Even as it refines its anti-spam systems, however, the site faces the even more delicate task of educating users about the risks. It must encourage caution without sowing fear, at the very time that it works to convince people to offer up even more details of their lives, which can be monetized. In essence, Facebook must educate its users to adopt a skepticism with the familiar overtones of a "safe sex" campaign: Members must scrutinize not only the people extending the offer of friendship, but also consider the merits of all the friends those prospective friends bring along.

With the speed and invisibility of a virus, spammers can easily connect with and infect others once they are accepted as Facebook friends. In this case, "going viral" is not something to celebrate. In an online forum, the friend of a Facebook spam victim lamented how and why his acquaintance had made himself vulnerable to a fake friend: he was told, "I just befriended her 'cause the other guys we know did."

The problem is further compounded by privacy settings that can unlock hundreds of profiles when even a single user clicks "accept." Even if a user has not personally connected with a fraudulent account, any of her profile information could be visible to the spammer -- now the "friend of a friend" -- once accepted to another Facebook friend's inner circle of online acquaintances.

In the end, the fake friendship epidemic may mark the beginning of a new, more cautious phase in the history of social networking. "Get a dictionary and look up the word 'friend,'" Cluley said. "If you don't know them and wouldn't have them around for dinner in your house, I'd propose you don't make them a Facebook friend."
