It has come to our attention recently that a website is giving out instructions on how to use a low tech social engineering trick to view private Facebook profiles. To view the instructions, a third-party application must be first downloaded and installed. While this application is not malware, it may impact computer performance. The instructions then describe how to view private Facebook profiles, with the result being that a Facebook user may receive a friend request from a person that is already on their friend list.
The social engineering trick lies in the fact that the friend request is not from the “friend” that it purports to be from. The friend request may also come with a personal message; the instructions also suggest a message, “Hey, I can’t login to the previous account. add [sic] me back in.” Since the friend request received both via email and Facebook looks legitimate (because it is legitimate; that is, the mechanics of the friend request are legitimate—only the person masquerading as the user’s friend is suspicious) it would be easy to fall for this fake friend request and add this person to one’s friend list. Part of the problem here is how Facebook handles friend requests, because you can’t confirm that the person is who he/she pretends to be.
We suggest that if anyone with a Facebook account receives a friend request from someone already on their list they should contact that friend directly, confirming that they did indeed send a friend request. Similarly with most social engineering attempts, one way to avoid being fooled is to verify the legitimacy.
This advice can be applied in general to any unsolicited requests or communications that may arouse your suspicions. Try to verify that the sender is who they say they are before clicking on that link, installing that software, or taking whatever action may turn out to be trouble. If in doubt, say no. You may save yourself a world of pain.
A big thanks to my colleagues Irfan Asrar and Shunichi Imano for research and analysis of this issue.