Photo tagged as a Facebook bunnygirl? Beware viral scam

Facebook users, both male and female, are finding that they have been tagged in a photo of a young woman dressed as a bunnygirl.

But this isn't an early homage to the Easter Bunny. It is an attempt to get unsuspecting Facebook users to click on a scam link offering to reveal who has been stalking them on the social network.

And in a change from their normal tactics, scammers are exploiting Facebook's loosely-controlled photo tagging capability to get their messages in front of as many people as possible.

Your first encounter with this scam is likely to be when you log into Facebook one morning, and discover that one of your friends appears to have tagged you in a photograph. Imagine your surprise when you discover it's not you at all, but a photograph of a woman dressed as a Playboy bunnygirl waitress.

Furthermore, you may see that your Facebook friend has also tagged other contacts of theirs as being the bunnygirl as well.

Facebook bunnygirl photo album

There clearly aren't that many people in that photo. After all, where would she hide them all in that skimpy outfit?

No. Instead, the truth is that whoever was responsible for posting the image wants you to click on a link.

A link which typically reads:

wow this works >> [LINK] << now you can see who your top facebook profile stalkers are!

Regular readers of Naked Security will already be smelling a rat, but no doubt some Facebook users would be curious enough to venture further into the trap.

And if you do make the mistake of clicking on the link (the URL-shortening service, by the way, has closed down the links that Sophos has seen being used so far, but the scammers are now using other URLs which don't rely on it) then you will be taken to a webpage like this:

Who are your top stalkers?

Now, many Facebook users are extremely eager to discover who has been checking out their Facebook profile and will think nothing of approving the third-party application that they are presented with:

Rogue Facebook application

Of course, this is a big mistake. The rogue application can now access your Facebook profile, post messages in your name, and even create photo albums of bunnygirls, tagged with the names of your Facebook friends. In this way the scam spreads virally across the social network.

Bunnygirl photo update on compromised Facebook account

They don't even apologise for never revealing who your top Facebook profile stalkers are. Scammers, you just can't trust them.

If you've been hit by a scam like this, revoke the rogue application's access rights and delete the offending photo album.

Unfortunately, for reasons best known to itself, Facebook doesn't allow you to stop people (and applications) from tagging photos with your name in the first place.

This feels to me like a basic privacy option that is essential for Facebook, but there's no sign that they're going to add it anytime soon. In fact, they're introducing a technology which will automatically tag photographs using facial recognition software. Yuck.

You can learn more about how to best configure Facebook's settings to protect your privacy in our online guide.

If you don't want to get caught out again, or simply want to learn more about security threats on the social network and elsewhere on the internet, I would strongly recommend you join the Sophos Facebook page where we provide early warnings about such attacks.

Hat tip: Thanks to Naked Security reader Darren who sent us a tip about this scam, bringing it to our attention.

3 Responses to Photo tagged as a Facebook bunnygirl? Beware viral scam

  1. julia · 1646 days ago

    Correct me if I'm wrong, but I think that a scam with a big list of account names can tag the names (since they don't change) again and again. If the victim removes the tag from one picture then the scam can easily tag the name in a new picture.

  2. WippyM · 1558 days ago

    Never mind the scam; did most people just ignore the girl in the bunny outfit?

  3. feltores · 1089 days ago

    With that silly description and unrelated photo, most users should know that something is dodgy here.
    But FB is quite strict on applications and I thought after a few reports it will limit the apps' permission and eventually completely ban them.

About the author

Graham Cluley runs his own award-winning computer security blog, and is a veteran of the anti-virus industry, having worked for a number of security companies since the early 1990s. Now an independent security analyst, he regularly makes media appearances and gives computer security presentations. Follow him on Twitter at @gcluley