Photo tagged as a Facebook bunnygirl? Beware viral scam

Facebook users, both male and female, are finding that they have been tagged in a photo of a young woman dressed as a bunnygirl.

But this isn’t an early homage to the Easter Bunny. It is an attempt to get unsuspecting Facebook users to click on a scam link offering to reveal who has been stalking them on the social network.

And in a change from their normal tactics, scammers are exploiting Facebook’s loosely-controlled photo tagging capability to get their messages in front of as many people as possible.

Your first encounter with this scam is likely to be when you log into Facebook one morning, and discover that one of your friends appears to have tagged you in a photograph. Imagine your surprise when you discover it’s not you at all, but a photograph of a woman dressed as a Playboy bunnygirl waitress.

Furthermore, you may see that your Facebook friend has also tagged other contacts of theirs as being the bunnygirl as well.

Facebook bunnygirl photo album

There clearly aren’t that many people in that photo. After all, where would she hide them all in that skimpy outfit?

No. Instead, the truth is that whoever was responsible for posting the image wants you to click on a link.

A link which typically reads:

wow this works >> [LINK] << now you can see who your top facebook profile stalkers are!

Regular readers of Naked Security will already be smelling a rat, but no doubt some Facebook users would be curious enough to venture further into the trap.

And if you do make the mistake of clicking on the link (bit.ly, by the way, has closed down the links that Sophos has seen being used so far, but the scammers are now using other URLs which don’t rely on the URL-shortening service) then you will be taken to a webpage like this:

Who are your top stalkers?

Now, many Facebook users are extremely eager to discover who has been checking out their Facebook profile and will think nothing of approving the third-party application that they are presented with:

Rogue Facebook application

Of course, this is a big mistake. The rogue application can now access your Facebook profile, post messages in your name, and even create photo albums of bunnygirls, tagged with the names of your Facebook friends. In this way the scam spreads virally across the social network.

Bunnygirl photo update on compromised Facebook account

They don’t even apologise for never revealing who your top Facebook profile stalkers are. Scammers, you just can’t trust them.

If you’ve been hit by a scam like this, revoke the rogue application’s access rights and delete the offending photo album.

Unfortunately, for reasons best known to itself, Facebook doesn’t allow you to stop people (and applications) from tagging photos with your name in the first place.

This feels to me like a basic privacy option that is essential for Facebook, but there’s no sign that they’re going to add it anytime soon. In fact, they’re introducing a technology which will automatically tag photographs using facial recognition software. Yuck.

You can learn more about how to best configure Facebook’s settings to protect your privacy in our online guide.

If you don’t want to get caught out again, or simply want to learn more about security threats on the social network and elsewhere on the internet, I would strongly recommend you join the Sophos Facebook page where we provide early warnings about such attacks.

Hat tip: Thanks to reader Darren who sent us a tip about this scam, bringing it to our attention.


Graham Cluley is an award-winning keynote speaker who has given presentations around the world about cybersecurity, hackers, and online privacy. A veteran of the computer security industry since the early 1990s, he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows, makes regular media appearances, and is the co-host of the popular "Smashing Security" podcast. Follow him on Twitter, Mastodon, Threads, Bluesky, or drop him an email.