Normally, 419 scams are easy to spot and involve email requests for money from supposedly rich individuals in countries such as Nigeria, from which the fraud gets its name. The latest Facebook attack is much craftier, however, because it hijacks the identities of real people known to Facebook members, asking for money under an apparently plausible guise.
According to reports, one Google Australian employee was contacted using Facebook by a person known to her, asking for $500 to allow him to return home from Lagos, Nigeria, where he claimed to be stranded.
She became suspicious that the contact was bogus only after noting subtle irregularities in the fraudster's use of Australian English.
"After chatting further, words such as 'cell' instead of 'mobile phone' tipped Wells off that she was not talking to her friend but someone who had taken over his account," the report said.
"Many Facebook users don't even know how many friends they have on the site, let alone what they are all doing and where they are, and this is providing the scammers with a new vector of attack," said Graham Cluley of Sophos, the company that unearthed this particular scam.
"Unfortunately this is just the latest skirmish in an ongoing battle taking place between Facebook users and cybercriminals intent on exploiting the site and its members for their own financial gain."
Social networking's insecurities are many-headed. Emails from domains such as Facebook are more likely to reach an individual's inbox because they come from trusted domains; hijacking such domains to create fake email accounts been one of the year's growing problems on webmail systems such as Google, Hotmail and Yahoo.
As it is, Facebook users have a reputation for giving up personal information too easily, while such sites have also been under attack from a range of information-farming direct exploits.
A secondary problem is that social networking offers scammers the ultimate prize of being able to hijack the identity of a trusted person to execute fraud. The Facebook 419 scam is an example of this, using plausibility and a demand for a modest amount of money to overcome suspicion. If social networking systems become infected by such trust-based fraud to any degree they will likely become unviable in their current form.
"Unless people take more care when securing their computers and personal data, there's no doubt that we'll see more electronic conmen using stolen Facebook identities to steal money from the innocent by posing as their online buddies," said Cluley.