It’s possible that your friend unknowingly pasted a malicious script into their address bar. Instead of showing you what it advertises (ex: who viewed your profile/timeline), these scripts create events and pages from your account or send your friends spammy links.
Tell your friend to close their internet window or log out of Facebook to end the attack and secure their account.
If your friend did not paste text into their browser, it's possible that malicious software was downloaded to their computer or that their login information was phished. Tell your friend to visit the Phishing and malware section of our Help Center to secure his or her account.