New Facebook Scam Fools Users Into Hacking Their Own Accounts

A new Facebook scam promising users the ability to hack anyone’s account is only a guide towards hacking your own account.

facebook scam

Photo: Sukharevskyy Dmytro

The scam lures users by providing a guaranteed access to anyone’s account in three easy steps. But following the steps make users hack their own page, via a method termed as Self-XXS, which makes anyone who attempts the guide vulnerable to new scam and phishing campaigns.

The scam pops up as a Facebook post on your Timeline or an email from a friend of a victim, promising to ‘hack any account following three steps’. It then asks you to open up your Facebook in a new browser and head over to the Facebook page of the individual you want to hack. Then right-clicking anywhere on the page brings up a pop-up menu where you are asked to select ‘Inspect Element’. This presents an HTML editor at the bottom of the web browser.

In the HTML editor, the scam guides readers to copy-paste a string of code. However, the code doesn’t fulfill its promise; but grants scammers access to your account.

Security spearheads Symantec revealed the following pertaining to the scam in a blog post:

“What really happens when you paste this code into your browser console window is that a series of actions are performed using your Facebook account without your knowledge.”

“Behind the scenes, your account is used to follow lists and users, and give likes to pages in order to inflate the follower and like counts defined by the scammers.”

The instructions also detail that the code will take approximately two hours to take effect, belying the suspicion when nothing works to reveal the passwords of friends. But behind the scenes, the code is using the would-be hacking account, including liking pages and following specific users. No doubt scammers are paid to inflate likes and follower counts of pages and Facebook users artificially.

This type of hack is labelled ‘XSS’ or cross-site scripting, as it compromises a web-page by injecting a string of code that makes the site vulnerable, but it is a browser-based vulnerability, not Facebook’s headache.

Once the scammers have access to the account, they can use it to post more fake guidelines, and even engage in cyber scams. They could also access the email or password, which makes the other accounts of the victim vulnerable as well. Users who have same credentials to other accounts as Facebook are recommended to change passwords immediately.

The code also tries to attract new targets through social engineering techniques on Facebook.

“Your account is also used to tag the names of all your friends in the comment section of the original post. This is done to help the scam spread further, playing off the curiosity of your friends, who may visit the post to find out more and hopefully follow the instructions as well,” explains Symantec.

Though Facebook has added Self-XSS to its security threat list, along with a warning to users stating not to paste any suspicious codes into browsers, the social giant hasn’t made any announcements to patch the code that is the basis of this attack.

“There is a popular scam going around that claims the user will gain some benefit (illicit access to someone else’s account, some new Facebook feature, etc) by pasting some piece of JavaScript into the browser’s console,” says Facebook on the JavaScript console warning page.

“The code usually posts the same scam on other people’s walls, and subscribes the user to pages controlled by the attacker – but it could do much worse things. To avoid this, the console is now gently disabled in some browsers.”

Here’s an excerpt of what the scam looks like:

Hack any Facebook account following these steps:

1. Go to the victim’s profile
2. Click right click then click on inspect element and click the “Console” tab.
3. Paste the code into the box at the bottom and press Enter.

The code is in the web site: http://textuploader .com****/
Good luck: *
Don’t hurt anybody…

The hackers want you to follow instructions by copying and pasting the malicious code, for taking control over a friend’s account. The trick, scammers claim, is applicable for both Mozilla Firefox and Google Chrome users.

The scam is not new, and was first seen on the network in 2011. The new reported scam is the variant of the one that was seen at the start of the year, modified from the initial code that saw success with 50,000 to 100,000 Facebook users falling victim.

If you see this spam message, flag it by clicking the upper-right corner of the feed post (as you can do with any post) and select ‘this is spam’. You should also track the artificial likes and following through your activity log and contact Facebook if you have been affected.