Users are asked to paste code in the browser to hack into a Facebook profile

Jul 28, 2014 10:01 GMT  ·  By

Under the pretext of providing a method to hack into any Facebook account, cybercriminals incite unsuspecting users into pasting malicious code into their web browser.

This scam relies on social engineering, because all the scammer has to do is convince the user to follow a short list of steps that ends with pasting a specific code string into the JavaScript Console accessible in the web browser.

However, all the wannabe hacker ends up with is compromising their own account, giving the crook the possibility to use it to launch future malicious campaigns or to spread current ones.

The message from the cybercrooks can come via email or as a Facebook post from one of the friends in the list of the potential victim. The instructions for taking over someone else’s account are suitable for both Google Chrome and Mozilla Firefox users.

In a sample text provided by Facebook, the scammer describes the entire procedure as a three-step operation that begins with navigating to the Facebook profile that is to be compromised.

Next, from the context menu (right click) of the page, the “Inspect element” needs to be selected, and then the Console tab. Following these steps leads to the exact same result in both Firefox and Chrome.

The last stage of the hack consists of pasting the code provided by the crook and running it by hitting the Enter key.
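As an added example that is not from the article or from Facebook, one defender-side mitigation for the paste-into-console step just described: a page script that prints a prominent warning as soon as the console is opened, so a user following the scammer's instructions sees it before hitting Enter. The site name is a placeholder.

```javascript
// Added example: a page-side console warning against Self-XSS.
// Code pasted into the DevTools console runs with the full privileges of the
// logged-in page (same origin, same session), so the only realistic defence
// at that point is to warn the user before they press Enter.

// Build the warning text separately so it can be tested without a browser.
function buildSelfXssWarning(siteName) {
  return {
    headline: 'Stop!',
    body: [
      'This is a browser feature intended for developers.',
      `If someone told you to copy and paste something here to "hack" a ${siteName} account`,
      'or to unlock a feature, it is a scam and will give them access to YOUR account.',
    ].join('\n'),
  };
}

// Print the warning using %c styling so the headline is large and red.
// Call this early in page load; returns false where no console is available.
function installSelfXssWarning(siteName, out = globalThis.console) {
  if (!out || typeof out.log !== 'function') return false;
  const { headline, body } = buildSelfXssWarning(siteName);
  out.log('%c' + headline, 'color:red;font-size:48px;font-weight:bold;');
  out.log('%c' + body, 'font-size:16px;');
  return true;
}

// Placeholder site name; a real deployment would use its own.
installSelfXssWarning('Example Social Network');
```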

By having access to a Facebook account, the cybercriminals are free to use it as they see fit; but spreading all sorts of malicious campaigns is the main purpose. These can end with compromising other profiles or with deceiving the victim into completing surveys or downloading potentially unwanted software, both activities putting money into their pockets.

Infecting computers with malware that can collect banking details and send them to a remote location controlled by the attackers can also be carried out via this type of malicious activity.

Facebook has added the scam on the list of threats its users have been observed to fall victim to. “Self-XSS, or a cross-site scripting scam, is designed to trick you into giving away access to your Facebook account. If a scammer gets access to your account, they can post and comment on things on your behalf,” reads their post.

Users of the social network are strongly advised not to copy and paste suspicious links in order to avoid the risk of cross-site scripting.