The hacking tool is designed for self-XSS attacks

May 1, 2014 14:42 GMT

There are many individuals who would give anything for a tool that allows them to hack into their friends’ Facebook accounts. Scammers are well aware of this, which is why they often trick Internet users into performing certain actions by promising them such hacking tools.

Symantec’s Satnam Narang has published a blog post to describe such a scheme. A group of Indian cybercrooks have been trying to trick users into handing over access to their accounts by promising them a Facebook hack tool that’s allegedly designed for educational purposes.

Posts published on the social media platform instruct victims to copy a piece of code, paste it into their web browser’s JavaScript console and execute it. Users are told that they must wait for up to two hours before they’re mailed the password they want.

However, no one gets any passwords. The tool works, but it actually hacks the Facebook account of the individual who’s using it. By executing the code provided by the cybercriminals, users are unwittingly handing over access to their accounts.

The code is designed to like various pages and follow lists on behalf of the user. In addition, comments in which the victim’s friends are tagged are published to the initial post advertising the Facebook hacking tool.

This way, the scammers attract the attention of more members of the social network.

This type of attack is called self-XSS and it has been around since 2011. Facebook is aware of such schemes. The company has even disabled the JavaScript console to protect users against such scams.

“By pasting the code in the browser console, the user gives the code access to their account. The code usually posts the same scam on other people's walls, and subscribes the user to pages controlled by the attacker – but it could do much worse things,” Facebook noted.

In order to execute code in the JavaScript console when on Facebook, users must turn on a certain setting.

Experts report that the scammers are based in India. They’ve been publicly discussing their operation, naming it “ethical hacking.”

Users who have fallen victim to this or similar scams must review their activity log to find out which pages have been liked on their behalf. They must remove all comments and posts published by the hackers. It’s also recommended that victims warn their friends to make sure they don’t take the bait.