Facebook has taken steps to mitigate self-XSS attacks

Apr 19, 2014 02:51 GMT

If you come across an announcement from the “Facebook Chat Team,” you should know that it’s part of a scam designed to trick users into giving spammers access to their accounts. 

“All Chat Box must be verified before 24th May 2014 to avoid Chat Blocking under SOPA and PIPA Act. The unverified Chat will be terminated,” the scammy announcements read.

According to Trend Micro, users who click on the links are taken to a Pastebin post that contains instructions on how to allegedly “verify the chat.” Victims are provided with pieces of code which they’re told to paste in their web browser’s JavaScript console.

Once the code is executed, the scammers gain access to the victim’s account. While their actions are limited, they can re-post the scam on the hijacked timeline, tag other users, and subscribe the victim to certain pages.

“From the get-go, users should know that there is no product called ‘Facebook Chat,’ let alone a team that sends out a supposed ‘advisory’ to its users,” Trend Micro experts warn.

Facebook is aware of these scams and has taken steps to block them.

“There is a popular scam going around that claims the user will gain some benefit (illicit access to someone else's account, some new Facebook feature, etc) by pasting some piece of JavaScript into the browser's console,” Facebook explained on a page about self-XSS attacks and the way the JavaScript console works on the website.

“This is a variant on the self-XSS attack. By pasting the code in the browser console, the user gives the code access to their account. The code usually posts the same scam on other people's walls, and subscribes the user to pages controlled by the attacker – but it could do much worse things,” the company added.

“To avoid this, the console is now gently disabled in some browsers. If you want to use the console, turn the following setting on; you'll need to reload the page for it to take effect.”
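The mitigation Facebook describes above works at the console level: the page cannot stop a user from pasting code, but it can print a prominent warning and silence the console unless the user has deliberately turned it back on. The following is an added illustration of that idea, not Facebook's own code; the setting name `console_enabled`, the storage interface (any object with a `getItem` method, such as `localStorage`) and the warning text are all assumptions made for this example.

```javascript
// Added example (not Facebook's code): a self-XSS mitigation that "gently disables"
// the developer console behind an opt-in setting the user must set and then reload.
// Assumptions: the opt-in lives under a localStorage-style key named "console_enabled";
// the warning text below is constructed for this example.

const SETTING_KEY = 'console_enabled'; // assumed setting name
const GUARDED_METHODS = ['log', 'info', 'warn', 'error', 'debug'];

const WARNING_TEXT = [
  'Stop! This is a browser feature intended for developers.',
  'If someone told you to paste something here to "verify" or unlock a feature,',
  'it is a scam and pasting it will give them access to your account.',
  `To use the console anyway, run: localStorage.setItem('${SETTING_KEY}', 'true')`,
  'and then reload the page.',
].join('\n');

// The opt-in is read once at load time, which is why a reload is needed to apply it.
function isConsoleEnabled(storage) {
  try {
    return !!storage && storage.getItem(SETTING_KEY) === 'true';
  } catch (e) {
    return false; // storage blocked (private mode, etc.): stay in the safe, guarded state
  }
}

// Prints the warning once through the real console, then replaces the output methods
// with no-ops. Returns what was done plus a restore() for tests or a later opt-in.
function installConsoleGuard(consoleObj, storage) {
  if (isConsoleEnabled(storage)) {
    return { enabled: true, guarded: [], restore() {} };
  }
  if (typeof consoleObj.warn === 'function') {
    consoleObj.warn(WARNING_TEXT); // shown before the console goes quiet
  }
  const original = {};
  const guarded = [];
  for (const name of GUARDED_METHODS) {
    if (typeof consoleObj[name] !== 'function') continue;
    original[name] = consoleObj[name];
    consoleObj[name] = function () {}; // drop output instead of throwing
    guarded.push(name);
  }
  return {
    enabled: false,
    guarded,
    restore() {
      for (const name of guarded) consoleObj[name] = original[name];
    },
  };
}

// Stand-alone demonstration on a simulated console so the real one is left untouched.
function demo() {
  const seen = [];
  const fakeConsole = {
    log: (m) => seen.push(['log', m]),
    warn: (m) => seen.push(['warn', m]),
  };
  const noOptIn = { getItem: () => null };
  const guard = installConsoleGuard(fakeConsole, noOptIn);
  fakeConsole.log('this line is dropped while the guard is active');
  guard.restore();
  fakeConsole.log('this line is delivered again');
  return { guarded: guard.guarded, delivered: seen.map((entry) => entry[0]) };
}

console.log(JSON.stringify(demo()));
```

The guard only changes what the user sees; JavaScript pasted into the console still executes with the page's session, so the warning and the friction of the opt-in are the actual defence, and they should be paired with the account-side review described below (checking the timeline and Activity Log for posts and subscriptions the user did not make).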

Users who fall victim to such attacks should check their timelines and remove all the posts published on their behalf. It might also be wise to check the Activity Log to see what other actions have been performed without their knowledge.

In general, if you want to avoid falling victim to such scams, don’t trust any posts claiming that your account or certain features will be deactivated unless you perform some actions.