A recent Facebook scam promises just that.
Hack Any Friend’s Facebook Scam
False promises on Facebook: it’s a recurring theme adopted by spammers. This time, it’s a Facebook post that begins as follows:
UPDATE LINK FOR FACEBOOK HACKING
F.A.C.B.O.O.K —-H.A.C.K.I.N.G(ONLY FOR EDUCATION PURPOSES)
The content of the post includes a link to a Google document and written instructions on how to hack your friend’s Facebook account, as well as an instructional video. The instructions tell you to go to the Google document, copy its contents, paste those contents into your web browser’s console (found by hitting F12), hit enter, and wait 2 hours for the hack to kick in.
Users who follow these instructions will in reality hack their OWN account.
Self Cross-Site Scripting Hack
Rather than a magical code to hack your friend’s Facebook account, the contents of the Google Doc are actually a malicious JavaScript code that hijacks your account for spamming. While you sit and wait the prescribed 2 hours for the hack to kick in, your Facebook account is used to generate Likes on pages owned by the attackers. Furthermore, the code tells your account to tag all of your friends in its original post so that they can be lured to it too.
The copy-paste technique used in this scam is called Self Cross-Site Scripting, or Self XSS. Self XSS is about as simple as it gets: Attackers generate malicious code and then try to convince their victims to paste that code into their web console and execute it. This type of attack hinges on social engineering – like dangling the promise of being able to hack any friend’s account – and it has actually been around for quite some time. Reports indicate that this latest campaign has been active since early 2014 and that it has already generated as many as 100,000 fraudulent Likes.
Such success has indeed been noticed by Facebook and prompted the social media giant to issue a warning regarding this type of attack, which includes the option to enable or disable the web console while on Facebook: https://www.facebook.com/selfxss.
The warning jests at enabling the web console by placing the text “Allow my account to be hijacked if I paste malicious JavaScript” next to the setting’s check box. More importantly, the warning also points out that Self XSS can be used to do much worse than generate Like spam. Beyond Facebook accounts, Self XSS is used to run a wide variety of malicious code and to commit all types of cybercrime.
Protect Yourself (from Yourself) with Surf Protection Technology
If you think you have fallen victim to the Hack Your Friend’s Facebook scam, you should review your Facebook activity log to see if your account has been used to generate fraudulent Likes: https://www.facebook.com/help/www/289066827791446. If it has, you can always Unlike them.
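One way to triage an activity log for this pattern, as an added example that is not part of Emsisoft’s post or Facebook’s tooling: Like spam run by a pasted script shows up as a run of Likes on unfamiliar pages only seconds apart, which no person produces by hand. The log format, field names and thresholds below are constructed assumptions; Facebook’s real export looks different.

```python
"""Flag bursts of Likes in a (constructed) Facebook-style activity log.

Self-XSS Like spam runs inside the victim's own session, so the only
trace it leaves in the activity log is a cluster of Likes on pages the
user never visited. This is example code, not Emsisoft's or Facebook's;
the log layout and thresholds are assumptions.
"""
from datetime import datetime, timedelta

# Constructed sample log: ISO 8601 timestamps, one action per entry.
SAMPLE_LOG = [
    {"ts": "2014-06-01T09:00:00", "action": "like",    "page": "Friend's band"},
    {"ts": "2014-06-01T09:45:12", "action": "comment", "page": "Family photos"},
    {"ts": "2014-06-01T12:00:05", "action": "like",    "page": "Cheap Sunglasses"},
    {"ts": "2014-06-01T12:00:09", "action": "like",    "page": "Free Gift Cards"},
    {"ts": "2014-06-01T12:00:14", "action": "like",    "page": "Win an iPhone"},
    {"ts": "2014-06-01T12:00:20", "action": "like",    "page": "Miracle Diet"},
    {"ts": "2014-06-01T12:00:27", "action": "like",    "page": "Work From Home"},
    {"ts": "2014-06-01T12:00:33", "action": "like",    "page": "Get Rich Quick"},
    {"ts": "2014-06-01T18:30:00", "action": "like",    "page": "Local bakery"},
]


def parse_likes(entries):
    """Keep only Like events, as (timestamp, page) pairs sorted by time."""
    likes = [(datetime.fromisoformat(e["ts"]), e["page"])
             for e in entries if e["action"] == "like"]
    return sorted(likes)


def find_like_bursts(likes, window=timedelta(seconds=60), threshold=4):
    """Return runs of at least `threshold` Likes in which every Like follows
    the previous one within `window`. Isolated Likes are left alone."""
    bursts, current = [], []
    for ts, page in likes:
        if current and ts - current[-1][0] <= window:
            current.append((ts, page))
        else:
            if len(current) >= threshold:
                bursts.append(current)
            current = [(ts, page)]
    if len(current) >= threshold:
        bursts.append(current)
    return bursts


def suspicious_pages(entries, **kw):
    """Pages liked inside a burst, in order: the ones to review and Unlike."""
    return [page for burst in find_like_bursts(parse_likes(entries), **kw)
            for _, page in burst]
```

Running `suspicious_pages(SAMPLE_LOG)` on the constructed log returns the six pages liked within 30 seconds at noon and leaves the two genuine Likes untouched.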
It’s also good practice to exercise caution when encountering any Internet offer dangling a virtual carrot just out of reach. Scams like these happen almost every single day, and are most often initiated through large social media networks where they can achieve the most exposure.
If you’d rather not have to worry about things every time you log on to your favorite social site to view pictures of your family and friends, we’d also suggest utilizing Emsisoft Anti-Malware’s Surf Protection Technology. It’s designed to prevent you from visiting malicious websites that contain copy-paste code used in Self XSS attacks. That way, you can protect yourself from yourself (and from malware too).
Have a Great (Malware-Free) Day!