Self XSS scams are designed to make you compromise your own - TopicsExpress



          

Self XSS scams are designed to make you compromise your own Facebook account. Such a compromise could allow somebody else to see your posts and post content as you. Ironically, the most common lure for these scams is the promise to compromise somebody else's account. Regardless of how they convince you to do it, the scammer's goal is to get you to run their malicious code on your computer. When you run their code, you inadvertently grant the scammer access to your account for fraud, spam, and above all, tricking more people into running the scam.

Here's an example of a Self XSS scam and how you could be targeted. A victim—usually a friend whose account has been compromised—tags you in a post claiming you can “hack any Facebook account.” They want you to follow the instructions to copy and paste the malicious code:

Note the promise to be able to hack another account by copying and pasting the attacker's code into the browser console.

The console referenced in all of these attacks is the JavaScript console. JavaScript is a programming language used on almost every web site on the Internet today. The console is intended to let developers test new features, debug existing features, and modify the content of pages in real-time. Although it is a powerful and legitimate tool for web developers, most people will probably never need to use their browser's console.

The most common method of getting to the console is instructing the victim to inspect an element on a web page. You can inspect any element on a web page and learn about where it came from, what resources it's using, and even modify the element. From the inspection window, there's a tab for the JavaScript console. Here's what the console looks like in a modern web browser. Note the tab named Console near the top of the image:

There are other ways a scammer could trick you into going to the JavaScript console, such as pressing a function key or using a combination of keystrokes. These are unusual actions, so the attackers create tempting promises to try to convince people to do the work for them.

Spotting these scams and reporting them is the best way to protect yourself, but if you fall victim to one of these attacks, don't panic! We can help you get your account secured again. The best starting place for securing your account is our help page for Self XSS attacks: https://facebook /help/543344735779134/. From there you can learn more about protecting your account, report your own account if there's an issue, or report a friend's account that is behaving suspiciously. You can report a post using the small triangle tab in the upper right hand side of each post, and then selecting “Report/Mark as spam” from the drop-down menu.

Let's stamp out scams together!

Jesse Kornblum is a Security Engineer at Facebook.
Posted on: Fri, 20 Jun 2014 12:24:42 +0000
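
The lure described above has a recognizable shape: a tempting promise, an instruction to copy and paste code, and directions for reaching the JavaScript console. As an added example (not code from the original post or from Facebook), the sketch below scores post text against those three traits so a moderation or reporting tool can flag likely Self XSS lures; the patterns, verdict names and sample posts are assumptions constructed for illustration.

```javascript
// Added example: heuristic Self XSS lure detector.
// The patterns below are assumptions derived from the traits the article lists.
const SIGNALS = {
  // The tempting promise, e.g. "hack any Facebook account".
  promise: /\bhack(?:ing)?\b[^.!?]*\b(?:account|profile|password)\b/i,
  // An instruction to copy and paste code.
  paste: /\b(?:copy|paste)\b[^.!?]*\b(?:code|script)\b|\bjavascript:/i,
  // A route to the console: inspect element, a function key, or a key combination.
  console: /\binspect(?:\s+element)?\b|\bconsole\b|\bF12\b|\b(?:ctrl|cmd)\s*\+\s*shift\s*\+\s*[ijk]\b/i,
};

function scoreSelfXssLure(text) {
  const hits = Object.keys(SIGNALS).filter((name) => SIGNALS[name].test(text));
  // Pasting code into the console is the core of the scam. The promise only
  // raises confidence, and a lone mention of the console is not enough.
  const core = hits.includes("paste") && hits.includes("console");
  const verdict = core ? (hits.includes("promise") ? "block" : "review") : "allow";
  return { hits, verdict };
}

// Constructed sample posts (not real data).
const SAMPLES = [
  "Hack any Facebook account in 3 steps! Right click, choose Inspect Element, " +
    "open the Console tab, then copy and paste this code and press Enter.",
  "Press F12, then paste the script below to unlock profile themes.",
  "Our team fixed the bug by reading the console output in Firefox.",
  "Someone tried to hack my account last week, change your password.",
];

function classifyAll(posts) {
  return posts.map((p) => scoreSelfXssLure(p).verdict);
}

console.log(classifyAll(SAMPLES));
```

Posts that fall into the "review" bucket still ask the reader to paste code into the console, so they deserve a human look even without the hacking promise.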
