Late last week, Facebook users in India were tricked by scammers who were claiming to offer a tool that could hack Facebook in order to obtain passwords belonging to the users’ friends. Unfortunately for these users, they actually ended up hacking their own accounts for the scammers and exposed their friends in the process.
Figure 1. Scam promoting how to hack your Facebook friends
Want to hack your friends?
A post began circulating on Facebook from a particular page featuring a video with instructions on “Facebook Hacking” and a disclaimer stating that it was for educational purposes only. The post links to a document hosted on Google Drive that contains some code that, according to the scam, will reveal the user’s friends’ Facebook passwords. The instructions attempt to convince the user to paste the code into their browser’s console window and ask them to wait two hours before the hack will supposedly work.
You just hacked yourself
Figure 2. Facebook account hijacked to follow and like various pages
What really happens when you paste this code into your browser console window is that a series of actions are performed using your Facebook account without your knowledge. Because the code runs inside your already logged-in session, it needs no password: anything it asks Facebook to do is carried out as you. Behind the scenes, your account is used to follow lists and users and to like pages, inflating the follower and like counts of pages and profiles chosen by the scammers.
Figure 3. What does the Fox say? I have over 56,000 likes!
Your account is also used to tag the names of all your friends in the comment section of the original post. This is done to help the scam spread further, playing off the curiosity of your friends, who may visit the post to find out more and hopefully follow the instructions as well.
Figure 4. User’s compromised account tags friends in the original scam post
What is this type of scam called?
This scam is a variation of a method known as self-XSS (self cross-site scripting), where a user is tricked into copying and pasting code into their browser’s console that will perform various actions on their behalf.
Facebook is trying to discourage users from unwittingly harming their own accounts through this method. Some users who attempt to paste code may receive a warning from within their browser’s developer console that points to the following link:
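To make the mechanism behind the scam concrete, here is an added example that is not code from the original post, from the scammers, or from Facebook. It simulates the two halves described above: first, why a snippet pasted into the console can act as the logged-in user without ever knowing the password (it inherits the page’s session), and second, a console warning of the kind Facebook shows, using the browser console’s %c styling directive. The page context, session token, endpoint names (/like, /follow, /comment) and page and friend identifiers are all constructed for the demo and are assumptions; nothing here contacts Facebook or reproduces the real scam script.

```javascript
// Added example: self-XSS in miniature. All endpoints, identifiers and the
// session token are constructed for this demo (assumptions, not Facebook's).

// --- A stand-in for the page context -------------------------------------
// In a real browser, code run from the console executes inside the page and
// holds the same ambient authority the page does: the session cookie travels
// automatically with every request to the site, so no password is needed.
function makePageContext(sessionToken) {
  const actions = []; // the "server side" record of what this session did

  // Stand-in for the site's own XHR/fetch wrapper. It authenticates with the
  // ambient session credential, exactly as the page's own code would.
  function apiCall(endpoint, payload) {
    if (sessionToken !== 'sess-demo-token') throw new Error('not logged in');
    actions.push({ endpoint, payload });
    return { ok: true };
  }
  return { apiCall, actions };
}

// Evaluate a pasted snippet "in the console": it gets the page's helper in
// scope, which is all a self-XSS payload needs to act on the user's behalf.
function runInConsole(ctx, pastedSource) {
  const fn = new Function('apiCall', pastedSource);
  return fn(ctx.apiCall);
}

// A constructed stand-in for the behaviour the post describes: like pages,
// follow a profile, tag friends in a comment on the original scam post.
// The page and friend identifiers are placeholders.
const PASTED_SCAM_SNIPPET = `
  const pagesToLike = ['page-A', 'page-B'];
  const friends = ['friend-1', 'friend-2', 'friend-3'];
  for (const p of pagesToLike) apiCall('/like', { page: p });
  apiCall('/follow', { profile: 'scammer-profile' });
  apiCall('/comment', { post: 'original-scam-post', tags: friends });
`;

// Runs the constructed snippet as a logged-in user and returns what the
// "server" recorded: four actions, none of which required a password.
function simulateScam() {
  const ctx = makePageContext('sess-demo-token');
  runInConsole(ctx, PASTED_SCAM_SNIPPET);
  return ctx.actions;
}

// --- The defensive side: a console warning like the one the post mentions --
// The %c directive lets a site style its console output; large red text is
// what makes such a warning hard to miss. The wording is illustrative, not
// Facebook's exact text. `log` is injectable so the output can be checked.
function selfXssWarning(log = console.log) {
  const headline = 'Stop!';
  const body =
    'This is a browser feature intended for developers. If someone told you ' +
    'to copy and paste something here to "hack" an account or unlock a ' +
    'feature, it is a scam and will give them control of your account.';
  log('%c' + headline, 'color:red; font-size:48px; font-weight:bold;');
  log('%c' + body, 'font-size:16px;');
  return { headline, body };
}

// Stand-alone demo: show the recorded actions, then the warning.
console.log(simulateScam());
selfXssWarning();
```

Running it in Node prints the four recorded actions followed by the warning text (Node ignores the %c CSS; a browser console renders it). The point a practitioner should take away is the first half: the payload never touches a password because the session it inherits is already authenticated, which is why the only real defences are not pasting the code and, on the site’s side, the warning plus monitoring for bursts of likes, follows and tagged comments from one account.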
Is this type of scam new?
This type of scam originally began circulating back in 2011. This current iteration has been around since at least the beginning of 2014.
The original scammers behind this iteration had great success with the scam at the beginning of this year, netting between 50,000 and 100,000 likes and followers on a number of pages and profiles. Some of the variable names in the code (mesaj and arkadaslar, Turkish for “message” and “friends”) suggest the authors are Turkish speakers.
Why is this affecting users in India?
For this campaign, the individuals responsible are based in India. They have modified the original authors’ code by simply adding their own pages and profiles into the script to increase their follower and like counts.
What to do if you have fallen for this scam
If your account has liked and followed a number of pages and profiles without your consent, you should review your activity log. From your activity log, you can locate, unlike and unfollow the pages and profiles associated with this scam. You should also consider posting a status update notifying your friends about the scam to make sure they don’t fall for the same trick.
The opposite of ethical hacking
Figure 5. Scammers label their efforts as “ethical hacking”
While investigating this scam, we found that the individuals behind it were publicly discussing their efforts. Speaking in Punjabi, one of the individuals summed it up by saying, “Now this is the way ethical hacking is happening.” However, these efforts couldn’t be further from the concept of ethical hacking.
A lesson learned
Always remember that if it sounds too good to be true, it is. Being able to hack someone’s Facebook password by just pasting some code into your browser sounds far too easy and should signal that this is a scam. At the end of the day, it is your own account that ends up compromised. It’s best to err on the side of caution and think twice before following instructions that ask you to paste code into your browser to hack passwords or unlock features on a website.