A video post making the rounds on Facebook shows how to hack the highly popular social media website in order to gain access to accounts and other features – but really it is a scam that only results in users hacking their own accounts.
Last week, researchers with Symantec discovered the scam impacting users in India, according to a Wednesday blog post, which explains that the operators are using a variation of a trick known as self cross-site scripting, or self-XSS, that dates back to 2011.
It is a fairly simple strategy.
The video post links to code stored on Google Drive and states that, by pasting the code into the browser console window, the Facebook hack will be successful within a couple of hours, Satnam Narang, a researcher with Symantec Security Response, wrote in the blog.
What actually ends up happening is that the victim's Facebook account begins following and "liking" posts by the scammers, according to the blog, which adds that accounts also tag their friends in a comment on the original video post, in order to spread the scam.
“The code impacts any Facebook user around the world,” Narang told SCMagazine.com in a Thursday email correspondence, noting users in the U.S. may have been affected. “It just so happens that this particular campaign was launched in India. The code is geo-location agnostic.”
The code, which contains hints that the authors may have been Turkish, is fairly lengthy and complex, Narang said, but he explained that what it essentially does is utilize commands and requests made to Facebook in order to perform the specific actions, such as subscribing to a profile.
“This particular scam is specific to Facebook and cannot be used on other social media websites and services,” Narang said. “The goal here, for these scammers, is to inflate the 'likes' and follower counts for their company [and] brand pages and their own profiles [on Facebook]."
Narang added that Facebook disabled consoles in some browsers and gives users a choice to turn it back on.