Facebook users are once again the target of a malicious scheme—this time in the form of a notification about “Facebook Chat”.
The spammed notification pretends to come from the “official Facebook Chat Team.” A notification shows users of a tagged comment to a Facebook Note containing a fake announcement about a Facebook Chat verification requirement.
Figure 1. Facebook Chat verification notification
The spam tries to sound urgent to convince users to verify their accounts. To do so, they are first asked to to go to a Pastebin URL and are instructed to copy a specific code. The set of instructions differ depending on what browser is being used (Google Chrome, Mozilla Firefox, or Internet Explorer).
Users are then directed to a shortened link and are asked to press a particular function key (F12 for Google Chrome users, for example). After clicking on the console tab, users are supposed to paste the provided Javascript code into the address bar, then press Enter. This actually gives bad guys access to the user’s account, giving them the capability to auto-tag anyone in the users’ friends list and start the cycle of victimizing other account users.
Figure 2. Console where the Javascript code is supposed to be entered
From the get-go, users should know that there is no product called “Facebook Chat,” let alone a team that sends out a supposed “advisory” to its users. The social media site’s official instant messaging feature is called Facebook Messenger, which also the name of its stand-alone app. Earlier this month, Facebook announced that Android and iOS users will be required use this stand-alone app by eliminating the chat features of the traditional app versions of the site.
Facebook has taken action against threats like this by releasing an official announcement. The official Facebook warning notes, “This is a variant on the self-XSS attack. By pasting the code in the browser console, the user gives the code access to their account. The code usually posts the same scam on other people’s walls, and subscribes the user to pages controlled by the attacker – but it could do much worse things.”
In 2013, a mobile phishing page disguised as a legitimate Facebook mobile page has been used to victimize users by stealing their credit card details. In the same year, the Facebook Security Check page has been spoofed by phishers leading to a number of stolen account credentials.
Protecting your online accounts from different threats requires constant vigilance. Always check and verify links that are sent your way, even if they come from a friend or contact. In the same light, sift through the number of contacts you add to your network and only add those you know personally to minimize risks of compromising your accounts and harming your computer.
