Self-XSS, this is how the latest scam that steals your Facebook account works


Self-XSS is not the name of Elon Musk's son, the current head of Tesla, but rather a type of scam that has been causing Facebook headaches in recent months. Scam, ruse or social engineering method, call it what you like. Like most scams that spring up around Facebook, the sole purpose of this trick is to obtain the login details of a huge number of users. The number of reported cases has been so high that the company itself has been forced to publish a guide on the Facebook support page, a guide that can be consulted at this link.


This is how they steal your Facebook account with Self-XSS

According to Wikipedia, Self-XSS is a social engineering attack used to take control of victims’ web accounts. What sets this attack apart from the rest is that it is the user himself who executes the code that lets the attackers obtain the account login details. The method uses the browser console (Google Chrome, Mozilla Firefox, Microsoft Edge …) to run the commands that send the credentials to the attackers. In fact, its name comes from the type of code (cross-site scripting, or XSS) that the victim is asked to execute in the console against themselves.

The way this scam is carried out has been evolving since it became popular. As stated on the Facebook support page, attackers publish a message claiming to have the ‘password’ to get into other people’s Facebook accounts. This message is generally spread through the victims’ wall or through Facebook Messenger once the attackers have obtained the user’s credentials.


Beyond the content of the message, which may vary depending on the country of origin, what the thieves do is attach a fraudulent link. The linked page contains the supposed instructions for stealing another user’s Facebook account, and this is where the scam actually takes place.

The page linked from the original message provides a series of code snippets that the victim is told to paste into the browser console while logged in to Facebook. These commands locate the relevant fields within the website to obtain the email address and password, and then send the credentials to an IP address belonging to the attackers’ server. All of this happens without the user noticing, since the code is unreadable to anyone who is not versed in programming and computer security.

After taking control of the account, the attackers repeat the method by posting messages on the victim’s Facebook wall and in private conversations on Facebook Messenger. The objective? To obtain compromising data and profit from it, either through private extortion or through the sale of the data to third parties.

I have fallen for the trap, what can I do?

The only solution we can apply to regain access to our account is to change the Facebook password, provided the thieves have not already changed it. Otherwise, it is best to turn to Facebook’s account recovery options. In this other article we explain how to proceed step by step.

Depending on how the attackers have proceeded, we can recover our account through the phone number used when registering on Facebook or through an alternative email address. We can also turn to our trusted contacts and a series of security questions to regain full access.
