The all new Facebook XSS scammers

I am surprised that I have not heard about it on any of the tech blogs. Every other day I get a mail from Facebook, sent on behalf of one of my friends, telling me to see this amazing picture or solve a riddle. Since the mail comes directly from your friends it is difficult to dismiss it as spam. It is a perfect example of social engineering: it uses the trust between friends to get at users' accounts and then uses those accounts to spread itself further.

The scam starts with an email from your friend containing a link to a Facebook page (do not open it before you have read the whole post and understand the consequences). When you open the page you see a wizard with the following steps.

Step #1: Press and HOLD CTRL AND press the letter C

The step is nicely animated so that you know what you are doing. Once you have pressed the keys it takes you to step 2, which tells you that you have "Successfully Copied Code To Your Clipboard!". It does not tell you what code, only that some code has been copied. In other words, the page has intercepted your copy and put its own text on the clipboard in place of whatever you selected.

Step #2: Press and HOLD ALT AND press the letter D

In this step too, as you press the keys you see an animation that gives you feedback about what you are doing, and it highlights the address bar. It even confirms this by displaying "Successfully Selected Your Address Bar!", and then takes you to step 3.

Step #3: Press and HOLD CTRL AND press the letter V. Finally, press ENTER to reveal!

Since most users will blindly follow the instructions, they end up pasting a javascript: URL into the address bar and hitting Enter. The browser runs that script in the context of the Facebook page that is open, so it executes with your session, exactly as if you had typed it yourself: it "likes" the page on your behalf and sends a message to all your friends recommending it. Most of your friends, who trust you, will blindly follow the same instructions thinking that you suggested the page. No hole in Facebook itself is needed; the victim injects the script into their own session, which is why this kind of attack is known as self-XSS.
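To make the two halves of the trick concrete, here is an added example in JavaScript; it is not code from the scam page or from the original post. The copy handler shows how step 1 can put the attacker's text on the clipboard no matter what was selected (this is how the Clipboard API's copy event behaves; the scam's real payload is not known and is replaced by a constructed placeholder), and the checker shows the normalisation an address bar or a paste filter has to apply before it can reliably refuse a javascript: URL, since leading spaces, mixed case and embedded tabs or newlines are all ignored by URL parsers. The function names, the placeholder payload and the fake event object are assumptions made for this example.

```javascript
// Added example (not from the original post): the two halves of the scam's
// mechanism, written so they can be exercised outside a browser.
//
// 1. hijackCopy(): step 1 of the wizard works by listening for the "copy"
//    event and replacing whatever the user thinks they copied with the
//    attacker's payload. The event shape follows the Clipboard API
//    (event.clipboardData.setData / event.preventDefault).
// 2. isJavascriptUrl() / neutralisePastedAddress(): the defensive check an
//    address bar or paste handler applies, following the WHATWG URL
//    scheme rules so that whitespace, case and embedded tabs/newlines do
//    not let "javascript:" slip through.

"use strict";

// Constructed stand-in for the scam's payload; the real one is not known.
const ATTACKER_PAYLOAD =
  "javascript:/* hypothetical payload: would run as facebook.com */void(0)";

// Returns a "copy" event handler that overwrites the clipboard contents.
// In a browser it would be wired up with:
//   document.addEventListener("copy", hijackCopy(ATTACKER_PAYLOAD));
function hijackCopy(payload) {
  return function onCopy(event) {
    // Put the attacker's text on the clipboard instead of the selection...
    event.clipboardData.setData("text/plain", payload);
    // ...and suppress the default copy so the selection never lands there.
    event.preventDefault();
  };
}

// Normalise input the way the WHATWG URL parser does before reading the
// scheme: strip leading/trailing C0 controls and space, then remove every
// ASCII tab, LF and CR anywhere in the string.
function normaliseForSchemeCheck(text) {
  return String(text)
    .replace(/^[\u0000-\u0020]+|[\u0000-\u0020]+$/g, "")
    .replace(/[\t\n\r]/g, "");
}

// True when the pasted text would be parsed as a javascript: URL, i.e.
// would execute in the origin of the page currently shown.
function isJavascriptUrl(text) {
  const cleaned = normaliseForSchemeCheck(text);
  const m = /^([a-zA-Z][a-zA-Z0-9+.-]*):/.exec(cleaned);
  return m !== null && m[1].toLowerCase() === "javascript";
}

// What a paste handler for an address bar should do with such input: drop
// the scheme so that, at worst, the remainder is searched for rather than
// executed. Similar to what modern browsers do when a javascript: URL is
// pasted into the omnibox.
function neutralisePastedAddress(text) {
  if (!isJavascriptUrl(text)) return text;
  return normaliseForSchemeCheck(text).replace(/^javascript:/i, "");
}

// Demonstration with a fake event object standing in for a ClipboardEvent:
// "copy" the page's text, then run the pasted result through the checker.
function demo() {
  const clipboard = {};
  const fakeEvent = {
    clipboardData: { setData: (type, data) => { clipboard[type] = data; } },
    preventDefault() { this.defaultPrevented = true; },
  };
  hijackCopy(ATTACKER_PAYLOAD)(fakeEvent);
  const copied = clipboard["text/plain"];
  return {
    copied,
    defaultPrevented: fakeEvent.defaultPrevented === true,
    flagged: isJavascriptUrl(copied),
    neutralised: neutralisePastedAddress(copied),
  };
}
```

The point of the normalisation step is that a naive `text.startsWith("javascript:")` check is bypassed by a leading space, by `JavaScript:` in mixed case, or by a newline inside the word, all of which the browser's own URL parser silently discards before it decides what scheme it is looking at.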

Because it is a network effect, more and more people keep getting scammed. To most people it might seem like nothing more than spam, but in reality it can be a lot more harmful than that. Script running inside your Facebook session can read your cookies and send them to the spammer, and then everything that was private in your account is out: photos, notes, videos and personal information. It can also send chat messages to all your friends who are logged in. Note that marking the session cookie HttpOnly is not much of a defence here: even if the script cannot read the cookie, it can still make requests to Facebook that carry it, so it can do anything you can do for as long as the page is open.

The scammer has the same privileges as you have and can do everything you can do. None of your personal information is personal any more, because the scammer can log into your Facebook account with your cookies.

If you think you have been scammed, log out of Facebook and log in again. Go to the page that lists your authorized applications and make sure there is none there that you did not authorize to post information. Also, if you are still paranoid, change your password.

If you look at that Facebook page, it takes you to its wall and shows you how many people have been duped. Once someone at Facebook finally disables it you will be redirected to the homepage instead. It is easy to see that new users are added every second, and every new user who likes the page has been duped, with a mail going out to everyone on his list.


