This malicious code could allow an attacker to gain access to victims' accounts and use them for fraud, to send spam, and to promote further attacks by posting the scam on the victims' timelines for their friends to see. This technique is known as Self Cross-site Scripting, or Self-XSS.
The Self-XSS (Self Cross-Site Scripting) scam is a combination of social engineering and a browser vulnerability, designed to trick Facebook users into providing access to their accounts. Once an attacker or scammer gets access to a user's Facebook account, they can even post and comment on the user's behalf.
To infect a Facebook user, the cyber crooks send a phishing message, via an email or a Facebook post from one of the targeted victim's friends, that claims, in this case, to offer a way to hack any Facebook user by following some simple steps.
The posted scam looks as follows:
Hack any Facebook account following these steps:
1. Go to the victim's profile
2. Click right click then click on inspect element and click the "Console" tab.
3. Paste the code into the box at the bottom and press Enter.
The code is in the web site: https://textuploader .com****/
Good luck: *
Don't hurt anybody…
The scammers want you to follow these instructions and copy and paste the malicious code, supposedly to take over someone else's account. The trick works against users of both Google Chrome and Mozilla Firefox.
Once you self-inject this malicious script into your account, it hands access to your whole account to an attacker, who can then carry out a variety of malicious activities, mainly spreading all sorts of malicious campaigns. The hackers can also infect the victim's computer with malware that can collect banking details and send them to a remote location under their control.
Facebook has also included the scam in its list of threats that its users have been observed to fall victim to. "Scammers who use Self-XSS usually trick you by promising to help you hack somebody else's account," reads the post. "The scammer's goal is to get you to run their malicious code on your computer. When you run their code, you grant the scammer access to your account for fraud, spam, and tricking more people into running the scam."
Spotting these scams and reporting them is the best way to protect yourself, but if you fall victim to one of these attacks, don't panic! Follow the link to learn more about protecting your Facebook account.
Facebook is also working with various browser vendors to add protection in the browser in an effort to prevent this vector from being exploited.
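As an aid to spotting the scam post quoted above, here is an added example (not from the original article or from Facebook) of a text heuristic a moderation or mail filter could apply. The indicator names, patterns, threshold and sample messages are all assumptions constructed for illustration.

```javascript
// Added example: heuristic flagging of Self-XSS lure text in posts or e-mails.
// Indicator names, patterns and the threshold are assumptions for illustration.
const INDICATORS = [
  { name: "devtools", re: /\b(inspect element|developer tools|console)\b/i },
  { name: "paste_code", re: /\b(copy|paste)\b[\s\S]{0,80}\b(code|script)\b/i },
  { name: "press_enter", re: /\b(press|hit)\s+enter\b/i },
  { name: "hack_promise", re: /\bhack\b[\s\S]{0,40}\b(account|profile|password)\b/i },
  { name: "external_link", re: /https?:\/\/\S+/i },
];

function scoreSelfXssLure(text) {
  const hits = INDICATORS.filter((i) => i.re.test(text)).map((i) => i.name);
  // Core signal: the reader is told to open the browser console AND paste code.
  const core = hits.includes("devtools") && hits.includes("paste_code");
  // Require at least one supporting indicator to limit false positives.
  return { hits, suspicious: core && hits.length >= 3 };
}

// Constructed sample messages; the URLs are placeholders, not real indicators.
const SAMPLES = {
  lure: [
    "Hack any Facebook account following these steps:",
    "1. Go to the victim's profile",
    '2. Click right click then click on inspect element and click the "Console" tab.',
    "3. Paste the code into the box at the bottom and press Enter.",
    "The code is in the web site: https://paste.example.invalid/placeholder",
  ].join("\n"),
  support:
    "To report the layout bug, open the Console tab in developer tools " +
    "and send us a screenshot: https://example.org/help",
  coupon: "Paste the discount code at checkout and press Enter to get 10% off.",
};

// Returns { sampleName: true|false } so callers can act on each verdict.
function classifyAll(samples) {
  const verdicts = {};
  for (const [name, text] of Object.entries(samples)) {
    verdicts[name] = scoreSelfXssLure(text).suspicious;
  }
  return verdicts;
}

console.log(classifyAll(SAMPLES));
```

A keyword heuristic like this only prioritises messages for review; reworded lures will evade it, so it complements rather than replaces user reporting.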