Self-XSS, this is how the latest scam that steals your Facebook account works


Self-XSS is not the name of the son of Elon Musk, the current head of Tesla, but rather a type of scam that has been causing headaches for Facebook in recent months. Call it a scam, a ruse or a social engineering method; whatever the label, like most scams that spring up around Facebook, its sole purpose is to obtain the login credentials of as many users of the social network as possible. The number of reported cases has been so high that the company itself has been forced to publish a guide on the Facebook support page, which we link to here.


This is how they steal your Facebook account with Self-XSS

According to Wikipedia, Self-XSS is a social engineering attack used to take control of victims' web accounts. What sets this type of attack apart from the rest is that the victims themselves execute the code that hands their account credentials to the attacker. The method relies on the browser's developer console (Google Chrome, Mozilla Firefox, Microsoft Edge ...) to run the commands that send the credentials to the attackers. Its name, in fact, refers to the cross-site scripting (XSS) code that the victim is talked into running against their own session in that console.

The way this scam is carried out has been evolving since it became popular. As the Facebook support page explains, the attackers post a message claiming to have the 'key' to access other people's Facebook accounts. This message is usually spread through the walls of victims or through Facebook Messenger, once the attackers have already obtained those users' credentials.


Beyond the content of the message, which varies depending on the country of origin, what the thieves do is attach a fraudulent link. Behind that link are the supposed instructions that will let us steal another user's Facebook account. And this is where the actual scam is set up.

The web page linked from the original message provides a series of code snippets that we are told to paste into the browser console while logged in to Facebook. These commands locate the relevant fields on the site to read the email address and password. The code then sends the credentials to an IP address that belongs to the attackers' server. All of this happens without the user noticing, since the code is unreadable to anyone without a background in programming and computer security.

After taking control of the account, the attackers repeat the method by posting messages on the victim's Facebook wall and in private conversations on Facebook Messenger. The objective? To obtain compromising data that can be turned into money, either through private extortion or through the sale of the data to third parties.

I have fallen into the trap, what can I do?

The only solution we can apply to regain access to our account is to change the Facebook password, provided the thieves have not already changed it. Otherwise, the best course of action is to use Facebook's account recovery options. In this other article we explain how to proceed step by step.

Depending on how the attackers have proceeded, we can recover our account through the phone number we used when registering with Facebook or through an alternative email address. We can also turn to our trusted contacts and a series of security questions to regain full access.
