People who want to break into friends’ Facebook accounts are discovering how much it sucks to be on the receiving end of a hack, thanks to a tricky program circulating on Facebook, primarily among Indian Facebook users.

The scam works by preying on people who want to hack into their friends' Facebook accounts. Users will see posts on Facebook advertising for the hack (which says, “Educational Purposes Only” but doesn’t make it clear that it is a hoax otherwise). If a user clicks on the link in the post, it opens to a document on Google Drive with code, and claims that this code gives users access to their friends’ accounts. Users are instructed to paste the code into their browser and wait two hours for the hacking to begin. 

Instead of exposing their target, though, the code works against the hacker. Their Facebook account is manipulated, and starts to ‘like’ and follow Pages associated with the authors of the sneaky code. The hacked account will also tag its entire friend list with instructions about the scam, which keeps the scam going.

Symantec looked into this trick, which is called a "self-XSS" (or "self cross-site scripting") hack. They discovered that the scam has been around since 2011, but the most recent iteration began in early 2014 and may have Turkish authors.

Facebook is trying to warn its wannabe hackers to stay away from this trick, and issues this warning when users try to post the suspicious code into their browser. 


This scam works because it goes after people who are so desperate to gain access to another user's account that they're willing to be reckless, but it doesn't mean the authors are really doing anyone a favor. They're benefitting from hacking the wannabe hackers, since they inflate the follower counts and 'likes' associated with Pages they have created. 

H/T Symantec | Photo via Flickr/Thomas Bonte (CC BY 2.0)