In recent weeks a lot of people have been facing social-engineering attacks on their Facebook accounts, but how many of them actually know the mechanics behind those attacks? In this post I have tried to explain some of these Facebook scams and how they work.

Two well-known attacks that lead to scams on Facebook are "share-baiting" and "self-XSS". Share-baiting is a pure social-engineering attack that takes advantage of weaknesses in Facebook's design. Self-XSS combines social engineering with a browser vulnerability.

Take, for example, the Facebook scam posts whose thumbnails appear to be pornographic videos. It looks as if a friend has shared the video, but in fact that friend was a victim of the same scam. Clicking on one of those video thumbnails traps you in it as well. Clickjacking occurs when you click a scam link that then posts the same scam link to the walls of all of your Facebook friends. Since JavaScript code can be cleverly hidden behind Flash videos, neither Facebook nor its users can check them for safety, and this is what makes the clickjacking possible.
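The trick in that paragraph only works if the targeted page can be loaded inside a frame controlled by the scam page, so the server-side defence is to forbid framing. As an added example (not code from Facebook, the post or the video), here is a small Python audit of the two response headers that do this, X-Frame-Options and the CSP frame-ancestors directive, run over constructed sample header sets:

```python
# Added example for this post: a header audit that reports whether a page can
# be embedded by another site, the precondition for the clickjacking above.
# The sample header sets at the bottom are constructed for illustration.
from typing import Dict, List, Tuple


def parse_csp(csp: str) -> Dict[str, List[str]]:
    """Split a Content-Security-Policy header into {directive: [sources]}."""
    policy: Dict[str, List[str]] = {}
    for part in csp.split(";"):
        tokens = part.strip().split()
        if tokens:
            policy[tokens[0].lower()] = [t.lower() for t in tokens[1:]]
    return policy


def framing_protection(headers: Dict[str, str]) -> Tuple[bool, str]:
    """Return (protected, reason) for one response's headers.

    When both headers are present, CSP frame-ancestors wins and X-Frame-Options
    is ignored, which is how browsers resolve the conflict."""
    lower = {k.lower(): v for k, v in headers.items()}
    directives = parse_csp(lower.get("content-security-policy", ""))
    if "frame-ancestors" in directives:
        sources = directives["frame-ancestors"]
        if "*" in sources:
            return False, "frame-ancestors * lets any site embed the page"
        return True, "CSP frame-ancestors limits embedding to " + " ".join(sources)
    xfo = lower.get("x-frame-options", "").strip().upper()
    if xfo in ("DENY", "SAMEORIGIN"):
        return True, "X-Frame-Options " + xfo
    if xfo.startswith("ALLOW-FROM"):
        return False, "ALLOW-FROM is obsolete; current browsers ignore it"
    if xfo:
        return False, "unrecognised X-Frame-Options value is ignored: " + xfo
    return False, "no anti-framing header: page can sit in a hidden iframe"


# Constructed sample responses, one per common configuration.
SAMPLE_RESPONSES = {
    "unprotected": {"Content-Type": "text/html"},
    "xfo_sameorigin": {"X-Frame-Options": "SAMEORIGIN"},
    "csp_none": {"Content-Security-Policy": "default-src 'self'; frame-ancestors 'none'"},
    "csp_wildcard_beats_xfo": {"Content-Security-Policy": "frame-ancestors *",
                               "X-Frame-Options": "DENY"},
    "obsolete_allow_from": {"X-Frame-Options": "ALLOW-FROM https://example.com"},
}


def audit(responses: Dict[str, Dict[str, str]]) -> Dict[str, bool]:
    """Map each sample name to whether its headers block framing."""
    return {name: framing_protection(h)[0] for name, h in responses.items()}


if __name__ == "__main__":
    for name, hdrs in SAMPLE_RESPONSES.items():
        print("%-24s %s" % (name, framing_protection(hdrs)[1]))
```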

Here is a great video by Matt Jones explaining these scamming methods. Matt works on the Data & Security team at Facebook.

Matt explains that web browsers such as Google Chrome and Safari are susceptible to the cross-site scripting (XSS) vulnerability, while other browsers such as Internet Explorer and Firefox are safe from it.