Spammers steal Facebook accounts pretending to be the "Facebook Chat Team"

If you come across an announcement from the "Facebook Chat Team," you should know that it is part of a scam designed to trick members of the big social network into handing their accounts over to spammers.
The message says:

"All Chat Box must be verified before 24th May 2014 to avoid Chat under SOPA and PIPA Act. The unverified Chat will be terminated."

"All Chat Boxes must be verified before May 24, 2014 to avoid the blocking of your conversations by SOPA and the PIPA Act. Unconfirmed Chats will be terminated."


According to Trend Micro, users who click on the links contained in the message are taken to a Pastebin post that contains instructions on how they can verify their account. The Pastebin post contains malicious JavaScript code and instructs victims on how to run it from their browser console.


When the code is executed, the scammers get access to the victim's account. Although the access they acquire is limited, they can still repost the scam on the victim's timeline, tag other users, and make them like new pages.

"Users should be aware that there is no product called 'Facebook Chat,' let alone one which sends a warning message," Trend Micro experts report.

Facebook is already aware of this scam and has taken the necessary steps to stop it.

"There is a popular scam that claims the user will gain some benefit (illegal access to another account, a new Facebook feature, etc.) by pasting some JavaScript code into their browser console," says Facebook, referring to a page that explains self-XSS attacks and how the JavaScript console works.

This is a variant of self-XSS. By pasting the code in the browser console, the user gives the code access to their account. The code usually posts the same scam on other people's walls, and subscribes the user to pages controlled by the attacker – but it could do much worse things.

Users who are victims of such attacks should check their timeline and delete all messages the scam posted from their account. They should also check the activity log to see what other actions have been taken without their knowledge.

Generally speaking, if you want to avoid falling victim to such scams, do not trust any post that claims that your account or some features will be disabled if you do not take action.
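The traits of this scam described above (a threat of termination, a deadline, a "verify" request, and instructions to paste code into the browser console) can be checked mechanically when triaging reported messages. This is an added example, not code from Trend Micro, Facebook or this site; the signal patterns, verdict names and the second and third sample texts are assumptions constructed for illustration.

```javascript
// Heuristic triage for self-XSS lures. The patterns below are illustrative
// assumptions, not detection rules published by Trend Micro or Facebook.
const SIGNALS = {
  // Threat that an account or feature will be cut off
  threat: /\b(terminated|disabled|blocked|suspended|deactivated)\b/i,
  // A deadline that pressures the reader to act quickly
  deadline: /\b(before|within|by)\s+(the\s+)?\d{1,2}(st|nd|rd|th)?\b/i,
  // Request to "verify" or "confirm" something
  verify: /\b(verif(y|ied|ication)|confirm(ed)?)\b/i,
  // Instruction to open developer tools or paste code into them
  console: /\b(browser console|developer tools|F12|paste (the|this) code)\b|Ctrl\s*\+\s*Shift\s*\+\s*[IJK]/i,
  // Link to a paste site (the scam on this page used Pastebin)
  pasteLink: /https?:\/\/(www\.)?pastebin\.com\/\S+/i,
};

function triage(text) {
  const signals = Object.keys(SIGNALS).filter((name) => SIGNALS[name].test(text));
  const has = (name) => signals.includes(name);
  let verdict = "no-lure-signals";
  if (has("console") && (has("verify") || has("threat") || has("pasteLink"))) {
    // Console instructions combined with an account pretext: classic self-XSS
    verdict = "self-xss-instructions";
  } else if (has("threat") && (has("deadline") || has("verify"))) {
    // Pressure message that typically leads to the instructions page
    verdict = "pressure-lure";
  } else if (has("pasteLink")) {
    verdict = "review-link";
  }
  return { verdict, signals };
}

// Sample 1 is the message quoted in this article; samples 2 and 3 are constructed.
const SAMPLES = {
  lureMessage: "All Chat Box must be verified before 24th May 2014 to avoid Chat " +
    "under SOPA and PIPA Act. The unverified Chat will be terminated.",
  landingText: "To verify your Chat Box, press F12, open the browser console " +
    "and paste the code below.",
  benign: "Are we still meeting by 10 tomorrow?",
};

for (const [name, text] of Object.entries(SAMPLES)) {
  const { verdict, signals } = triage(text);
  console.log(`${name}: ${verdict} [${signals.join(", ")}]`);
}
```

A single signal, such as the deadline in the benign sample, does not produce a lure verdict; the combination is what matters.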


Written by giorgos
