We know that Facebook scammers can be very creative and that they are experimenting with new ways to achieve their goals. Besides the omnipresent malicious Facebook apps that steal the user’s permissions to post to his or her wall, we currently see a rise in the number of manual script attacks, in which the user is talked into pasting a script into the browser, with a few hundred thousand users falling victim daily.
Once the user follows the steps, he or she is redirected to the usual survey advertisement site before anything is revealed. The promised results, of course, will not be the real list of people who visited your profile, since no such function exists in Facebook.
The attacks described above are not new. We actually wrote about event spam and other attacks in our whitepaper on the risks of social networking last September.
But since they work and are harder for Facebook to filter, they might become more prevalent.
Of course, this is not a Facebook-specific problem; we have seen similar issues in other social networks. Their respective security teams are working hard to remove those attacks. Still, you should always be vigilant and sceptical when exploring social networks. Even messages from friends may lead to malicious content. If you are asked to install an application or to copy and paste a script for no clear reason, you’d better ignore it, since it is most likely a trap.
Note: We know that Facebook engineers have been working diligently on the self cross-site scripting (self-XSS) problem. Not only have enforcement mechanisms been pursued to shut down the malicious pages and fake accounts, but Facebook has also been putting affected users through educational checkpoints to help curb the spread of the attacks.