Facebook Recovery Scam : We’ve seen a certain j.mp shortened URL being shared by what we believe are rogue (if not compromised) accounts within Facebook a couple of days ago.

In the below sample we recovered, the URL in question is part of a message from another account called “Facebook recovery”—a truly fake one, if I may add—that is up to task of notifying users that their accounts have been reported for abuse and will likely be disabled if they don’t act on the notice ASAP.

 

facebook recovery phising message

 

Notification: Your Account will be Disabled!

Account FACEBOOK you have already been reported by others about the abuse of account, this is a violation of our 
agreement and may result in your account is disabled. Please verify your email account to unblock and help us do more 
for security and convenience for everyone.

Immediately do recover your Facebook account, by clicking on the link below:
hxxp://j[DOT]mp/1HloHXd?help-facebook-recovery

"Attention"
If you ignore this message, we can not recover your account and your account will be permanently disabled.
Sorry to interrupt your convenience.

The Facebook Team.

The URL, of course, hides the below phishing page:

 

facebook recovery page phising

 

The blurb on the page is the same as the spammed message on Facebook.

Once a user entered the credentials asked and click Log In, data is posted to recovery.php, and then users are redirected to this payment page, which asks for his/her full name, credit card details, and billing address:

 

credit card phishing via facebook

 

We have no idea why all of a sudden the account that claims to be a legitimate entity from Facebook is asking for a form of monetary compensation for the recovery of accounts. Perhaps that is what the phishers meant when they said “help us do more for security and convenience for everyone”.

We have looked at the stats for the j.mp URL and found that it didn’t yield that many clicks from the time of its creation up to the present. We do notice that most of the days, no clicks were recorded.

 

j.mp URL clicks recorded

 

It’s highly likely that the URL is not shared during these days, making it less visible than your average malicious URL.

Less visibility also means that potentially less companies would be able to block it due to flying under the radar. VT results for the j.mp URL shows this.

Furthermore, the majority of clicks are mostly from Asian countries and the United States.

 

j.mp url clicks per country

 

We did a simple search on Facebook for accounts that may contain the string “Facebook recovery”. To date, we found more than 40, and below is just a snapshot of the entire list:

 

facebook recovery fake accounts

 

Most of these accounts, as of this time, are currently dormant in terms sharing questionable links within the social network.

One of them offers Facebook support, much like what we see on fake technical support scams.

 

facebook techsupport scam

 

Checking the number it’s advertising—1-888-901-5314—we found that several users reported calling the number asking for assistance regarding their accounts and was charged with no less than $150 to, say, delete their accounts on Facebook.

This contact number is also related to a questionable antivirus support channel for McAfee. The page itself no longer exists, but we were able to retrieve a cached copy of it to show below:

 

webshopee techsupport scam

 

McAfee Anti-Virus Support

McAfee Anti-Virus Support, Protect your small, medium, and enterprise business with the latest security solutions from developed and distributed by Symantec Corporation, provides malware prevention, enables users to safely connect to the 
Internet, and securely surf internet

For fast McAfee support dial 1-888-901-5314. We technicians will provide you assistance for Support for McAfee Antivirus. yippie's technicians will go a step ahead with support services for McAfee Antivirus to guarantee safety, security and 
cleanliness of your PC. Go ahead and make your PC safe by calling We today!

If you see posts on your feed that appear similar to the Facebook post we discussed here, whether it continues to bear the same URL or not, it’s best to ignore it and warn your network about an on-going spam campaign.

 

 

*This post was originally written on Malwarebytes blog. 

TRENDING POSTS