We’ve seen a certain j.mp shortened URL being shared by what we believe are rogue (if not compromised) accounts within Facebook a couple of days ago.
In the below sample we recovered, the URL in question is part of a message from another account called “Facebook recovery”—a truly fake one, if I may add—that is up to task of notifying users that their accounts have been reported for abuse and will likely be disabled if they don’t act on the notice ASAP.
Notification: Your Account will be Disabled! Account FACEBOOK you have already been reported by others about the abuse of account, this is a violation of our agreement and may result in your account is disabled. Please verify your email account to unblock and help us do more for security and convenience for everyone. Immediately do recover your Facebook account, by clicking on the link below: hxxp://j[DOT]mp/1HloHXd?help-facebook-recovery "Attention" If you ignore this message, we can not recover your account and your account will be permanently disabled. Sorry to interrupt your convenience. The Facebook Team
The URL, of course, hides the below phishing page:
The blurb on the page is the same as the spammed message on Facebook.
Once a user entered the credentials asked and click Log In, data is posted to recovery.php, and then users are redirected to this payment page, which asks for his/her full name, credit card details, and billing address:
We have no idea why all of a sudden the account that claims to be a legitimate entity from Facebook is asking for a form of monetary compensation for the recovery of accounts. Perhaps that is what the phishers meant when they said “help us do more for security and convenience for everyone”.
We have looked at the stats for the j.mp URL and found that it didn’t yield that many clicks from the time of its creation up to the present. We do notice that most of the days, no clicks were recorded.
click to enlarge
It’s highly likely that the URL is not shared during these days, making it less visible than your average malicious URL.
Less visibility also means that potentially less companies would be able to block it due to flying under the radar. VT results for the j.mp URL shows this.
Furthermore, the majority of clicks are mostly from Asian countries and the United States.
We did a simple search on Facebook for accounts that may contain the string “Facebook recovery”. To date, we found more than 40, and below is just a snapshot of the entire list:
Most of these accounts, as of this time, are currently dormant in terms sharing questionable links within the social network.
One of them offers Facebook support, much like what we see on fake technical support scams.
Checking the number it’s advertising—1-888-901-5314—we found that several users reported calling the number asking for assistance regarding their accounts and was charged with no less than $150 to, say, delete their accounts on Facebook.
This contact number is also related to a questionable antivirus support channel for McAfee. The page itself no longer exists, but we were able to retrieve a cached copy of it to show below:
McAfee Anti-Virus Support McAfee Anti-Virus Support, Protect your small, medium, and enterprise business with the latest security solutions from developed and distributed by Symantec Corporation, provides malware prevention, enables users to safely connect to the Internet, and securely surf internet For fast McAfee support dial 1-888-901-5314. We technicians will provide you assistance for Support for McAfee Antivirus. yippie's technicians will go a step ahead with support services for McAfee Antivirus to guarantee safety, security and cleanliness of your PC. Go ahead and make your PC safe by calling We today!
Malwarebytes Anti-Malware (MBAM) users are already protected from the above phishing URL.
If you see posts on your feed that appear similar to the Facebook post we discussed here, whether it continues to bear the same URL or not, it’s best to ignore it and warn your network about an on-going spam campaign.