Hackers Target Users with “Facebook Account Recovery” Phishing Message

Researchers have recently spotted a j.mp shortened URL being shared by fake accounts on Facebook, targeting users with a phishing link.

Hackers are sending spam messages from a phony account claiming to be “Facebook recovery”, notifying users that their accounts committed abuse and will likely be disabled if they don’t follow the given instructions.

After a user enters their credentials and clicks Log In, the data is posted to recovery.php, and the user is then redirected to a payment page, which asks for their full name, credit card details, and billing address.



A screenshot showing the message sent to users’ inbox on Facebook:



This is the payment page where Facebook users are redirected:


It is astonishing to see an account claiming to be a legitimate Facebook recovery account asking for reimbursements; this is in fact the intent of the phishers.


While looking at the stats for the j.mp URL, researchers discovered that it didn’t yield that many clicks from the time of its creation up to the present. When no clicks are recorded, the URL is likely not being shared, making it less visible to the spammers. Less visibility also means that possibly fewer companies would be able to block it. However, the majority of the clicks are from Asian countries and the United States.

Researchers did a simple search on Facebook for accounts that may contain the string “Facebook recovery”. To date, they have found more than 40; most of them are dormant and are not sharing questionable links on Facebook. Some of them even go as far as offering technical support for fake technical support scams.

A check on the advertised number, 1-888-901-5314, revealed that several users reported calling the number to ask for help and being charged almost $150 just to get their accounts deleted, reports Malwarebytes.


This contact number is also related to a dubious antivirus support channel for McAfee. The page itself no longer exists but a cached copy was retrieved.


If you see posts on your feed that appear similar to the Facebook post we just discussed, the best thing to do is to avoid them and warn your network about a possible spam campaign.
