A message purporting to be from Facebook claims that the user’s Facebook account has been deactivated and urges him or her to follow a link to reactivate the account.
The message is not from Facebook and the recipient’s account has not been deactivated as claimed. The message is in fact an attempt to promote a dubious “Online Drugstore” that peddles pharmaceutical products and may attempt to steal credit card information via bogus order forms. Clicking the “reactivate” link in the message opens the pharmaceutical spam website. Links in some of the bogus emails may lead to a version of the pharmaceutical website that is known to host malware.
Subject: You have deactivated your Facebook account
You have deactivated your Facebook account. You can reactivate your account at any time by logging into Facebook using your old login email and password. You will be able to use the site like you used to.
The Facebook Team
Sign in to Facebook and start connecting
To reactivate, follow the link below:
[Link to bogus website removed]
This message, which purports to be from social networking website Facebook, claims that the recipient has deactivated his or her Facebook account. The message instructs users to follow a link to log in to Facebook if they wish to reactivate their account.
However, the message is not from Facebook and the claim that the recipient’s Facebook account has been deactivated is untrue. In fact, the message is seemingly an attempt to peddle pharmaceutical products from a dubious “online drugstore” and, in some instances, to trick users into downloading malicious software. Clicking the “reactivate” link in the bogus email opens one of several identical “cloned” versions of the same pharmaceutical website that are hosted on different servers. Several alternate web addresses are used in different versions of the bogus emails, although all of the links lead to an instance of the same cloned website. The links in the message are disguised so that they appear to point to a genuine Facebook login page. At least one of these links opens a version of the pharmaceutical website that has been flagged by Google as being a host for malware, including scripting exploits and trojans.
At first glance, this email looks like a classic phishing scam. However, it is a little different to “normal” Facebook phishing scams in that it does not directly attempt to trick users into submitting their login details and other information via a fake Facebook login page. Instead, it apparently tries to entice recipients into visiting the online drugstore site in the hope that they will attempt to purchase products, or in some cases, inadvertently infect their computers with malicious software. Dubious online drug sites such as these may also steal credit card and other information from users via bogus order forms. The “order form” on the pharmacy website included in these spam emails is not even a secure (https) page even though it asks for credit card details and other personal information. No legitimate online store would ask for credit card details via an unsecure form.
If you receive this email, do not click on any links in the message. Even if clicking the link apparently only opens a spammy but superficially benign pharmaceutical website, the site may actually harbour hidden malware that can infect your computer. The site may also attempt to steal credit card details if you actually try to purchase products. In any case, buying drugs from online pharmacy websites that are willing to promote themselves via spamming and other underhand tactics is certainly not recommended. Even if you actually receive the product you order, there is no guarantee that it will actually contain the medication that you think it does. Taking such medication may be dangerous and illegal. And you may find that your credit card and other details have been harvested by criminals via the site’s bogus order form.
Moreover, it is important to keep in mind that phishing scammers regularly use very similar tactics to trick users into submitting their login details and other personal and financial information via bogus websites or fraudulent forms attached to the scam emails. Be cautious of any email that claims that the account you hold with a company or online service has been suspended or deactivated. If you receive such an email, do not follow any links in the message or open any attachments that it may contain.