Just a short post to report an interesting phenomenon!



Today i've been targeted by an unusual phishing attempt on my Facebook account:

I've received a notification sayng that a account named Fəcebook Servıce 05 (pay attention to ə character) the shared one of my photos (in this case, my profile photo).

The photo has been shared on the page of the strange profile, whit this caption:

WARNING⚠
Your account will be deactivated⚠
This is because someone has reported you that there is a difference between content, because it violates the terms of service. If you are the original owner of this account, confirm your account to avoid blocking.
Please confirm your account here:

└► http://fb-recovery-1000001517-reg.16mb.com/update_security.…

🔒If you do not confirmation, our system will automatically block your Facebook account and you will not be able to use it again.
Thanks for helping improve our Facebook service.
Best Regards
Facebook Security Team

This is a clear attemp of social engineering: the attacker try to scare the target and induce it to open a link.

Obviously, the link lands on a fake login (hxxp://fb-recovery-1000001517-reg.16mb.com/update_security.htm?confirmation&fbclid=XXX), with a 'mobile' layout: every credential sent reply with a login error, but at this point credential are already stolen!

(TLDs of 16mb.com domain are often present in TI reports)

So pay attention to such events, and report the phishing attempt: the Facebook security team would certainly not contact you in that way!