In this post I will explain why you need to be aware of the “your account will be deactivated” scam, and I will share with you some actual phishing domains that are being used in the “your account will be deactivated” Facebook scam.

Taking a look at the “your account will be deactivated” scam

The facebook scam tries to lure Facebook users into providing credentials at the fake Facebook website.

The first page of the Facebook scam

On the first page, the scammers try to trick the users by stating that some unusual activity had been detected, and because of that activity, the security team decided to deactivate your Facebook account.

Your Account will be deactivated soon
We detected unusual activity on your account. Someone may have reported you in non-compliance with our terms of service. We have already reviewed this decision and the decision cannot be changed. To avoid having your account disabled, please verify your account.

Text used on the first page of the Facebook scam

The second page of the scheme

The Facebook user is requested to go to the next page. There the user will be prompted with a form that will request the birthday information of the user.

The final page of the scheme

The final step of the “Your account will be deactivated soon” scam, the scammers try to inform the Facebook user that all needed information has been received and that the account will not be deactivated. In reality, the scammers have received all of the information they wanted.

The scammers that are operating these types of attacks will keep close track to the data they have received. The scammers will then simply forward the unaware Facebook user towards the official Facebook site.

Facebook informs via your profile

The Facebook Security team always informs Facebook account issues via the official Facebook website (facebook.com), they do this in such a matter, that you cannot miss the warning or information Facebook wants to share with you.

Some advice:

• Don’t provide your Facebook credentials to anyone
• If you get a message claiming to be from Facebook, simply start your Facebook as you would always do, and look for any messages from Facebook in your Facebook account

“Your account will be deactivated soon” phishing domains

The scammers which run this scheme utilize multiple domains to host their phishing content. I used the URLscan service to find these domains. This URLscan query quickly provided 21 versions of the phishing attack:

1. app-bosco[.]dtqhn3ddnq-jqp3vn1ky650[.]p[.]runcloud[.]link
2. app-kozey[.]mwwh1mboa9-xmz4qm5dx62o[.]p[.]runcloud[.]link
3. app-baumbach[.]dtqhn3ddnq-jqp3vn1ky650[.]p[.]runcloud[.]link
4. app-brakus[.]dtqhn3ddnq-jqp3vn1ky650[.]p[.]runcloud[.]link
5. app-conn[.]dtqhn3ddnq-jqp3vn1ky650[.]p[.]runcloud[.]link
6. app-berge[.]dtqhn3ddnq-jqp3vn1ky650[.]p[.]runcloud[.]link
7. app-kilback[.]dtqhn3ddnq-jqp3vn1ky650[.]p[.]runcloud[.]link
8. app-bogisich[.]dtqhn3ddnq-jqp3vn1ky650[.]p[.]runcloud[.]link
9. app-bergstrom[.]dtqhn3ddnq-jqp3vn1ky650[.]p[.]runcloud[.]link
10. app-kertzmann[.]3gotbtia9n-pxr4k0p053gn[.]p[.]runcloud[.]link
11. app-gutmann[.]3gotbtia9n-pxr4k0p053gn[.]p[.]runcloud[.]link
12. app-wunsch[.]3gotbtia9n-pxr4k0p053gn[.]p[.]runcloud[.]link
13. app-bayer[.]3gotbtia9n-pxr4k0p053gn[.]p[.]runcloud[.]link
14. app-yost[.]3gotbtia9n-pxr4k0p053gn[.]p[.]runcloud[.]link
15. app-beier[.]kezunlxgra-ewl6n1jmj352[.]p[.]runcloud[.]link
16. app-schmeler[.]kezunlxgra-ewl6n1jmj352[.]p[.]runcloud[.]link
17. app-klocko[.]kezunlxgra-ewl6n1jmj352[.]p[.]runcloud[.]link
18. app-morissette[.]kezunlxgra-ewl6n1jmj352[.]p[.]runcloud[.]link
19. app-tillman[.]kezunlxgra-ewl6n1jmj352[.]p[.]runcloud[.]link
20. acnrcvry[.]kezunlxgra-ewl6n1jmj352[.]p[.]runcloud[.]link
21. scrtypages[.]kezunlxgra-ewl6n1jmj352[.]p[.]runcloud[.]link