In the following screenshot you can see a fake Facebook email that pretends to be the notification of a new private message. Clicking on the images starts the download of the trojan, which at the moment has a rather low detection rate on VirusTotal (2/42):
The file is hosted on a compromised .com.co site, which can be seen clearly by hovering over the links without clicking them. This is a good habit for weeding out fraudulent messages when in doubt: if the destination is a strange URL that makes no sense, as in this case, we are almost certainly looking at a spam or phishing attack.
However, we must be careful with all links. Sometimes they closely resemble the real ones, and in the case of Facebook it is even possible to disguise them under the real domain www.facebook.com itself, which at first glance can fool more than one person.
E.g.: www.facebook.com/l.php?u=Url%2F&h=X
This is the format of Facebook's link redirector. The u parameter holds the destination URL, and the X at the end is a code generated automatically for each link. However, u can be replaced with any URL and the redirect will still work.
In this way a malicious page can be disguised under Facebook's real domain. This is nothing new; it has been known for a long time, and some attackers use it to deceive their victims. I mention it so that you are forewarned and do not trust a link received by email or chat simply because it begins with www.facebook.com.
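The two checks described above (where does the hovered link really go, and does a www.facebook.com link hide another destination in its u parameter) can be automated without ever visiting the link. The following is an added example written for this page, not code from the original post or from Facebook: it unwraps l.php?u=... redirectors offline, including nested ones, and judges the final host against a small trusted-host list. The sample links, the host names hacked-site.example.com.co and www.facebook.com.evil.example, and the TRUSTED_HOSTS set are all constructed assumptions for the demonstration.

```python
"""Resolve where a link really points before trusting the domain it shows.

Facebook's l.php redirector carries the true destination in the ``u`` query
parameter, so a link that displays www.facebook.com can send the browser to
any other site. This example (not Facebook's or the post author's code)
unwraps that parameter locally and checks the final host, and also catches
lookalike hosts such as www.facebook.com.evil.example.
"""
from urllib.parse import parse_qs, quote, urlsplit

# Hosts treated as genuinely Facebook-owned. Assumption for this example.
TRUSTED_HOSTS = {"facebook.com", "www.facebook.com"}

# Path of the redirector endpoint shown in the post (www.facebook.com/l.php).
REDIRECTOR_PATH = "/l.php"


def _with_scheme(url: str) -> str:
    """urlsplit() needs a scheme to recognise the host; add one if missing."""
    return url if "://" in url else "http://" + url


def host_is_trusted(host: str, trusted: set = TRUSTED_HOSTS) -> bool:
    """True only if host IS a trusted host or a proper subdomain of one.

    The comparison is anchored on dot boundaries from the right, so
    'www.facebook.com.evil.example' does not match: a substring test would.
    """
    host = host.lower().rstrip(".")
    return any(host == t or host.endswith("." + t) for t in trusted)


def effective_destination(url: str, max_hops: int = 5) -> str:
    """Follow l.php?u=... redirector parameters (possibly nested) offline.

    No network request is made; each hop just reads the ``u`` parameter,
    which parse_qs() percent-decodes for us. Stops after max_hops to avoid
    looping on a pathological link.
    """
    for _ in range(max_hops):
        parts = urlsplit(_with_scheme(url))
        is_redirector = (
            host_is_trusted(parts.hostname or "") and parts.path == REDIRECTOR_PATH
        )
        if not is_redirector:
            return url
        target = parse_qs(parts.query).get("u")
        if not target:
            return url          # redirector without a destination: nothing to unwrap
        url = target[0]         # already percent-decoded by parse_qs
    return url


def verdict(url: str) -> tuple:
    """Return (final_host, 'trusted' | 'suspicious') for a link a user hovered."""
    final = effective_destination(url)
    host = urlsplit(_with_scheme(final)).hostname or ""
    return host, ("trusted" if host_is_trusted(host) else "suspicious")


# Constructed sample links for the demonstration (not real messages).
PHISH_VIA_REDIRECT = (
    "https://www.facebook.com/l.php"
    "?u=http%3A%2F%2Fhacked-site.example.com.co%2Fmsg.php&h=AQxyz"
)
# A redirector wrapped inside a redirector, built with quote() so the
# double percent-encoding is exact.
NESTED_REDIRECT = "https://www.facebook.com/l.php?u=" + quote(
    PHISH_VIA_REDIRECT, safe=""
)
LOOKALIKE_HOST = "http://www.facebook.com.evil.example/login"
GENUINE_LINK = "https://www.facebook.com/messages/"

if __name__ == "__main__":
    for link in (PHISH_VIA_REDIRECT, NESTED_REDIRECT, LOOKALIKE_HOST, GENUINE_LINK):
        host, label = verdict(link)
        print(f"{label:10s} {host:35s} <- {link[:70]}")
```

The point of host_is_trusted() is that the domain must be compared on dot boundaries: checking whether a URL "contains facebook.com" or "starts with www.facebook.com" is exactly the instinct the redirector and lookalike domains exploit.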