Friday, June 20, 2008

Phishing Campaign Spreading Across Facebook

Phishers have once again indicated their interest in obtaining fresh passwords for social networking sites, by using the already hacked accounts there in order to social engineer the account holder's friends that the phishing links they leave as comments are legitimate. This latest internal phishing campaign circulating across Facebook, is a part of a bigger phishing operation, whose reliance on fast-fluxed domains used in the campaign indicates it's a part of a botnet.

Sample messages spammed across Facebook :

"hey, howdy?? oh lisen i got a new friend here shex kinda new on facebook..maybe you can give her a lil tym so she can enjoy here?? not forcin u but u can chk out =)"

"i got a new friend here..shex kinda new here..maybe you can give her a lil tym so she can enjoy here?? not forcin u but u can chk out =)...her profile is"

"hi, watsup?? luk i want you to add ma new friend, as she is new here maybe you can give her lil time so she enjoys her online stay :P her profile is"

Sample phishing URLs and fast-flux domains from this campaign :

- facebook.com.profile.id.ep7vu2.749e92q.916ad771.info/facebook/index.php?id=f543li12

- facebook.com.profile.id.mgt9fr5n.mg6qdo.e77c98037.com/facebook/index.php?id=sjv5ppwqb&auth=5086550&cyua=dm2yozoq3y

- facebook.com.profile.id.bvbu38.krpz.dortos.net/facebook/index.php?id=y39zjy4c6&auth=462&cyua=2wr8tckkg8

- facebook.com.profile.id.10g10th3.7q342k8.31dd6db6.com/facebook/index.php?id=b36a7sh7&auth=bnspa&cyua=31064jrv8u2

1d27c9b8fb.com
31dd6db6.com

dortos.net

e77c98037.com

916ad771.info


Related phishing domains sharing fast-flux infrastructure with one another :


paypal.client-confirmation.com

acznc84.com

ccitu938.com

e77c98037.com
ccitu938.com

civvi05.com

client29184146.com

cnzu390.com

d71adb12.com

dd25d624.com

f009c270.com
fzkgoo6.com

lvozx90.com

r8t0p0l4.net

2j1f.com

31c5f18a7f.com

3h8ax3.com

4442852.com

47cx972x.com

72195e6.info

aur83jf82la.com

f80a5b31be7.com
gllofj8532.com

3h8ax3.com

47cx972x.com

aur83jf82la.com

client1874741.com

client1929848.com

client9994414.com

ringbe.com
ringbean.com

ringwe.com

xctiw4.com

They also seem to be in a process of diversifying the social networks to be attacked, having Hi5 in mind - hi5.com.profile.id.yijs.dcrt.1d27c9b8fb.com/hi5/?id=chrislef&auth=rwx&cyua=albumem

Related posts:
Large Scale MySpace Phishing Attack
Update on the MySpace Phishing Campaign
MySpace Phishers Now Targeting Facebook
MySpace Hosting MySpace Phishing Profiles

No comments:

Post a Comment