Wednesday, December 11, 2013

Continuing Facebook "Who's Viewed Your Profile" Campaign Affects Another 190k+ Users, Exposes Malicious Cybercrime Ecosystem


Last week, immediately after I published the initial analysis detailing a massive privacy-violating "Who's Viewed Your Profile" campaign, that was circulating across Facebook, the cybercriminals behind it, supposedly took it offline, with one of the main redirectors now pointing to 127.0.0.1.

Not surprisingly, the primary campaign has multiple sub-campaigns still in circulation, which based on the latest statistics -- embedded within the campaign on the same day they supposedly shut it down -- has already exposed another 190,000+ of the social network's users -- the original campaign appears to have been launched in 2011 having already exposed 800,000+ users -- to more rogue, privacy violating apps -- JS.Febipos, Mindspark Interactive Network's MyImageConverter and Trojan-Ransomer.CLE, in this particular case.

Let's dissect the still circulating campaign, expose the entire infrastructure supporting it, establish direct connections with it to related malicious campaigns, indicating that someone's either multi-tasking, or that their malicious/fraudulent activities share the same infrastructure, provide MD5s for the currently served privacy-violating apps, as well as list the actual -- currently live -- hosting locations.


Sample redirection chain:
hxxp://NXJXBMQ.tk/?12358289 - 93.170.52.21; 93.170.52.33 -> hxxp://p2r0f3rviewer9890.co.nf/?sdk222222222222222222222222222222222222222222222222222222222222222222222222222222
2222222222222222222222222222222222222222222222222222222222222222222222222222222222
2222222222222222222222222222222222222222222222222222222222222222222222222222222222
2222222222222222222222222222222222222222222222222222222222222222222222222222222222
2222222222222222222222222222222222222222222222222222222222222222222222222222222222
2222222222222222222222222222222222222222222222222222222222222222222222222222222222
2222222222222222222222222222222222222222222222222222222222222222222222222222222222
2222222222222222222222222222222222222222222222222222222222222222222222222222222222
2222222222222222222222222222222222222222222222222222222222222222222222222222222222
2222222222222222222222222222222222222222222222222222222222222222222222222222222222
2222222222222222222222222222222222222222222222222222222222222222222222222222222222
2222222222222222222222222222222222222222222222222222222222222222222222222222222222
2222222222222222222222222222222222222222222222222222222222222222222222222222222222
2222222222222222222222222222222222222222222222222222222222222222222222222222222222
2222222222222222222222222222222222222222222222222222222222222222222222222222222222
222222222222222222222222222222222222222222222222222222222222222222222222222ajsklfjasl
fkjasfklja -> hxxp://prostats.vf1.us - 192.157.201.42 -> hxxp://whoviewsfb.uni.me/ch/profile.html - 82.208.40.11

Redirection chain domain name reconnaissance:
NXJXBMQ.tk - 93.170.52.21; 93.170.52.33
p2r0f3rviewer9890.co.nf - 83.125.22.192
whoviewsfb.uni.me - 82.208.40.11
prostats.vf1.us - 192.157.201.42
wh0stalks.uni.me - 192.157.201.42
cracks4free.info - 192.157.201.42

Known to have responded to 93.170.52.21 are also the following fraudulent domains:
0.facebook.com.fpama.tk
001200133184123129811.tk
00wwebhost.tk
01203313441.tk
01prof86841.tk
029m821t9fs.4ieiii.tk
031601.tk
0333.tk
0571baidu.tk
05pr0f1le21200.tk
05pr0file214741.tk
060uty80w.tk
06emu.tk
0886.tk
0akleycityn.tk
0ao0grecu.tk
0fcf7.chantaljltaste.tk
0lod1lmt1.tk
0love.tk

The following malicious MD5s are also known to have phoned back to 93.170.52.21 in the past:
MD5: ee78fe57ad8dbac96b31f41f77eb5877
MD5: bed006372fc76ec261dc9b223b178438
MD5: 58f9cbec80d1dc3a5afbb7339d200e66
MD5: fd0c6b284f7700d59199c55fdcd5bd8a
MD5: 4bfeb3c882d816d37c3e6cbb749e44af
MD5: 97ec866ac26e961976e050591f49fec3
MD5: aba1720b1a6747de5d5345b5893ba2f5
MD5: de5e1f6f137ecb903a018976fc04e110
MD5: a9669b65cabd6b25a32352ccf6c6c09a
MD5: 003f4d9dafba9ee6e358b97b8026e354
MD5: bab313e031b0c54d50fd82d221f7defc
MD5: e6b766f627b91fd420bd93fab4bc323f
MD5: d63656d9b051bf762203b0c4ac728231
MD5: 935440d970ee5a6640418574f4569dab
MD5: 2524e3b4ed3663f5650563c1e431b05c
MD5: f726646a41f95b12ec26cf01f1c89cf9
MD5: a5af6c04d28fcea476827437caf4c681
MD5: c7346327f86298fa5dad160366a0cf26
MD5: 912ed9ef063ae5b6b860fd34f3e8b83a
MD5: b33aaa98ad706ced23d7c64aed0fcad6

Known to have responded to 93.170.52.33 are also the following fraudulent domains:
0lwwa.tk
0msms.tk
122.72.0.7sierra-web-www.szjlc-pcb.tk
1z8dz.tk
4f1wz8.ga
777898.ga
888234.ml
8eld7.tk
abmomre.tk
accountupdateinformation.tk
ahram-org-eg.tk
alex-fotos.tk
allycam.tk
amerdz.ml
angelsmov.tk
apis-drives-google.tk
apis-googledrive.tk
apple-idss.tk
appleid.apple.com.cgi-bin.myappleid.woa.apple-idss.tk
avtoshina.tk

The following malicious MD5s are also known to have phoned back to 93.170.52.33 in the past:
MD5: 2d951e649a8bbcbfa468f7916e188f9f
MD5: dbe2c0788e74916eba251194ef783452
MD5: 4bfeb3c882d816d37c3e6cbb749e44af
MD5: dc01c1db51e26b585678701a64c94437
MD5: 61cc3de4e9a9865e0d239759ed3c7d5a
MD5: 64505b7ca1ce3c1c0c4892abe8d86321
MD5: 0b98356395b2463ea0f339572b9c95ef
MD5: 9e87c189d3cbf2fc2414934bef6e661b
MD5: 48964a66bdc81b48f2fe7a31088c041b
MD5: f81c85bea0e2251655b7112b352f302e

The following MD5s are also known to have phoned back to 83.125.22.192 in the past:
MD5: 3935b6efa7e5ee995f410f4ef1e613ab
MD5: 64c1496e1ba2b7cb5c54a33c20be3e95
MD5: 08f76a1ed5996d7dfdcf8226fe3f66b9
MD5: f508d8034223c4ce233f1bdbed265a3a

Known to have responded to 82.208.40.11 are the following fraudulent domains:
000e0062fb44cd5b277591349e070277.cz.cc
003bc1b16c548efbc4f30790e0bc17be.cz.cc
0057ab88a8febe310f94107137731424.cz.cc
008447a58c242b52cb69fe7dceea9a0b.cz.cc
00a47e5e57323f23c66f2c2d5bc1debc.cz.cc
00a9a591d1e7aaf65639781bc73199d4.cz.cc
00ad3353e0ba865a521da380ba4e0cc4.cz.cc
00d55beb792962f7a04c66b85f2c6082.cz.cc
00e3b9ece447187da3f43f98ab619a28.cz.cc
00eb52dbc4331a64e4fd96fdca890d9c.cz.cc
00f59cfa33cd097e943a38a8f2e343ee.cz.cc
00fbdb49398f0e5fd9d5572044d8934e.cz.cc
010ab81241856dfca44dd9ade4489fbc.cz.cc
011622fb7752328ebb60bd2c075f1fe6.cz.cc
011fbf88cff1c18e05c2afb53d6e5ffd.cz.cc
0133147433aeef23bbe60df0cbc4eac9.cz.cc
013f98b7157ae3754d463e9d2346a549.cz.cc
013fa3e9db6e476282b8e9f1bac6d68e.cz.cc
017c2bd33744c2d423a2a7598a0c0a4e.cz.cc
019368b1f3b364c0d3ec412680638f04.cz.cc

The following malicious MD5s are also known to have phoned back to 82.208.40.11 in the past:
MD5: 2c89dfc1706b31ba7de1c14e229279e5
MD5: 6719d3e8606d91734cde25b8dfc4156f
MD5: 61dcea6fbf15b68be831bff8c5eb0c1d
MD5: 3875fa91f060d02bddd43ff8e0046588
MD5: 929b72813bae47f78125ec30c58f3165
MD5: 96fa2ea6db2e4e9f00605032723e1777
MD5: c46968386138739c81e219da6fb3ead5
MD5: 3d627e0dbc5ac51761fa7cc7b202ec49
MD5: d9714a0f7f881d3643125aa0461a30be
MD5: 81171015a95073748994e463142ddcc7

Known to have responded to 192.157.201.42 are also the following fraudulent domains:
cracks4free.info
pr0lotra.p9.org
prostats.vf1.us
wh0prof.uni.me
cracks4free.info

Time to provide the actual, currently live, hosting locations for the served privacy-violating content.


Mindspark Interactive Network's MyImageConverter served URL:
hxxp://download.myimageconverter.com/index.jhtml?partner=^AZ0^xdm081

Google Store served URLs:
hxxps://chrome.google.com/webstore/detail/miapmjacmjonmofofflhnbafpbmfapac - currently active
hxxps://chrome.google.com/webstore/detail/dllaajjfgpigkeblmlbamflggfjkgbej

Dropbox Accounts serving the Android app (offline due to heavy usage), and the Firefox extension:
hxxps://dl.dropboxusercontent.com/s/rueyn3owrrpsbw4/whoviews5.xpi - currently online
hxxps://dl.dropboxusercontent.com/s/so3vm50w298qkto/WhoViewsYourProfile.apk

Facebook App URL:
hxxp://apps.facebook.com/dislike___button/

Google Docs served privacy-violating apps:
hxxps://docs.google.com/uc?authuser=0&id=0BziH-mKCuQwqVFljUDBnTjFHdVE&export=download
hxxps://docs.google.com/uc?authuser=0&id=0BziH-mKCuQwqRXBMLWZ4cVZJV2s&export=download
hxxps://docs.google.com/uc?authuser=0&id=0BziH-mKCuQwqOXlyNko0VFBOdnM&export=download
hxxps://docs.google.com/uc?authuser=0&id=0BziH-mKCuQwqZm5yeUFudFhqclU&export=download
hxxps://docs.google.com/uc?authuser=0&id=0BziH-mKCuQwqbWpfNW5FalJmRGM&export=download
hxxps://docs.google.com/uc?authuser=0&id=0BziH-mKCuQwqS3V1ZkZBQjJGbjQ&export=download
hxxps://docs.google.com/uc?authuser=0&id=0BziH-mKCuQwqX2xXbEJLbEY0Q3M&export=download
hxxps://docs.google.com/uc?authuser=0&id=0BziH-mKCuQwqMU5RVkJSWURxME0&export=download
hxxps://docs.google.com/uc?authuser=0&id=0BziH-mKCuQwqVFljUDBnTjFHdVE&export=download

GA Account IDs: UA-23441223-3; UA-12798017-1
MyImageConverter Affiliate Network ID: ^AZ0^xdm081

Detection rate for the served apps/extensions:
MD5: 30cf98d7dc97cae57f8d72487966d20b - detected by 19 out of 49 antivirus scanners as Trojan-Ransomer.CLE; Troj/Mdrop-FNZ
MD5: 88dd376527c18639d3f8bf23f77b480e - detected by 8 out of 49 antivirus scanners as JS:Febipos-N [Trj]; JS/Febipos

Once executed, MD5: 30cf98d7dc97cae57f8d72487966d20b also drops MD5: 106320fc1282421f8f6cf5eb0206abee and MD5: 43b20dc1b437e0e3af5ae7b9965e0392 on the affected hosts. It then phones back to 195.167.11.4:

Two more MD5s from different malware campaigns, are known to have phoned back to 195.167.11.4:
MD5: 8192c574b8e96605438753c49510cd97
MD5: d55de5e9ec25a80ddfecfb34d417b098


The Privacy Policy (hxxp://prostats.vf1.us/firefox/pp.html) and the EULA (hxxp://prostats.vf1.us/firefox/eula.html) point to hxxp://dislikeIt.com - 176.74.176.179. Not surprisingly, multiple malicious MD5s are also known to have previously interacted with the same IP:
MD5: d366088e4823829798bd59a4d456a3df
MD5: 3c73db8202d084f33ab32069f40f58c8
MD5: d7fce1ec777c917f72530f79363fc6d3
MD5: 83568d744ab226a0642233b93bfc7de6
MD5: c84b1bd7c2063f34900bbc9712d66e0f
MD5: 58baa919900656dacaf39927bb614cf1
MD5: a86e97246a98206869be78fd451029a0
MD5: 70a0894397ac6f65c64693f1606f1231
MD5: f9166237199133b24cd866b61d0f6cca
MD5: 0f24ad046790ee863fd03d19dbba7ea5


Based on the latest performance metrics for the campaign, over 190,000 users have already interacted with this sub-campaign, since 4th of December, when I initially analyzed the primary campaign.


Monitoring of the campaign is naturally in progress. Updates will be posted as soon as new developments take place.

This post has been reproduced from Dancho Danchev's blog. Follow him on Twitter.