Phishers have once again shown their interest in obtaining fresh passwords for social networking sites, using already hacked accounts there to social engineer the account holders' friends into believing that the phishing links left as comments are legitimate. This latest internal phishing campaign circulating across Facebook is part of a bigger phishing operation, whose reliance on fast-fluxed domains indicates that it is part of a botnet.
Sample messages spammed across Facebook:
"hey, howdy?? oh lisen i got a new friend here shex kinda new on facebook..maybe you can give her a lil tym so she can enjoy here?? not forcin u but u can chk out =)"
"i got a new friend here..shex kinda new here..maybe you can give her a lil tym so she can enjoy here?? not forcin u but u can chk out =)...her profile is"
"hi, watsup?? luk i want you to add ma new friend, as she is new here maybe you can give her lil time so she enjoys her online stay :P her profile is"
Sample phishing URLs and fast-flux domains from this campaign:
- facebook.com.profile.id.ep7vu2.749e92q.916ad771.info/facebook/index.php?id=f543li12
- facebook.com.profile.id.mgt9fr5n.mg6qdo.e77c98037.com/facebook/index.php?id=sjv5ppwqb&auth=5086550&cyua=dm2yozoq3y
- facebook.com.profile.id.bvbu38.krpz.dortos.net/facebook/index.php?id=y39zjy4c6&auth=462&cyua=2wr8tckkg8
- facebook.com.profile.id.10g10th3.7q342k8.31dd6db6.com/facebook/index.php?id=b36a7sh7&auth=bnspa&cyua=31064jrv8u2
1d27c9b8fb.com
31dd6db6.com
dortos.net
e77c98037.com
916ad771.info
Related phishing domains sharing fast-flux infrastructure with one another:
They also seem to be in the process of diversifying the social networks to be attacked, having Hi5 in mind - hi5.com.profile.id.yijs.dcrt.1d27c9b8fb.com/hi5/?id=chrislef&auth=rwx&cyua=albumem
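Every URL above puts the brand's domain at the front of the hostname while the name that is actually resolved is the unrelated domain at the end. The following detection check is an added example, not code from the original post; the `BRANDS` list, the function names and the two benign URLs are assumptions, and it generalizes slightly by flagging the brand's labels anywhere in the host rather than only at the start.

```python
from urllib.parse import urlsplit

# Brands to protect (assumption: the two networks named in the post).
BRANDS = ("facebook.com", "hi5.com")

def hostname(url):
    """Return the lower-cased host of a URL, tolerating a missing scheme."""
    if "://" not in url:
        url = "http://" + url
    return (urlsplit(url).hostname or "").rstrip(".")

def impersonated_brand(url, brands=BRANDS):
    """Return the brand a host pretends to be, or None.

    A host is flagged when the brand's labels appear inside it
    (facebook.com.profile.id...) but it does not end with them, i.e. the
    domain actually being resolved belongs to someone else.
    """
    host = hostname(url)
    padded = "." + host + "."          # lets us match whole labels only
    for brand in brands:
        legit = host == brand or host.endswith("." + brand)
        if "." + brand + "." in padded and not legit:
            return brand
    return None

def effective_domain(url):
    """Last two labels of the host (naive; a public suffix list is more exact)."""
    return ".".join(hostname(url).split(".")[-2:])

# URLs quoted in the post, plus two constructed benign ones for contrast.
SAMPLES = [
    "facebook.com.profile.id.ep7vu2.749e92q.916ad771.info/facebook/index.php?id=f543li12",
    "facebook.com.profile.id.bvbu38.krpz.dortos.net/facebook/index.php?id=y39zjy4c6&auth=462&cyua=2wr8tckkg8",
    "hi5.com.profile.id.yijs.dcrt.1d27c9b8fb.com/hi5/?id=chrislef&auth=rwx&cyua=albumem",
    "https://www.facebook.com/profile.php?id=1",   # constructed
    "http://example.org/facebook.com/index.php",   # constructed
]

if __name__ == "__main__":
    for url in SAMPLES:
        brand = impersonated_brand(url)
        verdict = f"spoofs {brand} via {effective_domain(url)}" if brand else "ok"
        print(f"{verdict:40} {url[:60]}")
```

The same check can run over proxy or mail-gateway logs; the brand name in a URL path, as in the last sample, is deliberately not flagged because the host is what the browser connects to.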
Related posts:
Large Scale MySpace Phishing Attack
Update on the MySpace Phishing Campaign
MySpace Phishers Now Targeting Facebook
MySpace Hosting MySpace Phishing Profiles
Friday, June 20, 2008
Phishing Campaign Spreading Across Facebook
Independent Security Consultancy, Threat Intelligence Analysis (OSINT/Cyber Counter Intelligence) and Competitive Intelligence research on demand. Insightful, unbiased, and client-tailored assessments, neatly communicated in the form of interactive reports - because anticipating the emerging threatscape is what shapes the big picture at the end of the day. Approach me at dancho.danchev@hush.com