Independent Contractor. Bitcoin: 15Zvie1j8CjSR52doVSZSjctCDSx3pDjKZ Email: dancho.danchev@hush.com OMEMO: ddanchev@conversations.im | OTR: danchodanchev@xmpp.jp | TOX ID: 2E6FCA35A18AA76B2CCE33B55404A796F077CADA56F38922A1988AA381AE617A15D3D3E3E6F1
Saturday, June 22, 2013
Fake 'Rihanna & Chris Brown S3X Video' Spam Campaign Spreading Across Facebook, Monetized Through Adf Dot Ly PPC Links
A currently ongoing, click-jacking driven spam campaign is circulating across Facebook, with the affected users further spreading the adf.ly links on the Walls of their friends, in between tagging them, with the cybercriminal/cybercriminals behind the campaign, earning revenue through the adf.ly pay-per-click (PPC) monetization scheme.
Redirection chain:
hxxp://adf.ly/Qrd2f?cid=51c3e798aff9a -> hxxp://rihannaofficialvideo.blogspot.de/?231514 -> hxxp://www.smilegags.com/watch/jack.php?action=connect&cid=51c3e798aff9a -> hxxp://lolzbestpic.com
MD5s for the Facebook spamming/click-jacking scripts:
MD5: fe97840bd2af654acdb63fd80b094531
MD5: f8a360728a896d40bbb0f190375fb6f6
MD5: bae32ffd43ac2f518dafeedb8901e2de
MD5: 90fa366b8affac24fe182b7b5de51b16
Domain name reconnaissance:
smilegags.com - 184.107.164.158
lolzbestpic.com - 64.79.76.226
Name servers used:
Name Server: NS1.PYARISHQ.INFO
Name Server: NS2.PYARISHQ.INFO
Name Server: NS1.HOSTING.XLHOST.COM
Name Server: NS2.HOSTING.XLHOST.COM
Responding to the same IP (184.107.164.158) are also the following domains:
amasave.com
wikilieaksvideo.com
ns1.pyarishq.info
ns2.pyarishq.info
Known to have responded to the same IP (184.107.164.158) in the past are also the following domains:
costcochristmas.com
costcogives.com
giftcardgratis.com
icagivings.com
lomanako.com
picknpaygives.com
remabilaget.com
rewegives.com
vodkaforyou.info
topvideosweden.com
Responding to (64.79.76.226) is also the following domain:
silali.info
Known to have responded to the same IP (64.79.76.226) is also the following domain:
promvideo.pw
Related posts:
Koobface Botnet Redirects Facebook's IP Space to my Blog
Malware-Serving "Who's Viewed Your Facebook Profile" Campaign Spreading Across Facebook
Fake 'Facebook Profile Spy Application' Campaign Spreading Across Facebook
Phishing Campaign Spreading Across Facebook
Facebook Malware Campaigns Rotating Tactics
MySpace Phishers Now Targeting Facebook
Facebook Photo Album Themed Malware Campaign, Mass SQL Injection Attacks Courtesy of AS42560
Facebook/AOL Update Tool Spam Campaign Serving Crimeware and Client-Side Exploits
This post has been reproduced from Dancho Danchev's blog. Follow him on Twitter.
Independent Security Consultancy, Threat Intelligence Analysis (OSINT/Cyber Counter Intelligence) and Competitive Intelligence research on demand. Insightful, unbiased, and client-tailored assessments, neatly communicated in the form of interactive reports - because anticipating the emerging threatscape is what shapes the big picture at the end of the day. Approach me at dancho.danchev@hush.com
Subscribe to:
Post Comments (Atom)
No comments:
Post a Comment