Continuing Facebook "Who's Viewed Your Profile" Campaign Affects Another 190k+ Users, Exposes Malicious Cybercrime Ecosystem
December 11, 2013
Last week, immediately after I published the initial analysis detailing a massive privacy-violating "Who's Viewed Your Profile" campaign that was circulating across Facebook, the cybercriminals behind it supposedly took it offline, with one of the main redirectors now pointing to 127.0.0.1.
Not surprisingly, the primary campaign has multiple sub-campaigns still in circulation. Based on the latest statistics, embedded within the campaign on the same day it was supposedly shut down, these have already exposed another 190,000+ of the social network's users to more rogue, privacy-violating apps: in this particular case JS.Febipos, Mindspark Interactive Network's MyImageConverter and Trojan-Ransomer.CLE. The original campaign appears to have been launched in 2011 and has already exposed 800,000+ users.
Let's dissect the still-circulating campaign, expose the entire infrastructure supporting it, establish direct connections between it and related malicious campaigns (indicating either that someone is multi-tasking, or that their malicious/fraudulent activities share the same infrastructure), provide MD5s for the currently served privacy-violating apps, and list the actual, currently live, hosting locations.
Sample redirection chain (the second hop's query string is padded with a very long run of the digit 2, trimmed here):
hxxp://NXJXBMQ.tk/?12358289 - 93.170.52.21; 93.170.52.33 -> hxxp://p2r0f3rviewer9890.co.nf/?sdk222[...]222ajsklfjaslfkjasfklja -> hxxp://prostats.vf1.us - 192.157.201.42 -> hxxp://whoviewsfb.uni.me/ch/profile.html - 82.208.40.11
Redirection chain domain name reconnaissance:
NXJXBMQ.tk - 93.170.52.21; 93.170.52.33
p2r0f3rviewer9890.co.nf - 83.125.22.192
whoviewsfb.uni.me - 82.208.40.11
prostats.vf1.us - 192.157.201.42
wh0stalks.uni.me - 192.157.201.42
cracks4free.info - 192.157.201.42
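The chain and reconnaissance notation above is straightforward to turn into defensive indicators. The following Python is an added example (not code from the original post): it parses the post's "URL - IP; IP" hop notation, undoes the hxxp defanging, and runs the resulting host and IP sets over constructed Squid-style proxy log lines, matching on the request host (including subdomains) or on the upstream IP when the hostname has changed but the hosting has not. The chain's long query-string padding is shortened, and the log lines are made up.

```python
"""Added example, not from the original post: parse its redirection-chain notation into indicators and scan proxy logs."""
import re
from urllib.parse import urlsplit

# One hop as written in the post: "<hxxp URL>[ - <ip>[; <ip>...]]"
HOP_RE = re.compile(r"^(?P<url>\S+)(?:\s+-\s+(?P<ips>[\d.; ]+))?$")

def hostname_of(url: str) -> str:
    """Undo the hxxp/hxxps defanging and return the lowercase hostname."""
    url = re.sub(r"^hxxp(s?)://", r"http\1://", url, flags=re.IGNORECASE)
    return (urlsplit(url).hostname or "").lower()

def parse_hops(chain: str) -> tuple[set[str], set[str]]:
    """Split 'A -> B -> C' into hops; collect each hop's host and annotated IPs."""
    hosts, ips = set(), set()
    for hop in (h.strip() for h in chain.split("->") if h.strip()):
        m = HOP_RE.match(hop)
        if not m:
            raise ValueError(f"unparseable hop: {hop!r}")
        if host := hostname_of(m["url"]):
            hosts.add(host)
        if m["ips"]:
            ips.update(ip.strip() for ip in m["ips"].split(";") if ip.strip())
    return hosts, ips

def scan_squid_log(lines, hosts, ips):
    """Flag listed request hosts (or their subdomains) and listed HIER_DIRECT upstream IPs; returns (line_no, reason, value)."""
    hits = []
    for n, line in enumerate(lines, 1):
        f = line.split()
        url = next((x for x in f if x.startswith(("http://", "https://"))), "")
        host = hostname_of(url) if url else ""
        upstream = next((x.split("/", 1)[1] for x in f if x.startswith("HIER_DIRECT/")), "")
        if any(host == d or host.endswith("." + d) for d in hosts):
            hits.append((n, "host", host))
        elif upstream in ips:  # hostname rotated, hosting IP did not
            hits.append((n, "ip", upstream))
    return hits

# Chain from the post; the second hop's long '2222...' padding is shortened here.
CHAIN = ("hxxp://NXJXBMQ.tk/?12358289 - 93.170.52.21; 93.170.52.33 -> "
         "hxxp://p2r0f3rviewer9890.co.nf/?sdk222ajsklfjaslfkjasfklja -> "
         "hxxp://prostats.vf1.us - 192.157.201.42 -> "
         "hxxp://whoviewsfb.uni.me/ch/profile.html - 82.208.40.11")
SAMPLE_LOG = [  # constructed Squid access.log lines, not real traffic
    "1386770400.001 120 10.0.0.7 TCP_MISS/302 420 GET http://nxjxbmq.tk/?12358289 - HIER_DIRECT/93.170.52.21 text/html",
    "1386770400.450 88 10.0.0.7 TCP_MISS/200 9120 GET http://www.example.com/ - HIER_DIRECT/93.184.216.34 text/html",
    "1386770401.002 95 10.0.0.9 TCP_MISS/200 3310 GET http://cdn.prostats.vf1.us/firefox/pp.html - HIER_DIRECT/192.157.201.42 text/html",
    "1386770401.900 70 10.0.0.9 TCP_MISS/200 610 GET http://other.invalid/x - HIER_DIRECT/82.208.40.11 image/gif",
]

def demo():
    hosts, ips = parse_hops(CHAIN)
    return scan_squid_log(SAMPLE_LOG, hosts, ips)
```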
Known to have responded to 93.170.52.21 are also the following fraudulent domains:
The following malicious MD5s are also known to have phoned back to 93.170.52.21 in the past:
Known to have responded to 93.170.52.33 are also the following fraudulent domains:
The following malicious MD5s are also known to have phoned back to 93.170.52.33 in the past:
The following MD5s are also known to have phoned back to 83.125.22.192 in the past:
MD5: 3935b6efa7e5ee995f410f4ef1e613ab
MD5: 64c1496e1ba2b7cb5c54a33c20be3e95
MD5: 08f76a1ed5996d7dfdcf8226fe3f66b9
MD5: f508d8034223c4ce233f1bdbed265a3a
Known to have responded to 82.208.40.11 are the following fraudulent domains:
The following malicious MD5s are also known to have phoned back to 82.208.40.11 in the past:
Known to have responded to 192.157.201.42 are also the following fraudulent domains:
cracks4free.info
pr0lotra.p9.org
prostats.vf1.us
wh0prof.uni.me
Time to provide the actual, currently live, hosting locations for the served privacy-violating content.
Mindspark Interactive Network's MyImageConverter served URL:
hxxp://download.myimageconverter.com/index.jhtml?partner=^AZ0^xdm081
Google Store served URLs:
hxxps://chrome.google.com/webstore/detail/miapmjacmjonmofofflhnbafpbmfapac - currently active
hxxps://chrome.google.com/webstore/detail/dllaajjfgpigkeblmlbamflggfjkgbej
Dropbox Accounts serving the Android app (offline due to heavy usage), and the Firefox extension:
hxxps://dl.dropboxusercontent.com/s/rueyn3owrrpsbw4/whoviews5.xpi - currently online
hxxps://dl.dropboxusercontent.com/s/so3vm50w298qkto/WhoViewsYourProfile.apk
Facebook App URL:
hxxp://apps.facebook.com/dislike___button/
Google Docs served privacy-violating apps:
GA Account IDs: UA-23441223-3; UA-12798017-1
MyImageConverter Affiliate Network ID: ^AZ0^xdm081
Detection rate for the served apps/extensions:
MD5: 30cf98d7dc97cae57f8d72487966d20b - detected by 19 out of 49 antivirus scanners as Trojan-Ransomer.CLE; Troj/Mdrop-FNZ
MD5: 88dd376527c18639d3f8bf23f77b480e - detected by 8 out of 49 antivirus scanners as JS:Febipos-N [Trj]; JS/Febipos
Once executed, MD5: 30cf98d7dc97cae57f8d72487966d20b also drops MD5: 106320fc1282421f8f6cf5eb0206abee and MD5: 43b20dc1b437e0e3af5ae7b9965e0392 on the affected hosts. It then phones back to 195.167.11.4.
Two more MD5s, from different malware campaigns, are known to have phoned back to 195.167.11.4:
MD5: 8192c574b8e96605438753c49510cd97
MD5: d55de5e9ec25a80ddfecfb34d417b098
The Privacy Policy (hxxp://prostats.vf1.us/firefox/pp.html) and the EULA (hxxp://prostats.vf1.us/firefox/eula.html) point to hxxp://dislikeIt.com - 176.74.176.179. Not surprisingly, multiple malicious MD5s are also known to have previously interacted with the same IP:
Based on the latest performance metrics for the campaign, over 190,000 users have already interacted with this sub-campaign since the 4th of December, when I initially analyzed the primary campaign.
Monitoring of the campaign is naturally in progress. Updates will be posted as soon as new developments take place.
Facebook Circulating 'Who's Viewed Your Profile' Campaign Exposes 800k+ Users to CrossRider PUA/Rogue Firefox Add-ons/Android Adware AirPush
December 04, 2013
A massive privacy-violating "Who's Viewed Your Profile" campaign circulating on Facebook has been operating beneath the radar, exposing over 800,000 users internationally to a cocktail of PUAs (Potentially Unwanted Applications), rogue Firefox add-ons impersonating Adobe's Flash Player, and the Android-based adware AirPush.
Relying on the proven social engineering tactic of "offering what isn't offered in general", and hosting the rogue files on legitimate service providers (Google Docs and Dropbox in this particular case), the campaign is a great example of how this social engineering scheme, ubiquitous on the social network, continues to trick gullible and uninformed users into installing privacy-violating applications on their hosts and mobile devices.
Let's dissect the campaign, expose its infrastructure, (conservatively) assess the damage, and provide fresh MD5s for the currently served privacy-violating PUAs, Firefox add-ons, and Android adware.
Primary spamvertised Facebook URL: FCOSYUC.tk/?15796422
Redirection chain: p2r0f3rviewer9890.co.nf -> bit.ly/1bZCeNv?vsdvc -> wh0prof.uni.me/?sdvsjka -> wh0prof.uni.me/ch/
Rogue Google Store Extension URL (currently offline): hxxps://chrome.google.com/webstore/detail/dllaajjfgpigkeblmlbamflggfjkgbej
Campaign's GA Account ID: UA-12798017-1
wh0prof.uni.me - 192.157.201.42
Known to have responded to the same IP are also the following domains:
cracks4free.info
pr0lotra.p9.org
Google Docs Hosted PUA URLs:
Dropbox Firefox Add-on/Android APK Hosted URLs:
hxxps://dl.dropboxusercontent.com/s/so3vm50w298qkto/WhoViewsYourProfile.apk
hxxps://dl.dropboxusercontent.com/s/kor9c2mqv49esva/kkadobe-ff.xpi
Detection rate for the served PUAs, the Android adware and the rogue Firefox Add-on:
MD5: c7fcf7078597ea752b8d54e406c266a7 - detected by 5 out of 48 antivirus scanners as PUP.Optional.CrossRider
MD5: 30cf98d7dc97cae57f8d72487966d20b - detected by 6 out of 48 antivirus scanners as Trojan.Dropper.FB
MD5: f2459b6bde1d662399a3df725bf8891b - detected by 13 out of 48 antivirus scanners as Adware/AirPush!Android; Android Airpush; Adware/ANDR.Airpush.G.Gen
MD5: 3fb95e1ed77d1b545cf7385b4521b9ae - detected by 18 out of 48 antivirus scanners as JS/TrojanClicker.Agent.NDL
Once executed MD5: 30cf98d7dc97cae57f8d72487966d20b phones back to 195.167.11.4.
Time to (conservatively) assess the campaign's damage over the year(s):
The click-through rate should be considered conservative, and it remains unknown whether the URL shortening service was used by the cybercriminal(s) since day one of the campaign.
The campaign remains active, and is just the tip of the iceberg in terms of similar campaigns tricking Facebook's users into thinking that they can eventually see who's viewed their profile. Facebook users who stumble across such campaigns on their own or their friends' Walls are advised to report the campaign back to Facebook immediately.
Malware-Serving "Who's Viewed Your Facebook Profile" Campaign Spreading Across Facebook
June 10, 2013
A currently ongoing, Facebook-spreading, malware-serving campaign entices users into downloading and executing a malicious executable pretending to be a "Who's Viewed Your Facebook Profile" extension. In reality, the executable, part of a campaign that has been ongoing for several months, steals private information from local browsers, auto-starts on Windows startup, and attempts to infect all of the victim's friends across Facebook.
The executable, along with several other related executables that are part of the campaign, is currently hosted on Google Code, and according to Google Code's statistics one of the malicious files has already been downloaded 1,870,788 times. Surprisingly, the Google Code project is called "Project Don't Download". A very interesting, self-contradicting social engineering attempt.
Let's dissect the campaign, list the domain's portfolio used in it, provide detection rates for the malicious executables, and connect the campaign to multiple other campaigns observed in the wild over the last couple of weeks.
Sample redirection chain:
hxxp://cnlz3.tk/?2959858 -> hxxp://profilelo.8c1.net/ -> hxxp://profileste.uni.me/?skuwjjsadsuquwhdas -> hxxps://project-dont-download.googlecode.com/files/Profile%20View%20-%205v2.exe
Subdomain reconnaissance:
profilelo.8c1.net - 82.208.40.3
profileste.uni.me - 198.23.52.98
project-dont-download.googlecode.com - Email: mergimi14@live.com
Detection rate for the malicious executable: MD5: c5b2247a37a8d26063af55c6c975782d - detected by 23 out of 47 antivirus scanners as JS:Clicker-P [Trj]; RDN/Generic.dx!chs
Once executed, the sample drops the following MD5s on the affected hosts:
Download statistics for the malicious executables hosted on Google Code:
Profile Viewer - 5.exe - 1,870,788 downloads
Profile Stalker - V.exe - 45983 downloads
Profile View - 5v2.exe - 9496 downloads
Profile Stalker - D.exe - 2 downloads
Detection rates for the malicious executables hosted on Google Code:
Profile Stalker - D.exe - MD5: c9220176786fe074de210529570959c5 - detected by 3 out of 47 antivirus scanners as Trojan.AVKill.30538; JS/TrojanClicker.Agent.NDL
Profile Stalker - V.exe - MD5: a6073378d764e3af4cb289cac91b3f97 - detected by 24 out of 47 antivirus scanners as JS/TrojanClicker.Agent.NDL; Trojan.Win32.Clicker!BT
Profile Viewer - 5.exe - MD5: 814837294bc34f288e31637bab955e6c - detected by 24 out of 47 antivirus scanners as Troj/Agent-ABOE
Samples phone back to the following URLs/domains:
hxxp://stats.app-data.net/installer.gif?action=started&browser=ie6&ver=1_26_153&bic=00A473047B09414785A7A54908970321IE&app=30413&appver=0&verifier=d3459d462f931be10f76456d86fe24d5&srcid=0&subid=0&zdata=0&ff=0&ch=0&default=ie&os=XP32&admin=1&type=1&asw=0
stats.app-data.net - 207.171.163.139
app-static.crossrider.com - 69.16.175.10
errors.app-data.net - 207.171.163.139
Facebook and Google have been notified.
Updates will be posted as soon as new developments take place.