Friday, June 20, 2008

Phishing Campaign Spreading Across Facebook

Phishers have once again indicated their interest in obtaining fresh passwords for social networking sites, by using already hacked accounts there to social engineer the account holders' friends into believing that the phishing links left as comments are legitimate. This latest internal phishing campaign circulating across Facebook is part of a bigger phishing operation, whose reliance on fast-fluxed domains indicates it's a part of a botnet.

Sample messages spammed across Facebook:

"hey, howdy?? oh lisen i got a new friend here shex kinda new on facebook..maybe you can give her a lil tym so she can enjoy here?? not forcin u but u can chk out =)"

"i got a new friend here..shex kinda new here..maybe you can give her a lil tym so she can enjoy here?? not forcin u but u can chk out =)...her profile is"

"hi, watsup?? luk i want you to add ma new friend, as she is new here maybe you can give her lil time so she enjoys her online stay :P her profile is"

Sample phishing URLs and fast-flux domains from this campaign:

- facebook.com.profile.id.ep7vu2.749e92q.916ad771.info/facebook/index.php?id=f543li12
- facebook.com.profile.id.mgt9fr5n.mg6qdo.e77c98037.com/facebook/index.php?id=sjv5ppwqb&auth=5086550&cyua=dm2yozoq3y
- facebook.com.profile.id.bvbu38.krpz.dortos.net/facebook/index.php?id=y39zjy4c6&auth=462&cyua=2wr8tckkg8
- facebook.com.profile.id.10g10th3.7q342k8.31dd6db6.com/facebook/index.php?id=b36a7sh7&auth=bnspa&cyua=31064jrv8u2

Fast-flux domains used in the campaign:

- 1d27c9b8fb.com
- 31dd6db6.com
- dortos.net
- e77c98037.com
- 916ad771.info


Related phishing domains sharing fast-flux infrastructure with one another:

- paypal.client-confirmation.com
- acznc84.com
- ccitu938.com
- e77c98037.com
- civvi05.com
- client29184146.com
- cnzu390.com
- d71adb12.com
- dd25d624.com
- f009c270.com
- fzkgoo6.com
- lvozx90.com
- r8t0p0l4.net
- 2j1f.com
- 31c5f18a7f.com
- 3h8ax3.com
- 4442852.com
- 47cx972x.com
- 72195e6.info
- aur83jf82la.com
- f80a5b31be7.com
- gllofj8532.com
- client1874741.com
- client1929848.com
- client9994414.com
- ringbe.com
- ringbean.com
- ringwe.com
- xctiw4.com

They also seem to be in the process of diversifying the social networks to be attacked, with Hi5 in mind: hi5.com.profile.id.yijs.dcrt.1d27c9b8fb.com/hi5/?id=chrislef&auth=rwx&cyua=albumem
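The phishing hostnames above all follow one pattern: the brand's hostname (facebook.com, hi5.com) stacked into the subdomain labels of an unrelated, short-lived registrable domain. The following Python is an added example, not code from the original post. It pulls the registrable domain out of each sample URL (recovering the fast-flux domain list above) and flags any URL whose subdomain labels carry a brand name that its registrable domain does not own. The brand list and the minimal public-suffix table are assumptions; a real tool would load the publicsuffix.org list.

```python
"""Added example (not from the original post): pick out brand-impersonating
phishing hostnames like facebook.com.profile.id.<random>.<domain> and recover
the registrable (fast-flux) domain behind each one. Sample URLs are the ones
quoted in the post; the brand list and the tiny public-suffix table are
assumptions (a real tool would load the publicsuffix.org list)."""
from urllib.parse import urlsplit

# Sample URLs from the post (scheme omitted there, so we add one when parsing).
SAMPLE_URLS = [
    "facebook.com.profile.id.ep7vu2.749e92q.916ad771.info/facebook/index.php?id=f543li12",
    "facebook.com.profile.id.mgt9fr5n.mg6qdo.e77c98037.com/facebook/index.php?id=sjv5ppwqb&auth=5086550&cyua=dm2yozoq3y",
    "facebook.com.profile.id.bvbu38.krpz.dortos.net/facebook/index.php?id=y39zjy4c6&auth=462&cyua=2wr8tckkg8",
    "facebook.com.profile.id.10g10th3.7q342k8.31dd6db6.com/facebook/index.php?id=b36a7sh7&auth=bnspa&cyua=31064jrv8u2",
    "hi5.com.profile.id.yijs.dcrt.1d27c9b8fb.com/hi5/?id=chrislef&auth=rwx&cyua=albumem",
]

# Brand label -> the domain that legitimately owns it (assumed list).
BRAND_DOMAINS = {"facebook": "facebook.com", "hi5": "hi5.com", "paypal": "paypal.com"}

# Minimal public-suffix table, only what the samples need (assumption).
PUBLIC_SUFFIXES = {"com", "net", "info", "org", "co.uk"}


def hostname_of(url):
    """Lower-cased hostname; the post's samples have no scheme, so add one."""
    if "://" not in url:
        url = "http://" + url
    return (urlsplit(url).hostname or "").rstrip(".")


def registrable_domain(host):
    """eTLD+1 for a hostname, trying the longer (two-label) suffixes first."""
    labels = host.lower().split(".")
    for n in (2, 1):
        if len(labels) > n and ".".join(labels[-n:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[-(n + 1):])
    return ".".join(labels[-2:])


def impersonated_brand(url):
    """Return the brand domain a URL impersonates, or None.

    A hostname is suspicious when one of its subdomain labels is a brand name
    while the registrable domain belongs to someone else; the brand's own
    hosts (www.facebook.com) are never flagged."""
    host = hostname_of(url)
    reg = registrable_domain(host)
    if reg in BRAND_DOMAINS.values():
        return None
    subdomain = host[: -len(reg)].rstrip(".") if host.endswith(reg) else host
    for label in subdomain.split("."):
        if label in BRAND_DOMAINS:
            return BRAND_DOMAINS[label]
    return None


def campaign_domains(urls):
    """Sorted, de-duplicated registrable domains: the campaign's fast-flux list."""
    return sorted({registrable_domain(hostname_of(u)) for u in urls})


if __name__ == "__main__":
    for u in SAMPLE_URLS:
        print(impersonated_brand(u), "<-", hostname_of(u))
    print("fast-flux domains:", campaign_domains(SAMPLE_URLS))
```

Run against the five sample URLs, `campaign_domains` returns exactly the five fast-flux domains listed above, and `impersonated_brand` reports facebook.com or hi5.com for each while leaving a genuine www.facebook.com URL unflagged. The check is deliberately label-based rather than substring-based, so a domain such as facebookfans.example would not trigger it; whether that is the right trade-off depends on the false-positive budget of the feed you are filtering.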

Related posts:
Large Scale MySpace Phishing Attack
Update on the MySpace Phishing Campaign
MySpace Phishers Now Targeting Facebook
MySpace Hosting MySpace Phishing Profiles

Fake Celebrity Video Sites Serving Malware

With blackhat search engine optimization tactics clearly converging with social engineering, the result of which is the increasing supply of Zlob malware variants served as fake codecs, it's about time we spill some coffee on several campaigns in order to get a better understanding of the way the campaigns function.

These campaigns are also starting to get so sophisticated, that analyzing a single one will expose another massive SQL injection, reveal several blackhat SEO domain farms, let you obtain fresh Zlob malware variants, and point you to the very latest and undetected rogue software if you manage to expose the entire scammy ecosystem through all the redirections put in place to make it harder to get to the bottom of it.

What's important to keep in mind when assessing and shutting down such comprehensive campaigns is that on the majority of occasions the front end domains, as well as the secondary ones, are all attempting to download the codecs from hardcoded locations. Consequently, you have 50 front end domains and another 50 as secondary redirection points, all attempting to download the codecs from 3 download locations. Once again, the malware authors' efficiency-centered mentality, emphasizing ease of management for the campaign, is making it possible to.

Here are some currently active fake celebrity video sites serving malware, including the codec redirectors:

- stillnaked.net
- funkytube.net
- starvid.info
- yetmorefun.net
- hotnudity.net
- alreadynude.com
- celebvids.info
- sexystar.name
- hotserved.net
- thestars2008.com
- nudde.net
- gottabigfuick.com
- moviecity.se
- gossip-starz.com
- tmz-video.com
- js0.info
- superfakamyvideo.com
- hdavidz.com
- blog-x.in
- newhotpeople.com
- dirty-gossips.com
- flaxxvid.com
- videoid.info
- realvideofree.com
- popvids.info
- ihavewetfuckpussy.com
- virus-scanonline.com
- adultx2008.com
- lux-software2008.com

As well as some sample subdomains for traffic acquisition purposes, since all of these have already been crawled by search engines:

- jodie.popvids.info
- jessica.popvids.info
- tila.popvids.info
- paris.celebvids.info
- vanessa.celebvids.info
- britney.nudde.net
- paris.nudde.net
- kardashian.nudde.net
- vanessahudgens.yetmorefun.net
- lindsaylohan.yetmorefun.net
- britneyspears.yetmorefun.net
- parishilton.yetmorefun.net


We also have embedded IFRAMEs, as well as ones injected into vulnerable sites, acting as redirectors to some of these fake video sites. For instance, at pedophilesexstories.blog.com we have an injected redirector, js0.info/?s=16&k=pedophile+sex+stories&c=5, and js0.info itself is a blackhat SEO operation that's aggregating generic search traffic like this:

- js0.info/16/5/ragnarok+hentai
- js0.info/15/4/antivirus+characteristic
- js0.info/16/5/msn+monkey
- js0.info/15/4/airplus+internet+security

Once accessed, you get redirected through two separate redirection campaigns, at searchaw.info/sa/in.cgi?16 and hmel.info/stds13/go.php, until you finally get to the codecs.

With blackhat SEOers' already well-developed inventory of topical junk content, and their experience in what's popular content and what's not, the entry barriers for malware authors into the traffic acquisition joys of blackhat SEO have never been lower.

Wednesday, June 18, 2008

The Zeus Crimeware Kit Vulnerable to Remotely Exploitable Flaw

Just like you have sophisticated cyber criminals trying to scam wannabe cyber criminals by providing them with backdoored web malware exploitation kits and phishing pages, you have cyber criminals looking for ways to obtain access to the most popular exploitation kits and bankers malware C&Cs by finding vulnerabilities within them.

Apparently, Zeus, the crimeware kit which I discussed in a previous post, is susceptible to a remotely exploitable vulnerability, according to proof-of-concept code I obtained recently. The vulnerability allows the injection of logins and passwords within any misconfigured web interface, due to the way in which Zeus processes PHP scripts (web shells and backdoors) from the directory in which it stores the stolen data. Ironically, "Zeus users are advised to take care of their directory permissions, and forbid the execution of scripts from the folder holding all the encrypted stolen information".

The implications of this flaw are huge: what used to be the practice of hijacking someone's misconfigured botnet a couple of years ago is today's hijacking of the malware campaign's command and control interface, which on the majority of occasions is left accessible to everyone, including independent researchers and the security community.

Picture the following situation. Right before the Russian Business Network "disappeared", it threatened to sue Spamhaus for blacklisting most of its old infrastructure. What would happen if the security community started unethically pen-testing the RBN's infrastructure and remotely exploiting misconfigured Zeus C&Cs in order to estimate the number of infected hosts and the type of stolen data, and to communicate its findings to the appropriate parties on all fronts? If the RBN started suing for getting unethically pen-tested, it would automatically claim ownership of, well, the Russian Business Network's infrastructure, which you must be pretty familiar with by now.

Moreover, can we even dare to speculate on the existence of monoculture in crimeware software? You bet, and finding vulnerabilities within popular crimeware kits and web malware exploitation kits is only starting to emerge, a situation where the market share of a certain kit would attract the most vulnerability research.

Monday, June 16, 2008

Malicious Doorways Redirecting to Malware


Friday, June 13, 2008

Monetizing Web Site Defacements

What used to be harmless web site defacements back in the old school days is today's ongoing monetization of defaced web sites, a logical development given the consolidation between different underground parties, evidence of which can be seen in the majority of incidents I've been analyzing recently.

The Africa Middle Market Fund's site is the latest example of a web site defacer abusing access to the web server to generate and locally host blackhat SEO pages. These pages can only be reached by searching for the keywords, return a 404 if the traffic isn't coming from a search engine, and redirect to known rogue security software, in this case XP antivirus protection (securityscannersite.com), which you must be familiar with if you were following the assessments of the massive IFRAME SEO poisoning attacks that took place during March this year. More about the fund:

"The Africa Middle Market Fund is a private capital fund that invests in small and medium sized African businesses who need from $500,000 up to $2 million to grow and succeed to their full potential. We are a "double bottom-line" or "impact investment" fund, meaning that we care equally about financial performance and social benefit. We are for-profit and insist on our investees employing world standards of financial and business management to maximize their chances of success"

Most of the outgoing links from a sample of over 50 blackhat SEO pages at the site point to 23search.org, which is an invitation-only affiliate based network for traffic exchange, connecting different malicious parties together :

"What is this site? This site helps webmasters to earn money with their sites. How it works? Our program generate traffic from search engines and display advertising. What shell I do to start with you? Signup, get php file from member area, put file into your website directory, modify or create .htaccess in the same directory, and receive money!"

The session is then redirected to drivemedirect.com/soft.php?aid=0195&d=3&product=XPA, as well as to drivemedirect.com/soft.php?aid=0263&d=2&product=XPC to ultimately redirect the user to online-xpcleaner.com/2/freescan.php?aid=880263

Moreover, the majority of blackhat SEO campaigns are also starting to apply evasive techniques to make it harder to analyze them. In this particular campaign, for instance, only traffic coming from search engines gets the chance to see the SEO page, due to the use of document.referrer checks. Here are some sample monetization practices from what I've seen between the lines of recently defaced sites:

- installing web backdoors and reselling the access to phishers, spammers and malware authors, who would have full control over the content and can therefore do whatever they want with the web server

- installing web based spamming tools that will later be either used directly by the defacers, or access to the tools sold to those interested in using them

- participating in affiliate based blackhat SEO networks, where revenue coming from the victims who installed the rogue software is shared between the defacer and the affiliate network, which doesn't really care how and where all the traffic is coming from

- forwarding the responsibility for hosting phishing pages to the legitimate site by hosting them locally, in between sending the phishing emails from the same host

- selling the access by promoting it based on its page rank
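The referrer cloaking described above (the SEO page answers a 404 unless the visitor arrived from a search engine) leaves a distinctive trace in the compromised server's own access log: the same path returns 200 to search-engine referrals and 404 to everyone else, while a genuine page returns 200 to both and a genuinely missing page returns 404 to both. The following Python is an added example, not code from the original post, that runs that comparison over a log. The log lines are constructed for the example, and the combined-log regex and the list of search-engine hostnames are assumptions a real deployment would adjust.

```python
"""Added example (not from the original post): find referrer-cloaked doorway
pages in a web server's access log. The cloaking described in the post shows
the SEO page only to visitors arriving from a search engine and a 404 to
everyone else, so the same path answers 200 and 404 depending on the Referer.
The log lines are constructed; the combined-log regex and the search-engine
hostname list are assumptions to adjust for a real server."""
import re
from collections import defaultdict

# Apache / nginx "combined" log format (assumed layout).
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)

# Hostname fragments that identify a search-engine referral (assumed, 2008-era).
SEARCH_ENGINE_HOSTS = ("google.", "yahoo.", "live.", "msn.", "ask.")

# Constructed sample log: one cloaked doorway page, one normal page, one
# genuinely missing page (404 for everybody, so it must not be flagged).
SAMPLE_LOG = """\
10.0.0.1 - - [13/Jun/2008:10:01:02 +0000] "GET /images/cache/free+antivirus+scan.html HTTP/1.1" 200 5120 "http://www.google.com/search?q=free+antivirus+scan" "Mozilla/4.0"
10.0.0.2 - - [13/Jun/2008:10:01:09 +0000] "GET /images/cache/free+antivirus+scan.html HTTP/1.1" 404 312 "-" "Mozilla/4.0"
10.0.0.3 - - [13/Jun/2008:10:02:15 +0000] "GET /about.html HTTP/1.1" 200 2048 "http://www.google.com/search?q=africa+middle+market+fund" "Mozilla/4.0"
10.0.0.4 - - [13/Jun/2008:10:02:40 +0000] "GET /about.html HTTP/1.1" 200 2048 "-" "Mozilla/4.0"
10.0.0.5 - - [13/Jun/2008:10:03:01 +0000] "GET /old-page.html HTTP/1.1" 404 312 "http://search.yahoo.com/search?p=old+page" "Mozilla/4.0"
10.0.0.6 - - [13/Jun/2008:10:03:05 +0000] "GET /old-page.html HTTP/1.1" 404 312 "-" "Mozilla/4.0"
"""


def is_search_referer(referer):
    """True when the Referer header names a search-engine host."""
    if referer in ("", "-"):
        return False
    host = re.sub(r"^https?://", "", referer.lower()).split("/")[0]
    return any(host.startswith(s) or ("." + s) in host for s in SEARCH_ENGINE_HOSTS)


def parse_log(lines):
    """Yield one dict per well-formed combined-log line; skip the rest."""
    for line in lines:
        m = LOG_RE.match(line)
        if m:
            yield m.groupdict()


def find_cloaked_paths(lines):
    """Return {path: (statuses_for_search_visitors, statuses_for_others)} for
    every request target that answered 2xx to search-engine referrals but
    only 4xx to everyone else."""
    by_path = defaultdict(lambda: {"search": set(), "other": set()})
    for rec in parse_log(lines):
        bucket = "search" if is_search_referer(rec["referer"]) else "other"
        by_path[rec["path"]][bucket].add(int(rec["status"]))
    cloaked = {}
    for path, seen in by_path.items():
        search_ok = seen["search"] and all(200 <= s < 300 for s in seen["search"])
        others_blocked = seen["other"] and all(400 <= s < 500 for s in seen["other"])
        if search_ok and others_blocked:
            cloaked[path] = (sorted(seen["search"]), sorted(seen["other"]))
    return cloaked


if __name__ == "__main__":
    for path, (search, other) in find_cloaked_paths(SAMPLE_LOG.splitlines()).items():
        print(f"cloaked: {path}  search-engine visitors -> {search}, others -> {other}")
```

Feed it `tail -n 100000 access.log` and it reports only the doorway page; the regular page and the dead link are left alone because both referrer classes saw the same status. The check is intentionally conservative (every search-referred hit must be 2xx and every other hit 4xx), so a path that a legitimate visitor reached directly even once will not be flagged; loosen it if the defacer's cloaking also whitelists search-engine crawler user agents, which a referrer-only rule cannot see.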

Web site defacements in times when traffic suppliers are efficiently coordinating campaigns with traffic seekers, will mature into a tool for providing malicious infrastructure on demand, just like botnets did. Then again, the endless possibilities provided by insecure web applications are already blurring the lines between web site defacements and SQL injections.

Related posts:
Pro-Serbian Hacktivists Attacking Albanian Web Sites
The Rise of Kosovo Defacement Groups
A Commercial Web Site Defacement Tool
Phishing Tactics Evolving
Web Site Defacement Groups Going Phishing
Hacktivism Tensions Overperforming Turkish Hacktivists
Blackhat SEO Campaign at The Millennium Challenge Corporation
Massive IFRAME SEO Poisoning Attack Continuing
Massive Blackhat SEO Targeting Blogspot
The Invisible Blackhat SEO Campaign
Attack of the SEO Bots on the .EDU Domain
p0rn.gov - The Ongoing Blackhat SEO Operation
The Continuing .Gov Blackhat SEO Campaign
The Continuing .Gov Blackhat SEO Campaign - Part Two
Compromised Sites Serving Malware and Spam

Thursday, June 12, 2008

Fake YouTube Site Serving Flash Exploits

Originally mentioned by the folks at Sunbelt, this fake YouTube site happens to be a bit more interesting than it seems at first:

"Clicking on that link then redirects to a different site, youtube-s, which serves exploits to attempt to infect your system. Then, if your browser hasn’t completely crashed at that point, you may ultimately get redirected to the real YouTube, displaying some idiotic video (hence, possibly even helping to continue the infection, by having users forward the spam above)"

Interesting mostly because it not only attempts to serve an online-games password stealer by exploiting the ubiquitous MDAC flaw, but is also serving a flash exploit which, when analyzed, leads us to the web-based C&C of a new malware kit. And although I've been aware of its existence for a while now, it's the first time I see it in action.

I analyzed youtube-r.com (211.95.79.57) a couple of days ago; it's now returning a 403 Forbidden message, but copies of the malware have already been obtained and analyzed. Besides attempting to infect with MDAC at youtube-s.com/load.php?id=912, the flash exploit loads from a9rhiwa.cn/update_files/1.swf, and while this is happening the end user is redirected to the real YouTube site. Some sample detection rates:

Scanners result : 7/32 (21.88%)
TR/Crypt.ULPM.Gen; Mal/EncPk-CO
File size: 8704 bytes
MD5...: cb8611db343067e1fb663ab6ee671114
SHA1..: 4497715e0a365863d6ca41ab12254bf591118ed7

Scanners result : 10/32 (31.25%)
SWF:CVE-2007-0071; Exploit:Win32/APSB08-11.gen!A
File size: 593 bytes
MD5...: 5b6b28d4de3df92f48fbe5e8bd565cda
SHA1..: 3123d357d2080d1ee09ee67203275d51332e3397

The password stealer then connects to the C&C, from where a number of campaigns, unknown for the time being, are coordinated. What is a useless virtual good such as MMORPG passwords for malware gangs aiming to steal e-banking details through banking malware is a precious and valuable good for others operating on the other side of the world, where a virtual item is more expensive than access to an e-banking account.