Sponsored by..

Monday, 29 July 2013

Facebook spam / happykido.com

This fake Facebook spam leads to malware on

Date:      Mon, 29 Jul 2013 09:33:38 -0600 [11:33:38 EDT]
From:      Facebook [update+zj4o40c2_aay@facebookmail.com]
Subject:      Betsy Wells wants to be friends with you on Facebook.
   
Interesting Pages on Facebook
Mark as favorite web pages that interest you to receive their updates in your News Feed.

Betsy Wells
Betsy Wells
   
Baldric Aguino
Astrid Aggas
   
Deloris Bransfield
Perdita Brantz
   
Danelle Erstad
Daphne Escamilla
   
Giovanna Hadesty
Georgeann Habel
   
Hugh Campisi
Jake Callas
Find more pages
    �    
Go to Facebook
The message was sent to [redacted]. If you do not want to receive these e-mail. letters from Facebook, please give up subscription.
Facebook, Inc., Attention: Department 415, PO Box 10005, Palo Alto, CA 94303

Apparently all these people look alike:

This is a "ThreeScripts" attack, clicking the link goes to a legitimate hacked site which then tries to run one of the following:

[donotclick]system-hostings.info/aphrodisiac/nought.js
[donotclick]gc.sceonline.org/worsens/patronizingly.js
[donotclick]www.kgsindia.org/retell/manson.js

from there, the victim is sent to a malware landing page on a hijacked GoDaddy domain at [donotclick]happykido.com/topic/able_disturb_planning.php hosted on 50.2.138.161 (ServerHub Phoenix, US). There are several other hacked GoDaddy domains on the same server, all of which should be considered to be malicious.

Recommended blocklist:
50.2.138.161
handbagwalla.com
giftwalla.com
happykiddoh.com
happykido.com
system-hostings.info
gc.sceonline.org
www.kgsindia.org


2 comments:

PC.Tech said...

More here:

- https://www.virustotal.com/en-gb/ip-address/50.2.138.161/information/

.

Robin Norris said...

Most of the "three scripts" sites I have encountered in the past were variants on the Blackhole exploit.