Friday, 6 September 2013

Facebook spam / www.facebook.com.achrezervations.com

This fake Facebook spam leads to malware on www.facebook.com.achrezervations.com:

Date:      Fri, 6 Sep 2013 08:07:14 -0500 [09:07:14 EDT]
From:      Facebook [notification+puppies9@mail.facebookmail.net]
Reply-To:      noreply [noreply@postmaster.facebookmail.org]
Subject:      Cole Butler confirmed your Facebook friend request

facebook
   
Cole Butler has confirmed that you're friends on Facebook.
You may know some of Cole's Friends
    Daren Douglas
1 mutual friends
   
Add Friend
   
    Gertrude Souza
14 mutual friends
   
Add Friend
    Brice Kelly
3 mutual friends
   
Add Friend
   
    Beverly Howard
12 mutual friends
   
Add Friend
    Julia Metz
6 mutual friends
   
Add Friend
   
    Nora Belanger
6 mutual friends
   
Add Friend
View Timeline
This message was sent to [redacted]. If you don't want to receive these emails from Facebook in the future, please unsubscribe.
Facebook, Inc., Attention: Department 415, PO Box 10005, Palo Alto, CA 94303

The link in the email goes first to a legitimate but hacked site, which then redirects to an exploit kit at [donotclick]www.facebook.com.achrezervations.com/news/implement-circuit-false.php (report here), hosted on the following servers:
66.230.163.86 (Goykhman And Sons LLC, US)
95.111.32.249 (Megalan / Sofia Mobiltel EAD, Bulgaria)
115.78.233.220 (Vietel Corporation, Vietnam)
194.42.83.60 (Interoute Hosting, UK)

The following IPs and domains are all malicious and belong to this gang; I recommend blocking them. Note the pattern in many of the hostnames: a well-known brand's domain (facebook.com, paypal.com, nacha.org, hyatt.com, walmart.com and so on) is used as the leftmost labels, but the registered domain at the end (achrezervations.com, stjamesang.net, lindoliveryct.net) belongs to the attacker.
66.230.163.86
95.111.32.249
115.78.233.220
194.42.83.60
50plus-login.com
aa.com.reservation.viewfareruledetailsaccess.do.sai-uka-sai.com
achrezervations.com
actiry.com
appsmartsecurity.com
askfox.net
bnamecorni.com
boxbass.com
casualcare.net
cerovskiprijatnomnebi25.net
certerianshndieony24.net
certierskieanyofthe23.net
chernigovskievojninua55.net
ciriengrozniyivdd.ru
cirormdnivneinted40.ru
cirriantisationsansidd79.net
crobnivmocanriendi56.net
cyberflorists.su
driversupdate.pw
ehchernomorskihu.ru
ehnaisnwhgiuh29.net
ehnihujasebejav15.ru
ehtiebanishkeobprienrt25.net
email.pinterest.com.lacave-enlignes.com
ermitajniedelaincityof40.net
evarse.com
explic.net
facebook.com.achrezervations.com
facebook.com.n.find-friends.lindoliveryct.net
favar.net
ffupdate.pw
germaniavampizdanahuj.net
germetikovskievremie29.net
gggrecheskiysala99.net
giabit.net
gormovskieafrterskioepr30.net
grannyhair.ru
gromoviepechiniegierskie.net
herbergers.com.content.customer-service.laptopsinstalled.net
hotbitscan.com
hyatt.com.reservations.reservation.roccoscollar.net
invoices.ulsmart.net
istatsking.ru
lacave-enlignes.com
liliputttt9999.info
maxichip.com
micnetwork100.com
microsoftstore.com.store.msusa.en_us.displaydownloadhistorypage.kemingpri.com
mirrorsupply.com
molul.com
multiachprocessor.com
musicstudioseattle.net
nacha-ach-processor.com
nvufvwieg.com
oleannyinsurance.net
paypal.com.us.cmd.stjamesang.net
photographysmile.net
photos.walmart.com.orders.stjamesang.net
redsox.com.tickets-service.lindoliveryct.net
smartsecureconnect.com
tickets-service.lindoliveryct.net
tor-connect-secure.com
vineostat.ru
viperestats.ru
vip-proxy-to-tor.com
weekings.com
wingdress.net
www.appsmartsecurity.com
www.facebook.com.achrezervations.com
www.hyatt.com.reservations.reservation.roccoscollar.net
www.nacha.org.multiachprocessor.com
www.nacha-ach-processor.com
www.redsox.com.tickets-service.lindoliveryct.net
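A triage script, added here as an example and not part of the original post: it sorts a subset of the indicators above into IPs and hostnames, flags hostnames that borrow a real brand's domain as a decoy prefix (the pattern in facebook.com.achrezervations.com and www.nacha.org.multiachprocessor.com), emits a dnsmasq blocklist, and runs sender checks on headers reconstructed from the message at the top of the post. The brand list and the facebookmail.com sender allowlist are assumptions made for the example; the registrable-domain logic is deliberately naive and suits only the single-label TLDs on this page.

```python
"""Triage helpers for a brand-impersonation spam run: split indicators,
flag decoy-prefix hostnames, build a DNS blocklist, check sender headers."""
import ipaddress
from email import message_from_string
from email.utils import parseaddr

# Subset of the indicators listed in the post; a real run reads the full list.
IOCS = """
66.230.163.86
95.111.32.249
achrezervations.com
facebook.com.achrezervations.com
www.nacha.org.multiachprocessor.com
paypal.com.us.cmd.stjamesang.net
email.pinterest.com.lacave-enlignes.com
driversupdate.pw
""".split()

# Brand domains that appear as decoy prefixes in the hostnames above (assumed list).
BRANDS = {"facebook.com", "paypal.com", "nacha.org", "pinterest.com"}

# Assumption: defender-maintained allowlist of domains a brand really sends from,
# keyed by the display name the mail claims.
LEGIT_SENDERS = {"facebook": {"facebookmail.com"}}

# Constructed sample: headers reconstructed from the message quoted in the post.
SAMPLE_HEADERS = (
    "From: Facebook <notification+puppies9@mail.facebookmail.net>\n"
    "Reply-To: noreply <noreply@postmaster.facebookmail.org>\n"
    "Subject: Cole Butler confirmed your Facebook friend request\n\n"
)


def split_iocs(lines):
    """Separate a mixed indicator list into (ip_addresses, hostnames)."""
    ips, hosts = [], []
    for line in lines:
        item = line.strip().lower()
        if not item:
            continue
        try:
            ipaddress.ip_address(item)
            ips.append(item)
        except ValueError:
            hosts.append(item)
    return ips, hosts


def registrable_domain(host):
    """Last two labels of a hostname. Right for the single-label TLDs on this
    page (.com .net .ru .su .pw .info); use a Public Suffix List library for
    suffixes such as .co.uk."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def spoofed_brand(host, brands=BRANDS):
    """Return the brand domain a hostname imitates, or None.
    facebook.com.achrezervations.com contains the whole labels 'facebook.com'
    but is registered under achrezervations.com, so it is flagged;
    www.facebook.com is not."""
    host = host.lower().rstrip(".")
    if registrable_domain(host) in brands:
        return None
    dotted = "." + host + "."
    for brand in brands:
        if "." + brand + "." in dotted:
            return brand
    return None


def spoofed_hosts(hosts):
    """Map each impersonating hostname to the brand it borrows."""
    found = {}
    for h in hosts:
        brand = spoofed_brand(h)
        if brand:
            found[h] = brand
    return found


def dnsmasq_blocklist(hosts):
    """dnsmasq lines sinking each listed name (and its subdomains) to 0.0.0.0.
    Names are blocked exactly as listed: collapsing to the registrable domain
    could also block a legitimate but compromised parent domain."""
    return sorted(f"address=/{h}/0.0.0.0" for h in hosts)


def sender_findings(raw_message, legit=LEGIT_SENDERS):
    """Header checks: sender domain outside the claimed brand's allowlist, and a
    Reply-To domain differing from From (weak alone, but it stacks)."""
    msg = message_from_string(raw_message)
    display, from_addr = parseaddr(msg.get("From", ""))
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    from_dom = registrable_domain(from_addr.rpartition("@")[2])
    findings = []
    allowed = legit.get(display.lower())
    if allowed is not None and from_dom not in allowed:
        findings.append(f"claims to be {display!r} but sent from {from_dom}")
    if reply_addr:
        reply_dom = registrable_domain(reply_addr.rpartition("@")[2])
        if reply_dom != from_dom:
            findings.append(f"Reply-To domain {reply_dom} differs from From {from_dom}")
    return findings


if __name__ == "__main__":
    ips, hosts = split_iocs(IOCS)
    print("IPs:", ips)
    for h, b in spoofed_hosts(hosts).items():
        print(f"{h} impersonates {b}")
    print("\n".join(dnsmasq_blocklist(hosts)))
    print("\n".join(sender_findings(SAMPLE_HEADERS)))
```

Run it against the full list from the post and the decoy-prefix check will also catch the hyatt.com, walmart.com, redsox.com, herbergers.com, microsoftstore.com and aa.com lookalikes once those brands are added to BRANDS; the sender check, on the message above, reports both the facebookmail.net sending domain and the mismatched facebookmail.org Reply-To.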

2 comments:

aware said...

THANKS!

I just got virtually the same e-mail from notification+yorkshireubj53@mail.facebookmail.net and that looked suspicious, being a .net address.

I'm glad that Google already had it 23 min after your posting!!
