Monday 28 January 2013

"Most recent events on Facebook" spam / gonita.net

This fake Facebook spam leads to malware on gonita.net:


Date:      Mon, 28 Jan 2013 17:30:50 +0100
From:      "Facebook" [addlingabn2@bmatter.com]
Subject:      Most recent events on Facebook

facebook   
Hi [redacted],
You have disabled your Facebook account. You can reveal your account whenever you wish by logging into Facebook with your old login email address and password. After that you will be able to enjoy the site in the same way as before.
Kind regards,
The Facebook Team
   
Log in to Facebook and start connecting
Sign in

Please use the link below to resume your account :
http://www.facebook.com/resume/
This message was sent to [redacted]. If you don't want to receive these emails from Facebook in the future, please click: unsubscribe.
Facebook, Inc. Attention: Department 419 P.O Box 10007 Palo Alto CA 94301

The malicious payload is at [donotclick]gonita.net/detects/sign_on_to_resume.php (report here) hosted on the well-known IP of 222.238.109.66 (Hanaro Telecom, Korea).

The following malicious domains are active on the same IP:
morepowetradersta.com
kendallvile.com
alphabeticalwin.com
ehadnedrlop.com
postofficenewsas.com
prepadav.com
masterseoprodnew.com
vespaboise.net
duriginal.net
shininghill.net
euronotedetector.net
fx-points.net
africanbeat.net
ensconcedattractively.biz
gonita.net

No comments:

Post a Comment