Date: Mon, 29 Jul 2013 09:33:38 -0600 [11:33:38 EDT]
From: Facebook [update+zj4o40c2_aay@facebookmail.com]
Subject: Betsy Wells wants to be friends with you on Facebook.
Interesting Pages on Facebook
Mark as favorite web pages that interest you to receive their updates in your News Feed.
Betsy Wells
Betsy Wells
Baldric Aguino
Astrid Aggas
Deloris Bransfield
Perdita Brantz
Danelle Erstad
Daphne Escamilla
Giovanna Hadesty
Georgeann Habel
Hugh Campisi
Jake Callas
Find more pages
Go to Facebook
The message was sent to [redacted]. If you do not want to receive these e-mail. letters from Facebook, please give up subscription.
Facebook, Inc., Attention: Department 415, PO Box 10005, Palo Alto, CA 94303
Apparently all these people look alike:
This is a "ThreeScripts" attack: clicking the link leads to a legitimate but hacked site, which then tries to load one of the following scripts:
[donotclick]system-hostings.info/aphrodisiac/nought.js
[donotclick]gc.sceonline.org/worsens/patronizingly.js
[donotclick]www.kgsindia.org/retell/manson.js
From there, the victim is sent to a malware landing page on a hijacked GoDaddy domain at [donotclick]happykido.com/topic/able_disturb_planning.php, hosted on 50.2.138.161 (ServerHub Phoenix, US). There are several other hacked GoDaddy domains on the same server, all of which should be considered malicious.
Recommended blocklist:
50.2.138.161
handbagwalla.com
giftwalla.com
happykiddoh.com
happykido.com
system-hostings.info
gc.sceonline.org
www.kgsindia.org
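As an added example (not part of the original post), a small Python matcher that loads the blocklist above and flags proxy-log lines whose destination is a listed IP, domain or subdomain; it also accepts the post's "[donotclick]" defanged form. The log format and the sample lines are constructed for this example.

```python
from ipaddress import ip_address
from urllib.parse import urlsplit
# The post's recommended blocklist (one IP plus seven domains).
BLOCKLIST = {"50.2.138.161", "handbagwalla.com", "giftwalla.com", "happykiddoh.com",
             "happykido.com", "system-hostings.info", "gc.sceonline.org", "www.kgsindia.org"}

def split_url(url):
    """Return (host, path); tolerates the post's '[donotclick]' defang and a missing scheme."""
    url = url.replace("[donotclick]", "", 1)
    if "://" not in url:
        url = "http://" + url
    parts = urlsplit(url)
    return (parts.hostname or "").lower().rstrip("."), parts.path

def matched_entry(host, blocklist=BLOCKLIST):
    """Blocklist entry covering host: exact IP, the domain itself, or a listed parent domain."""
    try:
        ip_address(host)            # IPs must match exactly
        return host if host in blocklist else None
    except ValueError:
        labels = host.split(".")    # cdn.happykido.com is covered by happykido.com,
        for i in range(len(labels)):  # but sceonline.org is not covered by gc.sceonline.org
            candidate = ".".join(labels[i:])
            if candidate in blocklist:
                return candidate
    return None

def scan_proxy_log(lines, blocklist=BLOCKLIST):
    """Return [(client, url, entry)] for '<timestamp> <client-ip> <url>' lines (constructed format) that hit the list."""
    hits = []
    for line in lines:
        fields = line.split()
        if len(fields) < 3:
            continue
        client, url = fields[1], fields[2]
        host, _path = split_url(url)
        entry = matched_entry(host, blocklist)
        if entry:
            hits.append((client, url, entry))
    return hits

# Constructed sample: the script stage, the landing page by name and by IP, and benign noise.
SAMPLE_LOG = [
    "2013-07-29T15:34:01Z 10.0.0.12 http://www.example.com/",
    "2013-07-29T15:34:02Z 10.0.0.12 http://gc.sceonline.org/worsens/patronizingly.js",
    "2013-07-29T15:34:03Z 10.0.0.12 http://happykido.com/topic/able_disturb_planning.php",
    "2013-07-29T15:34:04Z 10.0.0.12 http://50.2.138.161/topic/able_disturb_planning.php",
    "2013-07-29T15:34:05Z 10.0.0.33 http://notgiftwalla.com/",  # must not match
]
```

Matching by parent domain means any host under a listed domain is caught, while a listed subdomain such as gc.sceonline.org deliberately does not block the rest of sceonline.org.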
2 comments:
More here:
- https://www.virustotal.com/en-gb/ip-address/50.2.138.161/information/
Most of the "three scripts" sites I have encountered in the past were variants on the Blackhole exploit.