Monday 29 July 2013

Facebook spam / happykido.com

This fake Facebook spam leads to malware on

Date:      Mon, 29 Jul 2013 09:33:38 -0600 [11:33:38 EDT]
From:      Facebook [update+zj4o40c2_aay@facebookmail.com]
Subject:      Betsy Wells wants to be friends with you on Facebook.
Interesting Pages on Facebook
Mark as favorite web pages that interest you to receive their updates in your News Feed.

Betsy Wells
Betsy Wells
Baldric Aguino
Astrid Aggas
Deloris Bransfield
Perdita Brantz
Danelle Erstad
Daphne Escamilla
Giovanna Hadesty
Georgeann Habel
Hugh Campisi
Jake Callas
Find more pages
Go to Facebook
The message was sent to [redacted]. If you do not want to receive these e-mail. letters from Facebook, please give up subscription.
Facebook, Inc., Attention: Department 415, PO Box 10005, Palo Alto, CA 94303

Apparently all these people look alike:

This is a "ThreeScripts" attack: clicking the link goes to a legitimate but hacked site, which then tries to run one of the following:


From there, the victim is sent to a malware landing page on a hijacked GoDaddy domain at [donotclick]happykido.com/topic/able_disturb_planning.php hosted on (ServerHub Phoenix, US). There are several other hacked GoDaddy domains on the same server, all of which should be considered malicious.

Recommended blocklist:


PC.Tech said...

More here:

- https://www.virustotal.com/en-gb/ip-address/


Kitten Herder said...

Most of the "three scripts" sites I have encountered in the past were variants on the Blackhole exploit.