Date: Wed, 24 Jul 2013 11:22:46 -0300 [10:22:46 EDT]
From: Facebook [update+hiehdzge@facebookmail.com]
Subject: You requested a new Facebook password
Hello,
You recently asked to reset your Facebook password.
Click here to change your password.
Didn't request this change?
If you didn't request a new password, let us know immediately.
Change Password
This message was sent to [redacted] at your request.
Facebook, Inc., Attention: Department 415, PO Box 10005, Palo Alto, CA 94303

The link in the email goes through a legitimate hacked site and then through one or both of the following scripts:
[donotclick]ftp.thermovite.de/kurile/teeniest.js
[donotclick]traditionlagoonresort.com/prodded/televised.js
The victim is then directed to [donotclick]nphscards.com/topic/accidentally-results-stay.php (report here) which appears to be 403ing, but this may just be trickery. The site is hosted on 162.216.18.169 (Linode, US) and the domain nphscards.com itself appears to have been hijacked from GoDaddy. The domain nphssoccercards.com is also on the same server and is probably hijacked.
1 comment:
More info:
- https://www.virustotal.com/en/ip-address/162.216.18.169/information/