
Monday 12 August 2013

Facebook spam / guterhelmet.com

This fake Facebook spam leads to malware on guterhelmet.com:

Date: Mon, 12 Aug 2013 17:51:17 -0200 [15:51:17 EDT]
From: Facebook [update+zj433fgc2_aay@facebookmail.com]
Subject: Willie Powell wants to be friends with you on Facebook.

interesting pages on facebook
mark as favorite web pages that interest you to receive their updates in your news feed.

Willie Powell
Willie Powell
Bao Aguliar
Bibi Akel
Eleanora Casella
Murray Carsten
Jordana Fiqueroa
Jona Fiorelli
Leisha Heape
Lacresha Hautala
Monnie Carrillo
Missy Carreiro
find more pages
go to facebook
the message was sent to {mailto_username}@{mailto_domain}. if you do not want to receive these e-mail. letters from facebook, please give up subscription.
facebook, inc., attention: department 415, po box 10005, palo alto, ca 94303
Is it me, or does everyone look the same?

The link in the email goes through a legitimate hacked site and then on to one of three scripts:

From there, the victim is redirected to a hijacked GoDaddy domain with a malicious payload at [donotclick]guterhelmet.com/topic/able_disturb_planning.php hosted on (Linode, US) along with a number of other hijacked domains (in italics below)
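A defender-side check for this kind of lure, added here as an example and not code from the original post: it parses a message that claims to come from Facebook, pulls every link out of the body, and flags any link host that is not a Facebook domain or that matches the blocklisted domain from this post. The sample message below is constructed from the headers shown above, and `hacked-site.example` is a placeholder standing in for the compromised site the link goes through.

```python
import email
import re
from email import policy
from urllib.parse import urlparse

# Domains a genuine Facebook notification is expected to link to (assumption for this example).
FACEBOOK_DOMAINS = {"facebook.com", "facebookmail.com", "fb.com"}
# Indicator taken from the post: the hijacked domain hosting the payload.
BLOCKLIST = {"guterhelmet.com"}

URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.IGNORECASE)


def _host_matches(host, domains):
    """True if host equals or is a subdomain of any entry in domains."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in domains)


def analyse_message(raw):
    """Return findings for a raw RFC 5322 message: link hosts and whether they match the claimed brand."""
    msg = email.message_from_string(raw, policy=policy.default)
    sender = str(msg.get("From", ""))
    claims_facebook = "facebook" in sender.lower()
    body = msg.get_body(preferencelist=("html", "plain"))
    text = body.get_content() if body is not None else ""
    hosts = sorted({urlparse(u).hostname or "" for u in URL_RE.findall(text)})
    off_brand = [h for h in hosts if not _host_matches(h, FACEBOOK_DOMAINS)]
    blocked = [h for h in hosts if _host_matches(h, BLOCKLIST)]
    return {
        "claims_facebook": claims_facebook,
        "hosts": hosts,
        "off_brand_hosts": off_brand,       # brand mismatch: "Facebook" mail linking elsewhere
        "blocklisted_hosts": blocked,       # direct hit on the post's indicator
        "suspicious": (claims_facebook and bool(off_brand)) or bool(blocked),
    }


# Constructed sample modelled on the headers in the post; the confirm link is a placeholder
# for the hacked site the post says the email passes through.
SAMPLE = """\
From: Facebook <update+zj433fgc2_aay@facebookmail.com>
Subject: Willie Powell wants to be friends with you on Facebook.
Content-Type: text/plain

Willie Powell wants to be friends with you on Facebook.
Confirm: http://hacked-site.example/redirect.php
Unsubscribe: http://www.facebook.com/settings
"""

if __name__ == "__main__":
    print(analyse_message(SAMPLE))
```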

Recommended blocklist:
