Sponsored by..

Thursday 8 August 2013

Facebook spam / hubby-wife.com and 72.249.76.197

This fake Facebook spam leads to malware on hubby-wife.com:

Date:      Thu, 8 Aug 2013 09:36:19 -0800 [13:36:19 EDT]
From:      Facebook [update+zj433fgc2_aay@facebookmail.com]
Subject:      Doug Bernal wants to be friends with you on Facebook.
   
Interesting Pages on Facebook
Mark as favorite web pages that interest you to receive their updates in your News Feed.

Doug Bernal
Doug Bernal
   
Hyo Auiles
Gigi Arvay
   
Hester Brush
Lesa Bueschel
   
Crawford Eredia
Casey Elting
   
Delfina Grode
Deandrea Grise
   
Tori Circle
Austin Chum
Find more pages
         
Go to Facebook
The message was sent to [redacted]. If you do not want to receive these e-mail. letters from Facebook, please give up subscription.
Facebook, Inc., Attention: Department 415, PO Box 10005, Palo Alto, CA 94303
Doug is quite a feminine looking bloke:


Clicking on the link in the email goes through a legitimate hacked site, and from there onto one of three scripts:
[donotclick]art.impactmt.com/ecology/christmases.js
[donotclick]palka-teleskopowa.pl/puppet/leafed.js
[donotclick]outoftheblueproductions.com/pipelines/tutsi.js

From here, the victim is sent to a malware payload at [donotclick]hubby-wife.com/topic/able_disturb_planning.php which (predictably) a hijacked GoDaddy domain hosted on 72.249.76.197 (Networld Internet Services) along with several other GoDaddy domains which are highlighted below.

Recommended blocklist:
72.249.76.197
art.impactmt.com
palka-teleskopowa.pl
outoftheblueproductions.com
hubby-wife.com
housewalla.com
hubbynwife.com
hubbynwifecakes.com



No comments: