
Monday, 2 September 2013

Facebook spam / london-leather.com

This fake Facebook spam leads to malware on london-leather.com:

Date:      Mon, 2 Sep 2013 19:59:52 +0300 [12:59:52 EDT]
From:      Facebook [update+hiehdzge@facebookmail.com]
Subject:      Victoria Carpenter commented on your status

facebook
Hello,
Victoria Carpenter commented on your status.
Victoria wrote: "so cute;)"

Go to comments

Reply to this email to comment on this status.
See Comment
This message was sent to [redacted]. If you don't want to receive these emails from Facebook in the future, please unsubscribe.
Facebook, Inc., Attention: Department 415, PO Box 10005, Palo Alto, CA 94303

In this case the link in the spam goes through what appears to be a URL shortening service, first to [donotclick]jdem.cz/5xxb8 and then to [donotclick]93.93.189.108/exhortation/index.html, where it attempts to load one of the following three scripts:
[donotclick]codebluesecuritynj.com/mummifies/stabbed.js
[donotclick]mobileforprofit.net/affected/liberal.js
[donotclick]tuviking.com/trillionth/began.js

These scripts in turn direct the visitor to a malicious payload site at [donotclick]london-leather.com/topic/able_disturb_planning.php. This is a hijacked GoDaddy domain hosted on 173.246.104.184 (Gandi, US), an address which hosts a number of malicious domains, also hijacked from GoDaddy.
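An added example, not code from the original post: a Python check that flags proxy-log requests to the hosts named above and traces each hit back through redirect (Location) and Referer links to the URL the user first clicked. The record layout, client addresses and sample log entries are constructed assumptions, and Location values are assumed to be absolute URLs.

```python
from urllib.parse import urlsplit

# Indicators taken from the post's prose: payload host, its IP, script hosts.
BLOCKLIST = {"173.246.104.184", "london-leather.com",
             "codebluesecuritynj.com", "mobileforprofit.net", "tuviking.com"}

LANDING = "http://93.93.189.108/exhortation/index.html"
# Constructed proxy records (client, url, status, location, referer); not real traffic.
SAMPLE_LOG = [
    ("10.0.0.5", "http://jdem.cz/5xxb8", 302, LANDING, ""),
    ("10.0.0.5", LANDING, 200, "", ""),
    ("10.0.0.5", "http://tuviking.com/trillionth/began.js", 200, "", LANDING),
    ("10.0.0.5", "http://london-leather.com/topic/able_disturb_planning.php",
     200, "", LANDING),
    ("10.0.0.9", "http://intranet.example/news", 200, "", ""),
]

def is_blocked(url):
    """True if the URL's host is a blocklisted IP/domain or a subdomain of one."""
    host = (urlsplit(url).hostname or "").lower().rstrip(".")
    return any(host == b or host.endswith("." + b) for b in BLOCKLIST)

def trace_hits(log):
    """Return (client, entry_url, blocked_url) for every blocklisted request,
    walking Location and Referer links back to the first URL in the chain."""
    parent = {}  # (client, url) -> URL that led this client there
    hits = []
    for client, url, status, location, referer in log:
        if referer:
            parent.setdefault((client, url), referer)
        if 300 <= status < 400 and location:
            # A 3xx keeps the original Referer, so link via Location instead.
            parent.setdefault((client, location), url)
        if is_blocked(url):
            entry, seen = url, {url}
            while (client, entry) in parent and parent[(client, entry)] not in seen:
                entry = parent[(client, entry)]
                seen.add(entry)
            hits.append((client, entry, url))
    return hits

if __name__ == "__main__":
    for client, entry, blocked in trace_hits(SAMPLE_LOG):
        print(f"{client}: {blocked} reached via {entry}")
```

The entry URL reported for each hit is the shortener link, which is the value to search for in mail logs to find other recipients of the same message.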

Recommended blocklist: