Thursday, May 29, 2014

A Social Facebook Phish - is your friend acting strange?

I'm always proud when my students do a great write-up on a new attack, and doubly so when that analysis comes from my nephew, Chris Warner!

Chris was logged in to Facebook today when one of his friends started chatting with him. It was pretty obvious to Chris that his friend had been the victim of an Account Takeover (ATO) and that he was really chatting with a criminal who was inviting him to visit a Facebook phishing site. Chris gathered up an evidence package and submitted it to with his analysis prior to contacting me. With his permission, I'm sharing what he saw (editing his friend's identity out for her privacy).

Original URL user sees is of the format:

http://(USER FIRST NAME)-photos.uglyfacebookpeople,commm

URL is intentionally messed up, presumably to avoid detection by Facebook systems.

URL redirects to

Action file is security.php

Following the action file results in visiting

Which directs you to a "Flash Player Update" site that I assume is a virus.

There are other files that were on the site, but it is down now.


Registrar Abuse Contact Phone: +1-2013775952
Domain Status: clientTransferProhibited
Registry Registrant ID: DI_36635864
Registrant Name: Dave Brider
Registrant Organization: none
Registrant Street: 505 45th st   
Registrant City: new york
Registrant State/Province: New York
Registrant Postal Code: 10003
Registrant Country: US
Registrant Phone: +1.6463392283
Registrant Email:
Registry Admin ID: DI_36635864
Admin Name: Dave Brider
Admin Organization: none
Admin Street: 505 45th st  
Admin City: new york
Admin State/Province: New York
Admin Postal Code: 10003
Admin Country: US
Admin Phone: +1.6463392283
Admin Email:

Happy hunting!

--Chris Warner

Thanks, Chris! You did a great job on that write-up! Hope it helps save someone from being a victim!!
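
The mangled link in Chris's write-up (a comma where the dot belongs, a stretched "commm") is trivial for a person to repair by hand but invisible to a matcher that only looks for well-formed hostnames. As an added example, not part of the original post and not a description of any Facebook system, this Python code normalizes such tokens in a chat line before checking a blocklist; the TLD list, the one-entry blocklist and the sample message (with "alice" standing in for the first name) are constructed assumptions.

```python
import re

# Assumptions for this example: a tiny TLD list and a blocklist holding only
# the domain named in the write-up. A real filter would use fuller data.
KNOWN_TLDS = {"com", "net", "org", "info"}
BLOCKLIST = {"uglyfacebookpeople.com"}
# Constructed chat line; "alice" stands in for the friend's first name.
SAMPLE = "is this you?? http://alice-photos.uglyfacebookpeople,commm"

# Host-like token whose labels are joined by "." or by a stand-in ",".
CANDIDATE = re.compile(r"(?:[a-z0-9-]+[.,])+[a-z]{2,}", re.I)


def repair_tld(tld):
    """Return a known TLD, undoing stretched letters ("commm" -> "com")."""
    if tld in KNOWN_TLDS:
        return tld
    collapsed = re.sub(r"(.)\1+", r"\1", tld)
    return collapsed if collapsed in KNOWN_TLDS else None


def normalize_host(token):
    """Canonical hostname for a chat token, or None if it is not a host."""
    labels = token.lower().replace(",", ".").split(".")
    tld = repair_tld(labels[-1])
    return None if tld is None else ".".join(labels[:-1] + [tld])


def find_lures(message):
    """List each host in the message with obfuscation and blocklist flags."""
    hits = []
    for match in CANDIDATE.finditer(message):
        raw = match.group(0)
        host = normalize_host(raw)
        if host is None:
            continue  # e.g. "hello,world": not a host once repaired
        # Simplification: registered domain = last two labels.
        domain = ".".join(host.split(".")[-2:])
        hits.append({
            "raw": raw,
            "host": host,
            "obfuscated": raw.lower() != host,
            "blocked": domain in BLOCKLIST,
        })
    return hits


if __name__ == "__main__":
    for hit in find_lures(SAMPLE):
        print(hit)
```

The `obfuscated` flag is useful on its own: a hostname that only becomes valid after repair is worth reviewing even when the domain is not yet on any blocklist.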


  1. The whois street address is bogus, for whatever that's worth.

  2. This just happened to me today.

  3. Thanks, Chris! You did a great job on that write-up! Hope it helps save someone from being a victim!!

  4. Just encountered a variant of this. Phished accounts are tagging friends in comments on a link to the phishing site.

    Leads to with the same fake login page.

