Chris was logged in to Facebook today when one of his friends started chatting with him. It was pretty obvious to Chris that his friend had been the victim of an Account Takeover (ATO) and thta he was really chatting with a criminal who was inviting him to visit a Facebook phishing site. Chris gathered up an evidence package and submitted it to IC3.gov with his analysis prior to contacting me. With his permission, I'm sharing what he saw (editing his friend's identity out for her privacy.)
Original URL user sees is of the format:
http://(USER FIRST NAME)-photos.uglyfacebookpeople,commm
URL is intentionally messed up, presumably to avoid detection by Facebook systems.
URL redirects to http://accounts.login.userid.266765.facebooclk.com/lp/fbn/?next=http%3A%2F%2F%2videos%2F%3AJ%4ID%1A
Action file is security.php
Following the action file results in visiting accounts.login.userid.497031.facebooclk.com/blam/
Which directs you to a "Flash Player Update" site that I assume is a virus. http://18.104.22.168/install_flashplayer13x32_mssd_aaa_aih.ex
There are other files that were on the site, but it is down now.
WHOIS INFO(SAME FOR FACEBOOCLK.COM AND UGLYFACEBOOKPEOPLE.COM):
Registrar Abuse Contact Phone: +1-2013775952 Domain Status: clientTransferProhibited Registry Registrant ID: DI_36635864 Registrant Name: Dave Brider Registrant Organization: none Registrant Street: 505 45th st Registrant City: new york Registrant State/Province: New York Registrant Postal Code: 10003 Registrant Country: US Registrant Phone: +1.6463392283 Registrant Email: email@example.com Registry Admin ID: DI_36635864 Admin Name: Dave Brider Admin Organization: none Admin Street: 505 45th st Admin City: new york Admin State/Province: New York Admin Postal Code: 10003 Admin Country: US Admin Phone: +1.6463392283 Admin Email: firstname.lastname@example.orgHappy hunting!
Thanks, Chris! You did a great job on that write-up! Hope it helps save someone from being a victim!!