Thursday, May 29, 2014

A Social Facebook Phish - is your friend acting strange?

I'm always proud when my students do a great write up on a new attack, and doubly so when that analysis comes from my nephew, Chris Warner!

Chris was logged in to Facebook today when one of his friends started chatting with him. It was pretty obvious to Chris that his friend had been the victim of an Account Takeover (ATO) and thta he was really chatting with a criminal who was inviting him to visit a Facebook phishing site. Chris gathered up an evidence package and submitted it to IC3.gov with his analysis prior to contacting me. With his permission, I'm sharing what he saw (editing his friend's identity out for her privacy.)

Original URL user sees is of the format:

http://(USER FIRST NAME)-photos.uglyfacebookpeople,commm

URL is intentionally messed up, presumably to avoid detection by Facebook systems.

URL redirects to http://accounts.login.userid.266765.facebooclk.com/lp/fbn/?next=http%3A%2F%2F%2videos%2F%3AJ%4ID%1A

Action file is security.php

Following the action file results in visiting accounts.login.userid.497031.facebooclk.com/blam/

Which directs you to a "Flash Player Update" site that I assume is a virus. http://198.52.200.49/install_flashplayer13x32_mssd_aaa_aih.ex

There are other files that were on the site, but it is down now.

WHOIS INFO(SAME FOR FACEBOOCLK.COM AND UGLYFACEBOOKPEOPLE.COM):

Registrar Abuse Contact Phone: +1-2013775952
Domain Status: clientTransferProhibited
Registry Registrant ID: DI_36635864
Registrant Name: Dave Brider
Registrant Organization: none
Registrant Street: 505 45th st   
Registrant City: new york
Registrant State/Province: New York
Registrant Postal Code: 10003
Registrant Country: US
Registrant Phone: +1.6463392283
Registrant Email: yogurtman7@mail.com
Registry Admin ID: DI_36635864
Admin Name: Dave Brider
Admin Organization: none
Admin Street: 505 45th st  
Admin City: new york
Admin State/Province: New York
Admin Postal Code: 10003
Admin Country: US
Admin Phone: +1.6463392283
Admin Email: yogurtman7@mail.com
Happy hunting!

--Chris Warner


Thanks, Chris! You did a great job on that write-up! Hope it helps save someone from being a victim!!

2 comments:

  1. The whois street address is bogus, for whatever that's worth.

    ReplyDelete
  2. this just happened to me today

    ReplyDelete

Trying a new setting. After turning on comments, I got about 20-30 comments per day that were all link spam. Sorry to require login, but the spam was too much.