This fake Facebook spam follows on from this one, but has a different malicious landing page at frankcremascocabinets.com:
From: Facebook [[email protected]]
Date: 19 August 2013 17:38
Subject: You requested a new Facebook password
Hello,You recently asked to reset your Facebook password.
Click here to change your password.
Didn’t request this change?
If you didn’t request a new password, let us know immediately.
Change Password
This message was sent to [redacted] at your request.
Facebook, Inc., Attention: Department 415, PO Box 10005, Palo Alto, CA 94303
The link in the email goes to a legitimate hacked site which then tries to load one or more of the following three scripts:
[donotclick]ftp.hotwindsaunausa.com/clingy/concord.js
[donotclick]katchthedeal.sg/stilling/rifts.js
[donotclick]ftp.navaglia.it/gazebo/cowboys.js
The victim is then directed to a malware payload at [donotclick]frankcremascocabinets.com/topic/able_disturb_planning.php hosted on 184.95.37.102 (Secured Servers, US / Jolly Works Hosting, Philippines). This domain is a hijacked GoDaddy domain and there are several others on the same server (listed below in italics).
Recommended blocklist:
184.95.37.96/28
ftp.hotwindsaunausa.com
katchthedeal.sg
ftp.navaglia.it
giuseppepiruzza.com
frankcremascocabinets.com
gordonpoint.biz
hitechcreature.com
frankcremasco.com
Leave a reply
