This fake Facebook spam leads to malware on
Date: Mon, 29 Jul 2013 09:33:38 -0600 [11:33:38 EDT]
From: Facebook [update+zj4o40c2_aay@facebookmail.com]
Subject: Betsy Wells wants to be friends with you on Facebook.
Interesting Pages on Facebook
Mark as favorite web pages that interest you to receive their updates in your News Feed.
Betsy Wells
Betsy Wells
Baldric Aguino
Astrid Aggas
Deloris Bransfield
Perdita Brantz
Danelle Erstad
Daphne Escamilla
Giovanna Hadesty
Georgeann Habel
Hugh Campisi
Jake Callas
Find more pages
Go to Facebook
The message was sent to [redacted]. If you do not want to receive these e-mail. letters from Facebook, please give up subscription.
Facebook, Inc., Attention: Department 415, PO Box 10005, Palo Alto, CA 94303
Apparently all these people look alike:

[donotclick]system-hostings.info/aphrodisiac/nought.js
[donotclick]gc.sceonline.org/worsens/patronizingly.js
[donotclick]www.kgsindia.org/retell/manson.js
From there, the victim is sent to a malware landing page on a hijacked GoDaddy domain at [donotclick]happykido.com/topic/able_disturb_planning.php hosted on 50.2.138.161 (ServerHub Phoenix, US). There are several other hacked GoDaddy domains on the same server, all of which should be considered malicious.
Recommended blocklist:
50.2.138.161
handbagwalla.com
giftwalla.com
happykiddoh.com
happykido.com
system-hostings.info
gc.sceonline.org
www.kgsindia.org
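
One way to check web proxy logs for clients that reached the hosts on the blocklist above, as an added example that is not part of the original post. The log format, the sample lines and the function names are assumptions constructed for illustration.

```python
from urllib.parse import urlsplit

# Indicators copied from the recommended blocklist above.
BLOCKLIST = {
    "50.2.138.161", "handbagwalla.com", "giftwalla.com", "happykiddoh.com",
    "happykido.com", "system-hostings.info", "gc.sceonline.org",
    "www.kgsindia.org",
}

def host_of(url):
    """Return the lowercased host, tolerating [donotclick] and a missing scheme."""
    url = url.strip().replace("[donotclick]", "")
    if "://" not in url:
        url = "//" + url  # urlsplit only parses a host after '//'
    return (urlsplit(url).hostname or "").lower().rstrip(".")

def is_blocked(host):
    """True for a listed host or a subdomain of one; parents and look-alikes do not match."""
    return any(host == entry or host.endswith("." + entry) for entry in BLOCKLIST)

def scan(lines):
    """Return (client, host) for each log line whose requested host is blocklisted."""
    hits = []
    for line in lines:
        fields = line.split()
        if len(fields) < 3:
            continue  # skip blank or malformed lines
        host = host_of(fields[2])
        if is_blocked(host):
            hits.append((fields[1], host))
    return hits

# Constructed sample log: "<timestamp> <client> <host/path>" (assumed format).
SAMPLE_LOG = [
    "2013-07-29T15:34:02Z 10.0.0.15 www.kgsindia.org/retell/manson.js",
    "2013-07-29T15:34:03Z 10.0.0.15 happykido.com/topic/able_disturb_planning.php",
    "2013-07-29T15:40:10Z 10.0.0.22 sceonline.org/",          # parent domain, not listed
    "2013-07-29T15:41:55Z 10.0.0.31 50.2.138.161/",
    "2013-07-29T15:42:00Z 10.0.0.31 happykido.com.example/",  # look-alike, not listed
]

if __name__ == "__main__":
    for client, host in scan(SAMPLE_LOG):
        print(f"{client} requested blocklisted host {host}")
```

A client that shows both a `.js` redirector hit and a request to the landing page or the IP, like 10.0.0.15 in the sample, followed the full chain described above and is the one to examine first.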