This fake Facebook spam leads to malware on nphscards.com:
Date: Wed, 24 Jul 2013 11:22:46 -0300 [10:22:46 EDT]
From: Facebook [[email protected]]
Subject: You requested a new Facebook password
Hello,You recently asked to reset your Facebook password.
Click here to change your password.
Didn’t request this change?
If you didn’t request a new password, let us know immediately.
Change Password
This message was sent to [redacted] at your request.
Facebook, Inc., Attention: Department 415, PO Box 10005, Palo Alto, CA 94303
The link in the email goes through a legitimate hacked site and then through one or both of these following scripts:
[donotclick]ftp.thermovite.de/kurile/teeniest.js
[donotclick]traditionlagoonresort.com/prodded/televised.js
The victim is then directed to [donotclick]nphscards.com/topic/accidentally-results-stay.php (report here) which appears to be 403ing, but this may just be trickery. The site is hosted on 162.216.18.169 (Linode, US) and the domain nphscards.com itself appears to have been hijacked from GoDaddy. The domain nphssoccercards.com is also on the same server and is probably hijacked.
Leave a reply
