Threat Level: green Handler on Duty: Xavier Mertens

SANS ISC: InfoSec Handlers Diary Blog InfoSec Handlers Diary Blog

Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!

Facebook phishing using Belgium (.be) domains

Published: 2009-05-24
Last Updated: 2009-06-03 16:20:58 UTC
by Raul Siles (Version: 6)
2 comment(s)

This is not new or exciting, but as we have received several reports during the weekend (thanks to all that wrote in - Kevin, Mike, Rick), you all should know what is going on. It seems a new Facebook phishing/spam campaign is doing the rounds. It uses Belgium domains (.be) to impersonate the Facebook login page and steal the user credentials.

UPDATE 4: The malicious domains do not only impersonate Facebook but contain malicious "hidden" (1x1pixel) iframes, hosted on the same host, such as: "/tds/r.php?sid=2&pid=5511". Do not browse to them unless you know what you are doing!

UPDATE 5: (May 25, 22:00h CET) It seems there is a new variation moving around, using tinyurl links (thanks Charlie). For example, you get a Facebook message pointing to "tinyurl dot com /o5kblj/" that takes you to a link at "simplemart dot be". Remember you can enable/disable the tinyurl preview feature through "". You just need to enable cookies on your browser.

Some of the malicious domains being used are redfriend dot be, redbuddy dot be, picoband dot be... (at this point, none of them can be resolved).

UPDATE 1: Other domains: areps dot at, greenbuddy dot be (Thanks Derek)

UPDATE 2: You can check the owner of Belgium domains through (the whois search is on the top-right corner).

Just to provide a couple of examples, the greenbuddy dot be and redfriend dot be domains were registered on May 22, and the last update was May 24, by:

Name Andrey Sokolovsky
Language English
Address ...
Email ...

The redbuddy dot be was registered on May 21, last updated May 24 (both from people on the ".at" domain):

Name Petr Anisimov
Language English
Address ...
Email ...

UPDATE 3: As expected, more domains are coming (and some of them are still active right now - May 25, 0:00am CET) - thanks Kevin and Greg:

  • redfriend dot be, redbuddy dot be, picoband dot be, areps dot at, greenbuddy dot be
  • picoband dot be, vispace dot be, whiteflash dot be, bestspace dot be
  • There are other "more than suspicious" .be domains associated to the same IP address

The ones active do resolve to IP address From APNIC:

inetnum: -
netname:      UNICOM
descr:        China United Telecommunications Corporation
descr:        No.133,Taiyun Building,Xidan North Street
descr:        Xicheng District,Beijing,China
country:      CN
admin-c:      JY1446-AP
tech-c:       JY1446-AP
mnt-by:       MAINT-CNNIC-AP
mnt-lower:    MAINT-CNNIC-AP
mnt-routes:   MAINT-CNNIC-AP
changed: 20070731
changed: 20070802
source:       APNIC

It's recommended to filter access to all them (and the others coming)!

Raul Siles

Keywords: Facebook phishing
2 comment(s)
Diary Archives