Facebook phishing using Belgium (.be) domains
Last Updated: 2009-06-03 16:20:58 UTC
by Raul Siles (Version: 6)
This is not new or exciting, but as we have received several reports during the weekend (thanks to all that wrote in - Kevin, Mike, Rick), you all should know what is going on. It seems a new Facebook phishing/spam campaign is doing the rounds. It uses Belgium domains (.be) to impersonate the Facebook login page and steal the user credentials.
UPDATE 4: The malicious domains do not only impersonate Facebook but contain malicious "hidden" (1x1pixel) iframes, hosted on the same host, such as: "/tds/r.php?sid=2&pid=5511". Do not browse to them unless you know what you are doing!
UPDATE 5: (May 25, 22:00h CET) It seems there is a new variation moving around, using tinyurl links (thanks Charlie). For example, you get a Facebook message pointing to "tinyurl dot com /o5kblj/" that takes you to a link at "simplemart dot be". Remember you can enable/disable the tinyurl preview feature through "http://tinyurl.com/preview.php". You just need to enable cookies on your browser.
Some of the malicious domains being used are redfriend dot be, redbuddy dot be, picoband dot be... (at this point, none of them can be resolved).
UPDATE 1: Other domains: areps dot at, greenbuddy dot be (Thanks Derek)
UPDATE 2: You can check the owner of Belgium domains through www.dns.be (the whois search is on the top-right corner).
Just to provide a couple of examples, the greenbuddy dot be and redfriend dot be domains were registered on May 22, and the last update was May 24, by:
The redbuddy dot be was registered on May 21, last updated May 24 (both from people on the ".at" domain):
UPDATE 3: As expected, more domains are coming (and some of them are still active right now - May 25, 0:00am CET) - thanks Kevin and Greg:
- redfriend dot be, redbuddy dot be, picoband dot be, areps dot at, greenbuddy dot be
- picoband dot be, vispace dot be, whiteflash dot be, bestspace dot be
- There are other "more than suspicious" .be domains associated to the same IP address
The ones active do resolve to IP address 188.8.131.52. From APNIC:
inetnum: 184.108.40.206 - 220.127.116.11 netname: UNICOM descr: China United Telecommunications Corporation descr: No.133,Taiyun Building,Xidan North Street descr: Xicheng District,Beijing,China country: CN admin-c: JY1446-AP tech-c: JY1446-AP mnt-by: MAINT-CNNIC-AP mnt-lower: MAINT-CNNIC-AP mnt-routes: MAINT-CNNIC-AP status: ALLOCATED PORTABLE changed: firstname.lastname@example.org 20070731 changed: email@example.com 20070802 source: APNIC
It's recommended to filter access to all them (and the others coming)!
May 25th 2009
1 decade ago
Jun 3rd 2009
1 decade ago