Facebook phishing using Belgium (.be) domains

Published: 2009-05-24
Last Updated: 2009-06-03 16:20:58 UTC
by Raul Siles (Version: 6)
2 comment(s)

This is not new or exciting, but as we have received several reports during the weekend (thanks to all that wrote in - Kevin, Mike, Rick), you all should know what is going on. It seems a new Facebook phishing/spam campaign is doing the rounds. It uses Belgium domains (.be) to impersonate the Facebook login page and steal the user credentials.

UPDATE 4: The malicious domains do not only impersonate Facebook but contain malicious "hidden" (1x1pixel) iframes, hosted on the same host, such as: "/tds/r.php?sid=2&pid=5511". Do not browse to them unless you know what you are doing!

UPDATE 5: (May 25, 22:00h CET) It seems there is a new variation moving around, using tinyurl links (thanks Charlie). For example, you get a Facebook message pointing to "tinyurl dot com /o5kblj/" that takes you to a link at "simplemart dot be". Remember you can enable/disable the tinyurl preview feature through "http://tinyurl.com/preview.php". You just need to enable cookies on your browser.

Some of the malicious domains being used are redfriend dot be, redbuddy dot be, picoband dot be... (at this point, none of them can be resolved).

UPDATE 1: Other domains: areps dot at, greenbuddy dot be (Thanks Derek)

UPDATE 2: You can check the owner of Belgium domains through www.dns.be (the whois search is on the top-right corner).

Just to provide a couple of examples, the greenbuddy dot be and redfriend dot be domains were registered on May 22, and the last update was May 24, by:

Name Andrey Sokolovsky
Language English
Address ...
Email ...

The redbuddy dot be was registered on May 21, last updated May 24 (both from people on the ".at" domain):

Name Petr Anisimov
Language English
Address ...
Email ...

UPDATE 3: As expected, more domains are coming (and some of them are still active right now - May 25, 0:00am CET) - thanks Kevin and Greg:

  • redfriend dot be, redbuddy dot be, picoband dot be, areps dot at, greenbuddy dot be
  • picoband dot be, vispace dot be, whiteflash dot be, bestspace dot be
  • There are other "more than suspicious" .be domains associated to the same IP address

The ones active do resolve to IP address 211.95.78.98. From APNIC:

inetnum:      211.90.0.0 - 211.97.255.255
netname:      UNICOM
descr:        China United Telecommunications Corporation
descr:        No.133,Taiyun Building,Xidan North Street
descr:        Xicheng District,Beijing,China
country:      CN
admin-c:      JY1446-AP
tech-c:       JY1446-AP
mnt-by:       MAINT-CNNIC-AP
mnt-lower:    MAINT-CNNIC-AP
mnt-routes:   MAINT-CNNIC-AP
status:       ALLOCATED PORTABLE
changed:      ipas@cnnic.cn 20070731
changed:      hm-changed@apnic.net 20070802
source:       APNIC

It's recommended to filter access to all them (and the others coming)!

--
Raul Siles
www.raulsiles.com

Keywords: Facebook phishing
2 comment(s)

Comments

I got this in a message on facebook: "wwww whiteflash be". Facebook deleted the message themselves and when I go to the URL Firefox reports it as a forgery.
URL redirectors such as tinyurl have email addresses where said redirects can be shut down, and relatively fast. This isn't true for all of them, but a majority of the public ones have this option.

Diary Archives