Interesting Facebook SPAM

Facebook is effectively training its user base that it is OK to click on links in emails, as long as they look like pretty buttons. When there is a friend request, or a comment has been added, it is emailed to you in the interest of making sure you get the message. It was probably only a matter of time before Facebook-like SPAM/PHISH email started arriving.

When I received the following, I must confess I nearly clicked it automatically, before I noticed the actual link.

When I did click the link, I got a second surprise. To be honest, I was expecting a Facebook login page; failing that, I was expecting malware. What I ended up with was this: plain old SPAM.

Not terribly exciting, I agree. What caught my eye, however, was that the SPAM email looked darn close to the real thing, the emails Facebook users get every day.

If you have a user base that uses Facebook, you may wish to bring this to their attention.  At the moment it is only SPAM, but it doesn't have to be.

If you are into blocking, this particular SPAM run ends up on 115.145.129.35 (South Korea), which loads medicalaf.ru (in China), which in turn redirects to cvecpills.com (in Romania). Not a bad method to put some distance between the email and the eventual landing page; it allows them to switch targets easily.

Mark H - Shearwater
ISC Handler

Good Job, Mark H.
Anonymous

FAQ: "i" before "e", except after "c"!

Spammers are getting better at using spell checkers, but apparently they are still not standard equipment in the spammer's toolkit!
Paul

The culprit behind this is probably the new kid on the block... The original Storm, then Waledac, now (who knows?) has been resurrected and is no doubt pushing the classic pharmacy SPAM to a screen near you, while stealing email login info at the same time to further itself. This time the bot means business. Has anyone detected how this critter connects to C+C?
Al of Your Data Center

Recently I received several phishing mails which pointed to an empty page (accessed with curl). The only content was a refresh statement to the same page. Only when I sent a referrer indicating that I came from the same page did I see the whole beauty. It seems that content was only delivered if the referrer pointed to itself. A nice way to block automatic malware pullers. I haven't seen that discussed, so I thought it might be interesting.
Al of Your Data Center
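As an added example (not code from the diary or from any of the commenters), here is a small Python redirect-chain walker that covers both the multi-hop chain Mark describes and the self-Referer gating described in the comment above: it follows HTTP and meta-refresh redirects, sends the previous hop as Referer, and when a page refreshes to itself retries once with the page's own URL as Referer, flagging the landing page as referer-gated. The fetch function and the placeholder hostnames are constructed so it runs offline; they are not the hosts named in the diary.

```python
import re
from urllib.parse import urljoin

# Matches <meta http-equiv="refresh" content="0;url=..."> and captures the target URL.
META_REFRESH = re.compile(
    r'<meta[^>]+http-equiv=["\']?refresh["\']?[^>]*content=["\']?\s*\d+\s*;\s*url=([^"\'>\s]+)',
    re.IGNORECASE)

def next_hop(url, status, headers, body):
    """Return the URL this response forwards to (HTTP redirect or meta refresh), else None."""
    if status in (301, 302, 303, 307, 308) and "Location" in headers:
        return urljoin(url, headers["Location"])
    m = META_REFRESH.search(body)
    return urljoin(url, m.group(1)) if m else None

def follow_chain(start, fetch, max_hops=10):
    """Walk the redirect chain from `start`, sending the previous hop as Referer.
    fetch(url, referer) -> (status, headers, body) is supplied by the caller.
    Returns (hops, final_body, referer_gated); final_body is None if the chain never settles."""
    hops, url, referer, gated = [start], start, None, False
    for _ in range(max_hops):
        status, headers, body = fetch(url, referer)
        nxt = next_hop(url, status, headers, body)
        if nxt is None:                      # real content: the chain is finished
            return hops, body, gated
        if nxt == url:                       # page refreshes to itself
            if referer == url:               # already tried the self-Referer: give up
                break
            gated, referer = True, url       # retry once, claiming we came from this page
            continue
        referer, url = url, nxt
        hops.append(url)
    return hops, None, gated

# Constructed offline stand-in for a three-hop spam run (placeholder hostnames, not the
# diary's hosts). The landing page only serves content when the Referer is itself.
LANDING = "http://landing.example/"
SELF_REFRESH = '<meta http-equiv="refresh" content="0;url=%s">' % LANDING
FAKE_SITE = {
    "http://mailer.example/": lambda ref: (302, {"Location": "http://redirector.example/"}, ""),
    "http://redirector.example/": lambda ref: (200, {}, '<meta http-equiv="refresh" content="0; URL=%s">' % LANDING),
    LANDING: lambda ref: (200, {}, "<html>pharmacy offer</html>") if ref == LANDING else (200, {}, SELF_REFRESH),
}

def fake_fetch(url, referer):
    return FAKE_SITE[url](referer)

if __name__ == "__main__":
    hops, body, gated = follow_chain("http://mailer.example/", fake_fetch)
    print(" -> ".join(hops), "| referer-gated:", gated, "|", body)
```

Against a live chain you would swap `fake_fetch` for a function that performs the request with the given Referer header and returns the status, headers and body.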
I have seen a few Twitter spams as well that are structured very similarly, saying you have "1 lost direct message", etc.
Travis