What the Facebook Phishing spam messages do..

If you are a Facebook user you have probably seen one of these appear on someone’s time line.

[Image: facebook phishing spam]

In this case they link you to http://goo.gl/dKsbKb which then, in this instance, sends you on to:

http://37d44346f.adviceesan.com/imagesnews-2015/image-8bc987c_556f9d400361.jpeg

Which then sends you on to:

http://5kvvnv.advicekh.com/explore-09/

The first part of the hostname, 5kvvnv, is random and can be anything. The second part, advicekh, sometimes changes to another domain, advicekcs.com, instead.
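To show the shape of the chain described above, here is an added Python example (not the blog's own code) that follows Location headers one hop at a time and flags the three traits just mentioned: a URL shortener up front, a hop named like a .jpeg that only redirects, and a random first label in front of the phishing domain. SAMPLE_CHAIN reuses the post's three URLs; its status codes and content types are constructed so the analysis can run offline, and the SHORTENERS list is an assumption.

```python
# Added example, not the blog's own code: walk a redirect chain one hop at a time
# and flag the traits this campaign shows. SAMPLE_CHAIN statuses/types are constructed.
from urllib.error import HTTPError
from urllib.parse import urlsplit
from urllib.request import HTTPRedirectHandler, Request, build_opener

SHORTENERS = {"goo.gl", "bit.ly", "t.co", "tinyurl.com"}  # assumed, not exhaustive
IMAGE_EXT = (".jpg", ".jpeg", ".png", ".gif")

class _NoRedirect(HTTPRedirectHandler):  # make urllib raise on 3xx instead of following
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None

def fetch_chain(url, max_hops=10):
    """Follow Location headers by hand; returns [(url, status, content_type), ...]."""
    opener, hops = build_opener(_NoRedirect()), []
    while url and len(hops) < max_hops:
        try:
            resp = opener.open(Request(url, headers={"User-Agent": "Mozilla/5.0"}), timeout=10)
            hops.append((url, resp.status, resp.headers.get("Content-Type", "")))
            break  # a 2xx page is the end of the chain
        except HTTPError as err:  # 3xx lands here because of _NoRedirect
            hops.append((url, err.code, err.headers.get("Content-Type", "")))
            url = err.headers.get("Location") if 300 <= err.code < 400 else None
    return hops

def looks_random(label):
    """'5kvvnv', '37d44346f': digits mixed with letters, or 5+ chars with no vowel."""
    digit, alpha = any(c.isdigit() for c in label), any(c.isalpha() for c in label)
    return (digit and alpha) or (len(label) >= 5 and not set(label) & set("aeiou"))

def analyse_chain(hops):
    """Return (hop_index, finding) pairs; an empty list means nothing was flagged."""
    findings = []
    for i, (url, status, ctype) in enumerate(hops):
        parts = urlsplit(url)
        host = parts.hostname or ""
        if host in SHORTENERS:
            findings.append((i, "shortener hides the real destination"))
        if parts.path.lower().endswith(IMAGE_EXT) and not ctype.startswith("image/"):
            findings.append((i, "image-named URL that does not serve an image"))
        if host.count(".") >= 2 and looks_random(host.split(".")[0]):
            findings.append((i, "random-looking throwaway subdomain"))
    return findings

SAMPLE_CHAIN = [  # URLs from the post; 301/302/200 and content types are constructed
    ("http://goo.gl/dKsbKb", 301, "text/html"),
    ("http://37d44346f.adviceesan.com/imagesnews-2015/image-8bc987c_556f9d400361.jpeg", 302, "text/html"),
    ("http://5kvvnv.advicekh.com/explore-09/", 200, "text/html"),
]
```

Calling analyse_chain(SAMPLE_CHAIN) yields four findings: the shortener on hop 0, the fake image plus random subdomain on hop 1, and the random subdomain on hop 2; fetch_chain(url) builds the same hop list from a live URL without rendering any page.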

On that page you are asked to “log into facebook”.

If you do.. it will accept your username and password and check whether they are valid. If they are invalid you will be shown an invalid-login message on the phishing page and asked to try again!

[Image: facebook phishing ajax]

If you provide valid details the phishing site goes off and connects to some other part of their scam infrastructure and logs into Facebook, supposedly using “Facebook for Android” and.. quite interestingly.. from the valid and genuine IP addresses of two different mobile network providers. They don’t just attempt the connection from the same server hosting the phishing site.

82.132.247.101 (dab-rcn1-h-25-9.dab.02.net, the O2 network in the UK)
213.205.251.23 (the EE network, aka T-Mobile & Orange, in the UK)

[Image: facebook suspicious logins]

I can only assume they fake the Facebook app (or have shoehorned their way into it somehow) and use a known mobile internet access IP to prevent facebook from thinking that it should challenge for more authentication information.

I’d love to see how the hackers handle their infrastructure and route requests via a phone or computer on a mobile network. Do they just proxy via a load of infected or hacked phones? Do they have a professional setup with a mobile broadband connection on a dedicated computer?

Their system seems to fall over if you turn on second-factor authentication (Login codes!) to send you an SMS or use an app to generate a code. This is worth enabling and seems to protect your account:

https://www.facebook.com/settings?tab=security&section=approvals&view

[Image: phishing prevented with login code enabled]

Yet the phishing page continues on as if it had worked.. I guess they only check for a password rejection and don’t detect if a challenge / authentication code is asked for.

More information about the hosting infrastructure.

All the phishing domains seem to use the name servers NS1.ADVICE-COMPUTER.COM and NS2.ADVICE-COMPUTER.COM.

These nameservers have had at least 367 domains registered against them in the past, all with similarly spammy names to the original phishing URLs.

Quite some operation. I wonder what their end game is.. just a spider of further phishing doesn’t seem valuable. Possibly trying to track down people who are owners or admins on very popular “facebook places / pages” ? I would love a glimpse into the minds and systems of these people.


One Response to What the Facebook Phishing spam messages do..

Hi – I’ve been browsing your blog a bit. Very cool, interesting reading.

Thanks, R.
