If you are a Facebook user you have probably seen one of these appear on someone’s timeline.
In this case they link you to http://goo.gl/dKsbKb which then, in this instance, sends you on to:
Which then sends you on to:
The first section, 5kvvnv, is random and can be anything. The second part, advicekh, sometimes changes to another domain, advicekcs.com, instead.
On that page you are asked to “log into facebook”.
If you do.. it will accept your username and password and check if it is valid. If it is invalid you will be presented with an invalid message on the phishing page and asked to try again!
If you provide valid details the phishing site goes off and connects to some other part of their scam infrastructure and logs into Facebook supposedly using “Facebook for Android” and.. quite interestingly.. from the valid and genuine IP addresses of two different mobile network providers.
They don’t just attempt the connection from the same server hosting the phishing site.
220.127.116.11 “dab-rcn1-h-25-9.dab.02.net” (The O2 network in the UK)
18.104.22.168 (The EE network (aka. T-mobile & Orange) in the UK)
I can only assume they fake the Facebook app (or have shoehorned their way into it somehow) and use a known mobile internet access IP to prevent Facebook from thinking that it should challenge for more authentication information.
I’d love to see how the hackers handle their infrastructure and route requests via a phone or computer on a mobile network. Do they just proxy via a load of infected or hacked phones? Do they have a professional setup with a mobile broadband connection on a dedicated computer?
Their system seems to fall over if you turn on the 2nd factor authentication (Login codes!) to send you an SMS or use an app to generate a code. This is worth enabling and seems to protect your account:
Yet the phishing page continues on as if it had worked.. I guess they only check for a password rejection and don’t detect if a challenge / authentication code is asked for.
More information about the hosting infrastructure.
All the phishing domains seem to use
Name Server: NS1.ADVICE-COMPUTER.COM
Name Server: NS2.ADVICE-COMPUTER.COM
These nameservers have at least 367 domains registered to them in the past all with similarly spammy names to the original phishing urls. Here are just a few:
Quite some operation. I wonder what their end game is.. just a spider of further phishing doesn’t seem valuable. Possibly trying to track down people who are owners or admins on very popular “Facebook places / pages”? I would love a glimpse into the minds and systems of these people.
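The two indicators described above (a random first label in front of an advicekh / advicekcs.com host, and the shared ADVICE-COMPUTER.COM nameservers) can be combined into a small triage check for URLs seen in proxy or mail logs. This is an added example, not part of the original post; the sample URLs, the `.example` TLD and the WHOIS text are constructed, and the code assumes a single-label TLD.

```python
import re
from urllib.parse import urlsplit

# Indicators taken from the post.
CAMPAIGN_LABELS = {"advicekh", "advicekcs"}
CAMPAIGN_NS = {"ns1.advice-computer.com", "ns2.advice-computer.com"}

NS_LINE = re.compile(r"^\s*Name Server:\s*(\S+)\s*$", re.I | re.M)


def nameservers(whois_text):
    """Return the lower-cased nameservers listed in raw WHOIS text."""
    return {ns.rstrip(".").lower() for ns in NS_LINE.findall(whois_text)}


def triage(url, whois_text=""):
    """Return the reasons a URL matches the campaign (empty list = no match)."""
    host = (urlsplit(url).hostname or "").rstrip(".").lower()
    labels = host.split(".")
    reasons = []
    # Pattern from the post: <anything>.<advicekh|advicekcs>.<tld>
    # Assumption: the TLD is a single label, so the registered name is labels[-2].
    if len(labels) >= 2 and labels[-2] in CAMPAIGN_LABELS:
        reasons.append("campaign-domain")
    # A new, differently named domain still stands out by its nameservers.
    if nameservers(whois_text) & CAMPAIGN_NS:
        reasons.append("campaign-nameserver")
    return reasons


# Constructed sample input (not real log data).
SAMPLE_WHOIS = (
    "Domain Name: UNRELATED.EXAMPLE\r\n"
    "Name Server: NS1.ADVICE-COMPUTER.COM\r\n"
    "Name Server: NS2.ADVICE-COMPUTER.COM\r\n"
)
SAMPLES = [
    ("http://5kvvnv.advicekcs.com/", ""),
    ("http://x9.advicekh.example/login", ""),
    ("http://news.unrelated.example/", SAMPLE_WHOIS),
    ("http://advicekcs.com.other.example/", ""),
    ("https://www.facebook.com/login", ""),
]

if __name__ == "__main__":
    for url, whois_text in SAMPLES:
        print(url, triage(url, whois_text) or "no match")
```

The nameserver check is the more durable of the two, since the post notes the domain names themselves keep changing.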