Facebook Phishing Campaign Employing Malicious Tumblr Pages
The general population may have had its fill of Facebook at this point, but attackers sure haven’t. There is a new round of Facebook-related spam that is using fake messages about recent crimes involving recipients’ friends as a lure to direct them to Tumblr pages serving exploits.
The campaign comprises several different individual messages purporting to come from a victim’s Facebook friends, but all of them are using some variant of the same scam. The message says that either the sender or a close friend or relative has been the victim of a crime and needs the recipient’s help. The messages include a link to a Tumblr page that supposedly shows some images of the criminals. However, the link then redirects the victim to a phishing page that is a very close approximation of the Facebook site, researchers at the SANS Internet Storm Center said.
“The Tumblr links follow a pattern, but appear to be different for each recipient. The host name is always two or three random English words, and the URL includes a few random characters as an argument. The preview of the Tumblr page lists some random words and various simple icons,” Johannes Ullrich wrote in an analysis of the attacks.
“Once the user clicks on the link to the Tumblr page, they are immediately redirected to a very plausible Facebook phishing page, asking the user to log in. The links I have seen so far use the ‘noxxos.pw’ domain, which uses a wildcard record to resolve to 198.50.202.224 .”
If the user ends up on the fake Facebook page, he is then presented with a dialog that asks for his Facebook username and password, along with a secret question. The site also tries to run a Java applet, which may contain an exploit, Ullrich said. That sends the user to a fake YouTube page, which asks the victim to install a fake video player, which is actually a downloader for malware. Ullrich said that detection for the malware on VirusTotal is fairly low right now, with about 25 percent of anti-malware software detecting it.
“As an indicator of compromise, it is probably best right not to look for DNS queries for ‘noxxos.pw’ as well as connections to 198.50.202.224 (which is likely going to change. The server only returns 404 errors right now),” he said.