Spamvertised ‘Confirmed Facebook Friend Request’ Themed Emails Serve Client-Side Exploits

A currently circulating malicious spam campaign entices users into thinking that they’ve received a legitimate ‘Friend Confirmation Request‘ on Facebook. In reality, though, the campaign attempts to exploit client-side vulnerabilities, CVE-2010-0188 in particular (the Adobe Reader/Acrobat libtiff vulnerability, delivered here through a malicious PDF).


Client-side exploits serving URL:
hxxp://facebook.com.n.find-friends.lindoliveryct.net:80/news/facebook-onetime.php?dpheelxa=1l:30:1l:1g:1j&pkvby=h&rzuhhh=1h:33:1o:2v:32:1o:2v:1o:1j:1m&ycxlcvr=1f:1d:1f:1d:1f:1d:1f


Detection rate for the malicious PDF: MD5: 39326c9a2572078c379eb6494dc326ab – detected by 3 out of 45 antivirus scanners as PDF/Blacole-FAA!39326C9A2572; Exploit:Win32/CVE-2010-0188; Exploit.Script.Pdfka.btvxj

Domain name reconnaissance:
facebook.com.n.find-friends.lindoliveryct.net – 66.230.163.86; 95.111.32.249; 188.134.26.172 – Email: zsupercats@yahoo.com

Responding to the same IPs (66.230.163.86; 95.111.32.249; 188.134.26.172) are also the following malicious domains:
actiry.com – Email: stritton@actiry.com
askfox.net – Email: bovy@askfox.net
bnamecorni.com
briltox.com – Email: lyosha@briltox.com
condalinneuwu37.net
condrskajaumaksa66.net
cyberflorists.su – Email: mipartid@gmx.com
evishop.net – Email: hardwicke@evishop.net
exnihujatreetrichmand77.net
gondorskiedelaahuetebanj88.net
gotoraininthecharefare88.net
liliputttt9999.info – Email: dolgopoliy.alexei@yandex.ru
lucams.net – Email: renault@lucams.net
micnetwork100.com – Email: 369258wq@sina.com
musicstudioseattle.net – Email: rexona1948@live.com
nvufvwieg.com – Email: 369258wq@sina.com
partyspecialty.su – Email: mipartid@gmx.com
pinterest.com.onsayoga.net
quill.com.account.settings.musicstudioseattle.net
seoworkblog.net – Email: mendhamnewjersey@linuxmail.org
tigerdirect.com.secure.orderlogin.asp.palmer-ford.net
tor-connect-secure.com – Email: 369258wq@sina.com
vip-proxy-to-tor.com
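Several of the hostnames above lead with a well-known brand (facebook.com, pinterest.com, quill.com, tigerdirect.com) while the registrable domain is the attacker's (lindoliveryct.net, onsayoga.net, and so on), and the whole set shares three hosting IPs. The following Python is an added example, not code from the post or its author: it parses constructed proxy-style log lines (timestamp, client IP, destination IP, method, URL, status; the format is an assumption) and flags a request when the host is a listed indicator, shares a registrable domain with one, spoofs a brand through its leading labels, or was served from one of the three shared IPs. The registrable-domain helper takes the last two labels, which is correct for the indicators on this page but not for multi-label public suffixes such as co.uk.

```python
import re
from urllib.parse import urlparse

# Indicators taken from the post above.
SHARED_IPS = {"66.230.163.86", "95.111.32.249", "188.134.26.172"}
KNOWN_BAD_HOSTS = {
    "facebook.com.n.find-friends.lindoliveryct.net",
    "pinterest.com.onsayoga.net",
    "quill.com.account.settings.musicstudioseattle.net",
    "tigerdirect.com.secure.orderlogin.asp.palmer-ford.net",
    "tor-connect-secure.com",
}
# Brands the campaign's hostnames impersonate as leading labels; extend as needed.
SPOOFED_BRANDS = {"facebook.com", "pinterest.com", "quill.com", "tigerdirect.com"}

# Assumed log layout (constructed for this example, not a real product format):
# <timestamp> <client_ip> <dest_ip> <METHOD> <url> <status>
LOG_LINE = re.compile(
    r"^(?P<ts>\S+) (?P<client>\S+) (?P<dest>\S+) (?P<method>[A-Z]+) (?P<url>\S+) (?P<status>\d{3})$"
)


def registrable_domain(host):
    """Last two labels of the hostname: a simplified eTLD+1 that is adequate for
    the indicators on this page but ignores multi-label public suffixes."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def spoofed_brand(host):
    """Return the brand a hostname impersonates when the brand appears as the
    leading labels but is not the registrable domain (e.g. facebook.com.evil.example);
    www.facebook.com is legitimate and returns None."""
    h = host.lower().rstrip(".")
    reg = registrable_domain(h)
    for brand in SPOOFED_BRANDS:
        if reg != brand and h.startswith(brand + "."):
            return brand
    return None


def classify(host, dest_ip):
    """Reasons a request to host/dest_ip matches the campaign; empty list if none."""
    reasons = []
    h = host.lower().rstrip(".")
    bad_registrable = {registrable_domain(b) for b in KNOWN_BAD_HOSTS}
    if h in KNOWN_BAD_HOSTS:
        reasons.append("known-bad host")
    elif registrable_domain(h) in bad_registrable:
        reasons.append("shares registrable domain with known-bad host")
    brand = spoofed_brand(h)
    if brand:
        reasons.append(f"leading labels spoof {brand}")
    if dest_ip in SHARED_IPS:
        reasons.append("destination IP in campaign hosting set")
    return reasons


def triage(lines):
    """Return (client_ip, host, reasons) for every log line that matches."""
    hits = []
    for line in lines:
        m = LOG_LINE.match(line.strip())
        if not m:
            continue  # malformed or unrelated line; skip rather than crash
        host = urlparse(m["url"]).hostname or ""
        reasons = classify(host, m["dest"])
        if reasons:
            hits.append((m["client"], host, reasons))
    return hits


# Constructed sample log: one exploit-kit landing request, one legitimate
# Facebook request, one sibling host on the attacker's domain, one brand-spoofing
# host on a different IP, and one malformed line.
SAMPLE_LOG = [
    "2013-02-01T09:12:03Z 10.1.2.3 66.230.163.86 GET "
    "http://facebook.com.n.find-friends.lindoliveryct.net/news/facebook-onetime.php?dpheelxa=1l:30 200",
    "2013-02-01T09:12:05Z 10.1.2.3 173.252.110.27 GET https://www.facebook.com/ 200",
    "2013-02-01T09:13:10Z 10.1.2.9 188.134.26.172 GET http://cdn.lindoliveryct.net/x.js 200",
    "2013-02-01T09:14:00Z 10.1.2.9 203.0.113.5 GET "
    "http://tigerdirect.com.secure.orderlogin.asp.palmer-ford.net/login 200",
    "garbage line that does not parse",
]

if __name__ == "__main__":
    for client, host, reasons in triage(SAMPLE_LOG):
        print(f"{client} -> {host}: {'; '.join(reasons)}")
```

The brand check deliberately compares against the registrable domain rather than searching for the brand anywhere in the string, so www.facebook.com passes while facebook.com.n.find-friends.lindoliveryct.net does not; the destination-IP check catches new hostnames pointed at the same hosting before they appear on any list.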

Name servers used in these campaigns:
Name Server: NS1.TEMPLATESWELL.NET – 94.249.254.48 – Email: freejob62@rocketmail.com
Name Server: NS1.THEGALAXYATWORK.COM – 94.249.254.48 – Email: samyideaa@yahoo.com
Name Server: NS1.MOBILE-UNLOCKED.NET – 91.227.220.104 – Email: usalifecoach47@mail.com
Name Server: NS2.MOBILE-UNLOCKED.NET – 32.100.2.98
Name Server: NS1.KNEESLAPPERZ.NET
Name Server: NS1.MEDUSASCREAM.NET – 37.247.108.250 – Email: m_mybad@yahoo.com
Name Server: NS1.CREDIT-FIND.NET – 194.209.82.222 – Email: mendhamnewjersey@linuxmail.org
Name Server: NS1.GONULPALACE.NET – 194.209.82.222 – Email: mitinsider@live.com
Name Server: NS1.NAMASTELEARNING.NET – 93.178.205.234 – Email: minelapse2001@outlook.com
Name Server: NS2.NAMASTELEARNING.NET – 205.28.29.52

The following malicious MD5s are also known to have phoned back to, or been downloaded from, the same IPs in the past:
MD5: e08c8ed751a3fc36bc966e47b76e2863
MD5: f507b822651d2fbc82a98e4cc7f735a2
MD5: f88d6a7381c0bbac1b1558533cfdfd62
MD5: 11be39e64c9926ea39e6b2650624dab4
MD5: ea893fb04cc536ff692cc3177db7e66f
MD5: c8f8b4c0fced61f8a4d3b2854279b4ef
MD5: 93bae01631d10530a7bac7367458abea
MD5: 199b8cf0ffd607787907b68c9ebecc8b
MD5: 6b1bef6fb45f5c2d8b46a6eb6a2d5834
MD5: 9eb6ed284284452f7a1e4e3877dded2d
MD5: efacf1c2c6b33f658c3df6a3ed170e2d
MD5: 7c70d5051826c9c93270b8c7fc9d276f
MD5: dcb378d6033eed2e01ff9ab8936050a0
MD5: 8556f98907fd74be9a9c1b3bf602f869

Updates will be posted as soon as new developments take place.
