Following to the Osama's Spam spreads to Facebook, we also saw link that lead to similar pages being distributed through Facebook Chat. This time the chat message appeared with "See who views your profile @ facebook.com/pages/See-Who-Viewed-Your-Profile/20xxxxxxxx?"
Once clicked on that link, it will redirecting victim to following page that is shown like below. Followed the given instructions will leads victim to another survey page. If noticed closely, "4532.36.TK/verify.js" is the JavaScript used to trigger Survey Pop Up and some spam posted to victim Facebook profile.
Code:
Without surprise, malicious script submitted to Virustotal has return with no detection. (0.0%)
filename: verify.js
Hash: c96ad917af8c7a32e17f0c8e65d94444c6ee2777 (SHA1)
Victim are instructed to response with the survive in-order to proceed to watch video that shown at background. From the links which end with *.mobi, so obvious they are targeting mobile users too.!
Suspicious links:
hxxxp://453236.tk/verify.js
hxxxp://ow.ly/4LNpd
hxxxp://clickily.ws/zyaeom
hxxxp://www.mytimecount.info/red.php
hxxxp://impressionvalue.mobi/gwjs.php?
hxxxp://impressionlead.com
hxxxp://www.impressionvalue.mobi
hxxxp://impressionlead.com/
hxxxp://www.wixawin.com/pages/default.aspx?
hxxxp://www.gbstrax.com/
hxxxp://v2.ringaling.tv/
hxxxp://ad.mozzi.biz/index.php?
184.107.51.109
coolrevenge.info
loveme71.tk
69.197.155.190
mytimecount.info
72.32.87.240
bannersurvey.biz
clickperformance.net
impressionaffiliate.com
impressionaffiliate.mobi
impressionlead.com
impressionperformance.biz
impressionpromotion.info
impressionwidget.net
impressionvalue.mobi
194.140.230.92
funclub-brasil.com
maxitext-brasil.com
srv1.wixawin.com
txt-services.com
www.funclub-brasil.com
www.wixawin.com
78.136.0.178
cheapquote4.co.uk
whooshuk.co.uk
www.dvd-movie-sale.co.uk
www.entertainmentuk.com
www.shopperuk.co.uk
www.shopperuk.com
210.5.44.232
mozzi.biz
www.mozzi.biz
0 comments:
Post a Comment