ISC Spotted Tumblr Pages in Facebook Phishing Campaign
According to researchers at the SANS Internet Storm Center (ISC), a new spam campaign, purporting to come from a Facebook friend who has been victimized by spam email, is currently spreading like wildfire on the Web.
The initial lure is a notification that a user might receive from a Facebook friend whose account has been hijacked. The message reportedly contains a link to images showing an offense committed against the friend or a close relative of the friend. The exact message varies, and the images claim to be hosted on Tumblr, a well-known blogging site.
The Tumblr links follow a pattern but appear to be different for each recipient: the host name always consists of two or three random English words, and the link includes some random characters as an argument. The sample Tumblr page displays some arbitrary words and various simple icons.
Once the recipient clicks the link to the Tumblr page, they are immediately sent to what is very likely a Facebook phishing page that asks the recipient to log in.
Threatpost.com published a statement on 11th December, 2013 quoting Johannes Ullrich, Chief Research Officer of SANS, as saying that the links seen so far use the 'noxxos.pw' domain.
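The redirect chain described above can be hunted for in web proxy logs. The Python below is an added example, not code from ISC or from the original article: it flags clients that request a lure-shaped Tumblr URL and then reach the noxxos.pw domain shortly afterwards. The log format, the sample lines, the 60-second window, the treatment of the "argument" as a query string, the host-name and argument patterns, and the reading that noxxos.pw is where the redirect lands are all assumptions.

```python
import re
from datetime import datetime, timedelta
from urllib.parse import urlsplit

# Constructed proxy log (timestamp, client IP, URL); hosts and paths are made up
# except the noxxos.pw domain, which the article names.
SAMPLE_LOG = """\
2013-12-11T10:00:01 10.0.0.5 http://bluehousetree.tumblr.com/?xk3f9a
2013-12-11T10:00:03 10.0.0.5 http://login.noxxos.pw/facebook/
2013-12-11T10:05:00 10.0.0.7 http://staff.tumblr.com/post/123
2013-12-11T10:06:00 10.0.0.8 http://www.noxxos.pw/
2013-12-11T10:07:00 10.0.0.9 http://quietredfox.tumblr.com/?a8Zq1
2013-12-11T10:20:00 10.0.0.9 http://example.org/
"""

# Assumed heuristics: all-letter blog name (run-together words) and a short
# alphanumeric query string standing in for the "random characters" argument.
LURE_HOST = re.compile(r"^[a-z]{6,}\.tumblr\.com$")
LURE_ARG = re.compile(r"^[A-Za-z0-9]{4,}$")
LANDING_DOMAIN = "noxxos.pw"

def is_lure(url):
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    return bool(LURE_HOST.match(host) and LURE_ARG.match(parts.query))

def is_landing(url):
    host = (urlsplit(url).hostname or "").lower()
    return host == LANDING_DOMAIN or host.endswith("." + LANDING_DOMAIN)

def find_hits(log_text, window=timedelta(seconds=60)):
    """Return (client, verdict, lure_url, landing_url) for each landing request."""
    last_lure = {}  # client -> (time, url) of the most recent lure-shaped request
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, client, url = line.split(maxsplit=2)
        when = datetime.fromisoformat(ts)
        if is_lure(url):
            last_lure[client] = (when, url)
        elif is_landing(url):
            seen = last_lure.get(client)
            if seen and when - seen[0] <= window:
                hits.append((client, "lure-then-landing", seen[1], url))
            else:
                hits.append((client, "landing-only", None, url))
    return hits

if __name__ == "__main__":
    for hit in find_hits(SAMPLE_LOG):
        print(hit)
```

A "lure-then-landing" verdict marks a client that most likely followed the spam link, so the Facebook credentials used on that machine are the ones to reset first.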
If the user ends up on the bogus Facebook page, they are presented with a dialog box that asks for their Facebook username and password together with a 'secret question'. Ullrich said that the site also attempts to run a Java applet that may contain an exploit.
It directs the user to a bogus YouTube page that tells the victim to install a fake video player that is actually a malware downloader. Ullrich noted that detection of this malware on VirusTotal is fairly low as of now, with a mere 25% of anti-malware software identifying it.
Finally, Tumblr has faced similar attacks in the past: it was exploited by a worm in December 2012. At that time, a computer worm spread across Tumblr, defacing pages with an abusive message written by the notorious Gay Nigger Association of America (GNAA), a known group of mysterious troublemakers.
» SPAMfighter News - 20-12-2013