Tag Archive | "Spam"

An open letter to Facebook about safety and privacy

Dear Facebook,

As you know, for some years we have been discussing with your security team our concerns about safety and privacy on Facebook.

Every day, victims report to us numerous incidents of crime and fraud on Facebook. They have been personally affected and are desperate for advice on how to deal with the consequences.

A frequent refrain from users who contact us is, ‘Why doesn’t Facebook do more to protect us?’

We have identified three simple steps you can take to better protect your users:

1) PRIVACY BY DEFAULT

No more sharing of information without your users’ express agreement (OPT-IN). Whenever you add a new feature to share additional information about your users, you should not assume that they want this feature turned on.

2) VETTED APP DEVELOPERS

It is far too easy to become a developer on Facebook. With over one million app developers already registered on the Facebook platform, it is hardly surprising that your service is riddled with rogue applications and viral scams. Only vetted and approved third-party developers should be allowed to publish apps on your platform.

3) HTTPS FOR EVERYTHING

We welcome you recently introducing an HTTPS option, but you left it turned off by default. Worse, you only commit to provide a secure connection “whenever possible”. Facebook should enforce a secure connection all the time, by default. Without this protection, your users are at risk of losing personal information to hackers.

Why wait until regulators force your hand on privacy? Act now for the greater good of all.

Your users tell us that these are issues they want resolved. So our question is simple: when do you plan to act?

Sincerely,

Naked Security

Posted in Sophos

Doctor Who calling-on Skype, with malware

Earlier this week I received a Skype call on my laptop; the caller ID was “dralerthelpzc8”, as in Dr Alert Help ZC8. The voice on the other end was automated, computerized and otherwise non-human, and told me that I had a virus affecting Windows Vista, Windows XP and Windows 7 and that I needed to visit a website to download an update. (This is similar to the situation where a live person calls, purports to be a Microsoft employee and offers to help clean your computer. We want to point out that no Microsoft employee would ever call you unsolicited.)

I found the mystery Skype call odd on two counts: one, I work for a security company that develops antimalware software, and two, my Skype settings were set not to show whether I’m online. Apparently my privacy settings had no effect on whether I received a random call. More on that later.

After checking various forums about this ‘helpful’ (not!) voice alert, I discovered that many people in the Skype community have received similar calls. There were many references to “scam” and “rogue AV scanners”, so my gut feeling was not far off. Some forums also included screenshots showing a tell-tale sign that the referenced site did indeed distribute rogue software.

According to IP records, the site mentioned in the automated call (sos**.com, obfuscated intentionally) belongs to ASN 4134, aka CHINANET-BACKBONE, which has a long list of IP addresses known to distribute malicious code. I attempted to visit the site; however, it was already offline, returning an HTTP 404. A cached copy was available, and it resembled a fake scanner web page:

 

Image 1 – cached page sos**.com

 

One forum displayed a screenshot, captured in March, of a system tray dialog that looked vaguely familiar. Below is a copy of the message text:

 

Warning errors detected

Click here to view errors list.
Remove this errors as soon as possible to prevent
data lost and privacy information exposure

 

This error message was also used by Trojan:Win32/FakeSpyguard in 2008. The forum mentioned that clicking the system tray message redirects the web browser to an online purchasing site (also offline) where you can enter a credit card number to buy the (presumed) rogue software.

Reviewing the sequence of events, I decided to change my Skype settings to prevent future spam calls of this nature, for instance:

  • select ‘Allow calls from people in my Contact list only’
  • select ‘Show that I have video to people in my Contact list only’
  • select ‘Automatically receive video and screen sharing from people in my Contact list only’
  • select ‘Allow IMs from people in my Contact list only’
  • unselect ‘Allow my online status to be shown on the web’


Image 2 – Skype privacy settings


For more articles on Skype security, visit this link on the Skype product site:
http://www.skype.com/intl/en-us/security/

- Dan Nicolescu & Patrick Nolan, MMPC

Posted in Microsoft

“Cake Decoration Lesson” spam

I can only assume that this is some sort of strange scam. The email originates from 74.55.158.162 which is flagged as being quite spammy.

Subject: CAKE DECORATION LESSON::::::::::::::::::
From: Omiky Aneke <omikychartin@blumail.org>
Reply-To: omiky1aneke@yahoo.co.uk

Hello,
How are you doing today ?  My name is OMIKY ANEKE I want to book for CAKE DECORATION LESSON Workshops Classes with you while on a 2weeks holidays in your
country.We are a group of 10 people seeking for CAKE DECORATION LESSON: Workshops
training while on holidays and as part of our plans we need CAKE DECORATION LESSON for the whole 2weeks in
your area.
I would like to book for 2weeks classes for 3 hours each day Monday to
Saturday (morning hours) for a group of 10. We are asking for 3 hours per
day for 2weeks – Monday – Saturday. A total of 36 hrs
Do you have a training facility where you conduct classes? We can arrange
for this,if not available.   Do you have rooms or is there any hotel close
to your facility?
DATE: 7TH JUNE 2011 TO 21 JUNE 2011
I would love to know the possibility of working with you during this
period.Kindly get back to me with your proposals so that we can make booking
asap.
The group would be performing for a group of family members over there. I
would love to get the total cost or a quote/estate. What are your payment
options?  Do you accept credit cards? I would be grateful if you will be
willing to do the work to teach quality classes and make us happy

Regards
OMIKY

Beats the heck outta me.

Posted in Security

Boxes of Money !

Phishing and 419 scams have been around for a while now, but their tactics never cease to amaze. We caught this most recent one in one of our honeypots and thought we would share it because of the “over-the-top” images sent.

 

Also note the horrific markup of the passport. 

—————————————————————————–

 

Email sent from: usermail.uni-ak.ac.at ([193.170.136.34])

Email Subject: urgent response

Email body:

Apologies for having to reach out to you like this, my name is Gideon Kerkula am from Liberia, I and my mother just arrived with 2 inherited trunk boxes which our late father kept in our under ground flat which we discover and we collected money from it and I took picture with the two trunk boxes, we need your help to clear the money from the custom and help us invest it in any profitable investment that will last for a life time, the US$35,000 we collected from the boxes we use it for clearance on Ivory Coast- Abidjan border and the settlement of the military and police force on the highway. Please I want you to keep it confidential between us.

 

I have also attached my passport and the picture I took with the 2 trunks boxes, please if there’s anything you don’t understand or you want to know, ask and we will enlighten you.

 

I appreciate and wait your response.Please reply to this email;GideonKerkula@removed.cn

 

Thanks,

 

Gideon kerkula

 

—————————————————————————–

 

Images that were attached:

 

 

You would have thought Gideon would have given up at this point – however, there is a follow-up.  Brace yourself for the sequel:

 

————————————————————————-

From: Kelvin Kerkular [mailto:kkelvin1979@removed.cz]
Sent: 07 April 2011 06:44
Subject: PRIVATE AND CONFIDENTIAL

From:
Kelvin and Vivian
Tel:233 26 750 6123

Dear Beloved,

My name is Kelvin Kerkular I am 32 years old, and my junior sister name is Vivian Kerkular, 29 years old, we are Citizens of Liberia, currently residing in the refugee camp in Ghana. I am contacting you solely on a business related issues.

I became an orphan some couple of years ago. I am contacting you about a need I have and I believe you are well able to help me after my severe and fervent prayer for God to link me up with some one who will be capable of helping me out from Ghana as my foreign beneficiary. It all depends on our trusting each other but I’ve chosen to contact you prayerfully and believing that you are the person that can help me.

The source of my parent’s death was believed to be from our detractors who are never happy that he was making so much progress. The issue is that my parents are diamond merchants in my country Liberia and they made too much money from the business, that prompted the government of Liberia to probe them.

For this reasons, during the crisis in Liberia, our home was among the first target by the Liberian rebels. They allegedly said that, my late parents have a close relationship with former president of Liberia President Charles Taylor) that was their reason of storming our home. My mother died immediately they storm our resident and my father sustained serious bruises that he could not survive while in the hospital. I and my younger sister Vivian managed to escape during the incident. As i am talking to you now, i and my younger sister are staying in Ghana for some obvious reasons that i will like to relay to you on your response to this message.

This is a confidential matter i will like to discuss with someone whom my spirits accepted to deal with. Because after my parents exit, the government of Liberia have taken over all of our belongings. They have also emptied my parents bank accounts left alone with a deposit which my late father made in a nearby country called Ghana during his trade to Ghana. No one knows of this deposit, it is only me as the next of kin. And my father had earlier warned me not to disclose this issue to anyone before he died in the hospital after the incident that cause his death. Today I and my younger sister fend for ourselves here in Ghana.

And life has been very difficult since the government of Ghana started their deportation exercise which says that we refugees should evacuate their Bujumbura refugee camp to our various countries. Please my dear beloved, our plans now are to relocate from Ghana since we can not afford to go back to Liberia following our past experience as they killed our parents, but we will need to move out the fund left by my late father here in Ghana.
please according to my late father’s lawyer all we need now before these boxes can leave Ghana to  is your full contact information so as to enable the lawyer work out the papers that will back up the shipment to your location. Please i believe my lawyer will explain more better to you as soon as you come in contact with him.

Once you agree to help us move this fund, we will link you up with our late father’s lawyer who will help us in securing all the necessary documents for the shipment. As soon as we agree, we will come to your country where I and my sister will invest the money under your guide. So please let us know what will be your compensation or percentage for helping me and my sister out.

In the attached files, you will see a photograph picture which my late father took me before he made the deposit as a proof, and a picture of my sister, Vivian. Please the lawyer have not seen this picture as my father warned me not to disclose the content of the boxes to anyone except to some one whom i have chosen to be my foreign beneficiary, and also attached are the copies of the documents that is covering the fund in the keeping company, so i want you to go through them carefully. sometime ago there was a problem in the camp and my sister lost her Liberia passport but the lawyer agreed to get her a Ghana passport if we are ready to travel out of Ghana to meet with our foreign beneficiary.

Please NOTE that the earlier you help us the better as you will be doing Almighty God a great favor because our lives are no more safe with these people over here. I will need your reply stating your readiness to help in seeing this through.

We will be needing your details as follows:
(1) Your Full Names.
(2) Your Home or Office Address.
(3) Your cell phone Number.
(4) Occupation.
(5) Age.

Please feel free if you have any question to ask.

Thanks and be bless
Kelvin and sister.

————————————————————————-

And yup, you guessed it: more convincing attachments:

 

 

And finally, the cream of the crop: a convincing photo of Vivian, Gideon’s or (as he prefers in the second email message) Kelvin’s sister.

Well, Kelvin Gideon Kerkula if that is your real name… consider this. You have been named and shamed.  Unfortunately your overzealous tactics in an attempt to ‘social engineer’ or to convince me and everyone else do not work. 

I wonder what the next in the trilogy will be…

Of course Websense customers are being continually protected against phishing emails such as these with our Advanced Classification Engine, ACE.

Posted in Security

New Android.Spy modification turns smart phones into zombies

Doctor Web, the Russian anti-virus vendor, has announced the discovery of a malicious program belonging to the Android.Spy family. Once the Trojan gets onto a mobile device, it covertly starts sending SMS spam as commanded by the criminals. In addition, Android.Spy.54 adds certain web addresses to the browser bookmarks on the phone. The new threat most probably originates from China.

The Android.Spy family became well known in autumn 2010. Besides retrieving and modifying contacts and SMS data, sending SMS and reporting the device’s location, Android.Spy variants can set themselves to launch automatically. Some are loaded when the phone is switched on; their purpose is to collect the phone’s identifiers, set certain search parameters in search-engine forms and open links.

The new Android.Spy modification was discovered by Doctor Web’s analysts on April 12, 2011 and added to the Dr.Web virus database the same day. At the time of writing only Dr.Web detects it. Malicious programs for Android are appearing with increasing frequency: only two weeks ago a new version of the SMS Trojan Android.SmsSend was discovered.

Android.Spy.54 was found on the Chinese site www.nduoa.com, which offers a collection of applications for the Android platform. The Trojan was bundled into Paojiao, a widget that lets users call or send SMS to selected numbers. Spreading alongside a legitimate program is the standard distribution model for the Android.Spy family.

The new modification registers a background service that connects to a malicious site and sends the victim’s identity information (such as the IMEI and IMSI) to the criminals. The Trojan also downloads an XML file containing commands that make it send spam SMS from the compromised device and add certain sites to the browser bookmarks.

If a program unexpectedly requires additional privileges for its operation, treat that as a strong sign that the application you are installing incorporates malicious features. For example, if a genuine game only needs Internet access, a trojanized version will ask for more. If an application that raises your concern has no reason to work with SMS, calls, contacts and so on, do not install it. In addition, to protect your smart phone you can use Dr.Web for Android, available from the Android Market and from Doctor Web’s site.
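The permission check described above can be automated against a decoded manifest. The following is an added example, not code from Doctor Web or from any real application: it parses an AndroidManifest.xml as produced by a decoder such as apktool (binary AXML is not handled), lists the requested permissions, boot-time receivers and services, and compares them with the set an app of that kind should need. The sensitive-permission table, the package name com.example.puzzle and the manifest itself are constructed for the illustration.

```python
import xml.etree.ElementTree as ET

ANDROID = "{http://schemas.android.com/apk/res/android}"

# Permissions a simple game has no reason to hold (assumed review policy, not a Doctor Web list).
SENSITIVE = {
    "android.permission.SEND_SMS": "can send SMS (spam / premium-rate fraud)",
    "android.permission.RECEIVE_SMS": "can intercept incoming SMS",
    "android.permission.READ_SMS": "can read stored SMS",
    "android.permission.READ_CONTACTS": "can read the address book",
    "android.permission.WRITE_CONTACTS": "can modify the address book",
    "android.permission.CALL_PHONE": "can place calls",
    "android.permission.READ_PHONE_STATE": "can read IMEI/IMSI and the phone number",
    "android.permission.ACCESS_FINE_LOCATION": "can track location",
    "android.permission.RECEIVE_BOOT_COMPLETED": "can start itself when the phone boots",
    "com.android.browser.permission.WRITE_HISTORY_BOOKMARKS": "can add browser bookmarks",
}


def parse_manifest(xml_text):
    """Extract requested permissions, BOOT_COMPLETED receivers and services from a decoded manifest."""
    root = ET.fromstring(xml_text)
    perms = [e.get(ANDROID + "name") for e in root.iter("uses-permission")]
    boot_receivers = []
    for rcv in root.iter("receiver"):
        actions = [a.get(ANDROID + "name") for a in rcv.iter("action")]
        if "android.intent.action.BOOT_COMPLETED" in actions:
            boot_receivers.append(rcv.get(ANDROID + "name"))
    services = [s.get(ANDROID + "name") for s in root.iter("service")]
    return {"package": root.get("package"), "permissions": perms,
            "boot_receivers": boot_receivers, "services": services}


def assess(info, expected_permissions):
    """Compare what the app asks for with what an app of its kind should need."""
    unexpected = sorted(set(info["permissions"]) - set(expected_permissions))
    findings = [(p, SENSITIVE.get(p, "not needed by this kind of app")) for p in unexpected]
    if info["boot_receivers"]:
        findings.append(("BOOT_COMPLETED receiver", "auto-starts: " + ", ".join(info["boot_receivers"])))
    if info["services"] and unexpected:
        findings.append(("background service", "runs without UI: " + ", ".join(info["services"])))
    return {"unexpected": unexpected, "findings": findings,
            "verdict": "suspicious" if findings else "ok"}


# Constructed manifest for a hypothetical puzzle game (not a real app) that has been repackaged
# with a Trojan: the game itself only needs INTERNET.
GAME_EXPECTED = {"android.permission.INTERNET"}
TROJANIZED_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.puzzle">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
  <uses-permission android:name="com.android.browser.permission.WRITE_HISTORY_BOOKMARKS"/>
  <application android:label="Puzzle">
    <activity android:name=".MainActivity"/>
    <receiver android:name=".BootReceiver">
      <intent-filter>
        <action android:name="android.intent.action.BOOT_COMPLETED"/>
      </intent-filter>
    </receiver>
    <service android:name=".ReportService"/>
  </application>
</manifest>
"""

if __name__ == "__main__":
    report = assess(parse_manifest(TROJANIZED_MANIFEST), GAME_EXPECTED)
    print(report["verdict"])
    for what, why in report["findings"]:
        print(f"  {what}: {why}")
```

The expected set is per app category, so the same manifest would pass for a dialer widget that legitimately needs CALL_PHONE and SEND_SMS; the boot receiver plus a background service with no UI is the combination worth a second look regardless of category.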

Posted in DrWeb

Spamvertised “Reqest Rejected” Campaign Serving Scareware


A currently spamvertised scareware-serving campaign is enticing end users into downloading and executing a malicious binary, which drops a scareware variant.

Sample subject: Reqest rejected
Sample message: Dear Sirs, Thank you for your letter! Unfortunately we can not confirm your request! More information attached in document below. Thank you Best regards.
Sample attachments: EX-38463.pdf.zip; EX-38463.pdf.exe

Detection rate:
EX-38463.pdf.exe – TrojanDownloader:Win32/Chepvil.J – Result: 11/41 (26.8%)
MD5   : 5085794e6c283ebcfa3878805b9e7be7
SHA1  : 1fbd8d3b0a3479274d8f09543452bf724bcb245c
SHA256: c03711dbafae9b296daed8720f997d84caa5e5a5407a689926050a061d67b932

Upon execution downloads hdjfskh.net/ pusk.exe – 208.43.90.48 – Email: admin@firtryt.biz

Detection rate:
pusk.exe – FakeAlert-CN.gen.aa – Result: 13/42 (31.0%)
MD5   : a50a91176b5aeb96b8b77b99d587c485
SHA1  : c56b7ab2123dbd49902446ffcc0cf59d6a865857
SHA256: c912a975e3c2fc911d6550d86e8fd89dbd30e3d1e07d788b45aac0d6cf61e83c

Upon execution phones back to the following domains and ASs:


Phones back to : AS19875; AS8001; AS24940; AS32475; AS32097; AS19875
2bemojewedowigo.com – 78.46.105.205
bemolaqijicy.com – 99.198.114.206 – Email: vista@free-id.ru
celisesuho.com – 99.198.114.202 – Email: hush@bz3.ru
cixovatywo.com – 78.46.105.205 – Email: frenzy@ca4.ru
fytypoqywu.com – 64.46.38.94 – Email: fy4371215910301@domainidshield.com
gicyxepomer.com – 78.46.105.205 – Email: tabs@yourisp.ru
gopilezavyxiro.com – 78.46.105.205 – Email: hush@bz3.ru
hivanedak.com – 188.95.54.242 – Email: steps@ppmail.ru
hotilosire.com – 208.110.67.122 – Email: lathe@maillife.ru
jerakidukojoz.com – 78.46.105.205 – Email: wrap@cheapbox.ru
kupeqobujohaq.com – 64.46.38.145 – Email: soup@fastermail.ru
kytevaviqopoci.com – 78.46.105.205 – Email: fs@free-id.ru
pikilokykizanu.com – 65.254.54.77 – Email: dawn@free-id.ru
punajytapaci.com – 209.97.213.105 – Email: mire@maillife.ru
qisacugugu.com – 64.46.38.129 – Email: as@free-id.ru
qupajubica.com – 78.46.105.205 – Email: heard@bz3.ru
reruravobosila.com – 67.196.13.96 – Email: mon@ppmail.ru
rorodarof.com – 99.198.114.204 – Email: hush@bz3.ru
ruqydahec.com – 67.196.13.97 – Email: mon@ppmail.ru
sakafiduzipame.com – 78.46.105.205 – Email: build@ca4.ru
sykobodyducib.com – 208.110.67.102 – Email: lathe@maillife.ru
tetagyjaj.com – 78.46.105.205 – Email: kilt@bz3.ru
tibehewuk.com – 209.97.213.102 – Email: mon@ppmail.ru
tisatosyhimidy.com – 188.95.54.243 – Email: jan@free-id.ru
tyhiqymiwufuj.com – 208.110.67.121 – Email: dawn@free-id.ru
vakyditefo.com – 99.198.114.203 – Email: vista@free-id.ru
wamojafadezy.com – 78.46.105.205 – Email: acts@free-id.ru
wetotyger.com – 78.46.105.205 – Email: acts@free-id.ru
wixecyhobovy.com – 64.46.38.130 – Email: soup@fastermail.ru
wolycunanoqe.com – 72.9.233.98 – Email: lathe@maillife.ru
zajatimibuj.com – 208.110.67.119 – Email: bark@cheapbox.ru
zequcitamado.com – 99.198.114.205 – Email: vista@free-id.ru
punajytapaci.com/1017000412 – 209.97.213.105 – Email: mire@maillife.ru
tibehewuk.com/1017000412 – 209.97.213.102 – Email: mon@ppmail.ru

Monitoring of the campaign is ongoing.
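The callback list above is most useful once it is pivoted: eleven of the domains sit on one IP, others share a registrant address or a registrant mail provider, and the two URL entries are repeats of hosts already listed. The following added example (not part of Dancho Danchev’s post) parses the list exactly as printed, deduplicates by host and clusters it by IP, /24, registrant e-mail and registrant mail domain. The /24 grouping is a heuristic for spotting a shared hosting range, not evidence of common ownership.

```python
import re
from collections import defaultdict
from ipaddress import ip_network

# Callback infrastructure as listed in the post (domain – IP – registrant e-mail).
IOC_TEXT = """
2bemojewedowigo.com – 78.46.105.205
bemolaqijicy.com – 99.198.114.206 – Email: vista@free-id.ru
celisesuho.com – 99.198.114.202 – Email: hush@bz3.ru
cixovatywo.com – 78.46.105.205 – Email: frenzy@ca4.ru
fytypoqywu.com – 64.46.38.94 – Email: fy4371215910301@domainidshield.com
gicyxepomer.com – 78.46.105.205 – Email: tabs@yourisp.ru
gopilezavyxiro.com – 78.46.105.205 – Email: hush@bz3.ru
hivanedak.com – 188.95.54.242 – Email: steps@ppmail.ru
hotilosire.com – 208.110.67.122 – Email: lathe@maillife.ru
jerakidukojoz.com – 78.46.105.205 – Email: wrap@cheapbox.ru
kupeqobujohaq.com – 64.46.38.145 – Email: soup@fastermail.ru
kytevaviqopoci.com – 78.46.105.205 – Email: fs@free-id.ru
pikilokykizanu.com – 65.254.54.77 – Email: dawn@free-id.ru
punajytapaci.com – 209.97.213.105 – Email: mire@maillife.ru
qisacugugu.com – 64.46.38.129 – Email: as@free-id.ru
qupajubica.com – 78.46.105.205 – Email: heard@bz3.ru
reruravobosila.com – 67.196.13.96 – Email: mon@ppmail.ru
rorodarof.com – 99.198.114.204 – Email: hush@bz3.ru
ruqydahec.com – 67.196.13.97 – Email: mon@ppmail.ru
sakafiduzipame.com – 78.46.105.205 – Email: build@ca4.ru
sykobodyducib.com – 208.110.67.102 – Email: lathe@maillife.ru
tetagyjaj.com – 78.46.105.205 – Email: kilt@bz3.ru
tibehewuk.com – 209.97.213.102 – Email: mon@ppmail.ru
tisatosyhimidy.com – 188.95.54.243 – Email: jan@free-id.ru
tyhiqymiwufuj.com – 208.110.67.121 – Email: dawn@free-id.ru
vakyditefo.com – 99.198.114.203 – Email: vista@free-id.ru
wamojafadezy.com – 78.46.105.205 – Email: acts@free-id.ru
wetotyger.com – 78.46.105.205 – Email: acts@free-id.ru
wixecyhobovy.com – 64.46.38.130 – Email: soup@fastermail.ru
wolycunanoqe.com – 72.9.233.98 – Email: lathe@maillife.ru
zajatimibuj.com – 208.110.67.119 – Email: bark@cheapbox.ru
zequcitamado.com – 99.198.114.205 – Email: vista@free-id.ru
punajytapaci.com/1017000412 – 209.97.213.105 – Email: mire@maillife.ru
tibehewuk.com/1017000412 – 209.97.213.102 – Email: mon@ppmail.ru
"""

# domain[/path] – IPv4 [– Email: address]; the separator is an en dash or a hyphen.
LINE_RE = re.compile(
    r"^(?P<domain>[a-z0-9.-]+)(?:/\S*)?\s+[–-]\s+(?P<ip>\d{1,3}(?:\.\d{1,3}){3})"
    r"(?:\s+[–-]\s+Email:\s+(?P<email>\S+))?$"
)


def parse_iocs(text):
    """One record per host; a host listed again with a URL path is the same infrastructure, so it is not counted twice."""
    records = {}
    for line in text.strip().splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            raise ValueError("unparsed line: " + line)
        domain = m["domain"]
        if domain in records:
            continue
        email = m["email"]
        records[domain] = {"domain": domain, "ip": m["ip"], "email": email,
                           "email_domain": email.split("@", 1)[1].lower() if email else None}
    return list(records.values())


def cluster(records, key):
    """Group domains by key(record), largest groups first; records with no key value are skipped."""
    groups = defaultdict(list)
    for r in records:
        k = key(r)
        if k is not None:
            groups[k].append(r["domain"])
    return dict(sorted(groups.items(), key=lambda kv: (-len(kv[1]), kv[0])))


def pivot_report(records):
    return {
        "by_ip": cluster(records, lambda r: r["ip"]),
        "by_net24": cluster(records, lambda r: str(ip_network(r["ip"] + "/24", strict=False))),
        "by_registrant": cluster(records, lambda r: r["email"]),
        "by_registrant_domain": cluster(records, lambda r: r["email_domain"]),
    }


RECORDS = parse_iocs(IOC_TEXT)
REPORT = pivot_report(RECORDS)

if __name__ == "__main__":
    for view, groups in REPORT.items():
        print(view)
        for k, domains in list(groups.items())[:3]:
            print(f"  {k}: {len(domains)} domains")
```

The by_ip view gives the shortest blocklist (22 addresses cover all 32 hosts), while the registrant views are what you feed back into passive DNS or WHOIS searches to find domains the campaign has not used yet.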

This post has been reproduced from Dancho Danchev’s blog. Follow him on Twitter.

Posted in Security

Twitter spam and viagra galore

Spam mails claiming to be from Twitter that send you to pharmacy sites are a popular wheeze for spammers, and here we go again.



It seems I have “two PR messages from Twitter”. If that wasn’t enough to get me clicking (it isn’t), I can also join in on sports conversations, argue with bloggers and tell the World when I stumble into some form of natural disaster.

Hammering one of the many links will actually take me to 219(dot)84(dot)119(dot)56/afternoon(dot)html, which will send me to pharmacydrugstorehealthprofessionals(dot)net.



All the Cialis you can eat!

That might not be a good idea though.

Bear in mind that spam blasts like the one above can sometimes lead to malware most horrid, so – as always – stay safe (and don’t go messing with random pills bought on the internet, either).

Christopher Boyd

Posted in GFI Software


Spam Asks Recipients to Join Jasmine Revolution

After the Tunisian Revolution (also called the Jasmine Revolution by many media organizations) in late 2010 or early 2011, “Jasmine” became a hot word in China.

Last week, a friend of mine in China received an email with an attached Microsoft Word document (RTF) titled “My thoughts on the jasmine flower” (the document is in Chinese). He had no idea who the sender was. When he opened the document and read it, to his surprise the author tried to persuade him to join a demonstration called the “Jasmine Revolution”. He was even more surprised when he later found out that his computer had been infected with a backdoor Trojan.

 

After checking the RTF file, I found that this sample tries to exploit CVE-2010-3333, an older stack-based buffer overflow in Microsoft Word’s RTF parser. With a crafted RTF file an attacker can execute arbitrary code on the user’s machine. One of my colleagues at Trend Micro already reported malware exploiting this vulnerability late last year, and Microsoft had patched it a month before that in MS10-087.

This is now detected as TROJ_ARTIEF.KER. Below is a snippet of the crafted data, including part of the shellcode; the data is hex-encoded. Note the familiar address 7ffa4512, which is commonly used as a jmp esp gadget in buffer overflow exploits.

 

The payload is a PE file (detected as BKDR_IRCBOT.KER) embedded in the RTF file. When the shellcode runs, it obtains a handle to the open document by enumerating all possible handle values starting from 0x4 until it finds a file of the right size (0x24C00 bytes). It then reads the embedded payload through that handle and drops it in the temp folder.
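A triage step that follows from the two paragraphs above, added here as an example and not Trend Micro’s tooling: pull the hex-encoded data out of an RTF, look for the 0x7ffa4512 address in little-endian byte order, and carve any embedded PE image by checking that an MZ header’s e_lfanew field points at a PE signature. The sample RTF, the filler stub and the minimal PE image are constructed (the stub is padding around the address, not an exploit, and the group layout is illustrative); real samples frequently XOR-encode or split the payload, which this carver does not undo.

```python
import re
import struct

# 0x7ffa4512 written little-endian, the way it sits in an overwritten return address.
JMP_ESP_LE = bytes.fromhex("1245fa7f")

# RTF stores binary data as runs of hex digits, often broken by CR/LF; require a long run so
# ordinary control words such as \deff0 are not mistaken for data.
HEX_RUN_RE = re.compile(rb"(?:[0-9A-Fa-f]{2}\s*){32,}")


def hex_runs(rtf):
    """Yield (offset_in_file, decoded_bytes) for every long hex run in the RTF."""
    for m in HEX_RUN_RE.finditer(rtf):
        digits = re.sub(rb"\s+", b"", m.group(0))
        digits = digits[: len(digits) // 2 * 2]
        yield m.start(), bytes.fromhex(digits.decode("ascii"))


def carve_pe(blob):
    """Return (offset, image_bytes) for each 'MZ' whose e_lfanew points at a 'PE\\0\\0' signature."""
    found = []
    pos = blob.find(b"MZ")
    while pos != -1:
        if pos + 0x40 <= len(blob):
            e_lfanew = struct.unpack_from("<I", blob, pos + 0x3C)[0]
            sig = pos + e_lfanew
            if e_lfanew >= 0x40 and sig + 4 <= len(blob) and blob[sig:sig + 4] == b"PE\0\0":
                found.append((pos, blob[pos:]))
        pos = blob.find(b"MZ", pos + 1)
    return found


def scan_rtf(rtf):
    """Look for the jmp-esp address and embedded PE images in the raw bytes and in every decoded hex run."""
    report = {"jmp_esp_hits": [], "payloads": []}
    sources = [("raw", 0, rtf)] + [("hex", off, blob) for off, blob in hex_runs(rtf)]
    for kind, run_off, blob in sources:
        for hit in re.finditer(re.escape(JMP_ESP_LE), blob):
            report["jmp_esp_hits"].append((kind, run_off, hit.start()))
        for off, image in carve_pe(blob):
            report["payloads"].append({"source": kind, "run_offset": run_off, "offset": off,
                                       "size": len(image), "data": image})
    return report


def _fake_pe(size=0x80):
    """Minimal stand-in for a dropped executable: MZ header, e_lfanew=0x40, PE signature, zero body."""
    img = bytearray(size)
    img[0:2] = b"MZ"
    struct.pack_into("<I", img, 0x3C, 0x40)
    img[0x40:0x44] = b"PE\0\0"
    return bytes(img)


def _hexlines(data, width=64):
    h = data.hex().encode("ascii")
    return b"\r\n".join(h[i:i + width] for i in range(0, len(h), width))


FAKE_PE = _fake_pe()
STUB = b"\x90" * 32 + JMP_ESP_LE + b"\xcc" * 32  # filler around the address, not working shellcode

# Constructed RTF: a hex-encoded shape property carrying the stub and an embedded object carrying the PE.
SAMPLE_RTF = (
    b"{\\rtf1\\ansi\\deff0{\\fonttbl{\\f0 Times New Roman;}}\r\n"
    b"{\\sp{\\sn pFragments}{\\sv " + _hexlines(STUB) + b"}}\r\n"
    b"{\\object\\objemb{\\*\\objdata\r\n" + _hexlines(FAKE_PE) + b"\r\n}}\r\n"
    b"\\par We need food, we need work, we need freedom.\\par}\r\n"
)

if __name__ == "__main__":
    result = scan_rtf(SAMPLE_RTF)
    print("jmp esp hits:", result["jmp_esp_hits"])
    for p in result["payloads"]:
        print(f"PE in {p['source']} data at run offset {p['run_offset']}, {p['size']} bytes")
```

On a real sample, run it over the file as received and again over the document after Word has saved it, since the appended payload region is often outside the RTF group structure and survives only in the original bytes.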

 

After successful exploitation, a clean document is opened to avoid arousing suspicion; as mentioned at the beginning of this post, its content is about the “Jasmine Revolution”. Below are the slogans of the demonstration: we need food, we need work, we need housing, we need freedom, we need justice.

 


This attack is very much similar to one we saw in 2008, wherein documents — Excel and PowerPoint files — related to the Tibet conflict were used to disguise exploits.

Users who encounter emails similar to the one I described here are strongly advised to not open the attached document, and instead delete the message.

Post from: TrendLabs | Malware Blog – by Trend Micro


Posted in Trendmicro


Facebook Users Get Invited to a Spam Event

For some time now we have been reporting threats targeting Facebook users, most of which result in users unknowingly spreading spammy links to their networks. We have seen different social engineering lures such as stalker tracker tools, celebrity news, and even footage of the recent Japan tragedy.

These threats usually involve links with enticing text posted on affected users’ walls. Other users tricked into clicking the links unknowingly execute a script, which posts the very same spammy content.

Recently, however, we saw a different version of this scheme, which leverages a commonly used feature in Facebook—Events.

Instead of posting the spam links in users’ walls where it can easily get lost in the news feed, cybercriminals now use the Events feature to really grab their targets’ attention.

In this scheme, spammers create an event that will be enticing to many users. For example, we saw one event in a post that said “How to Find Out Who’s Viewing Your Profile.”


In the post’s More Info field, the spammer puts instructions that invited users must follow to be able to “view” or to “enjoy the service” the post promises—in this case, the ability to find out who viewed their profiles. You can see that most of the instructions contain ways to promote the event with the last step being to click a certain shortened link.

Needless to say, users tricked into following the given instructions end up promoting the spam event and making money for the spammer. Visiting the page the shortened link points to also executes a script that publishes the same link on the affected users’ walls.


This scheme seems to work fairly well for spammers, as we’ve seen spam events to which tens of thousands of users registered as attendees. We also observed that similar spam event posts are frequently updated by their posters, usually only modifying the provided links to avoid blockage.

As such, users are warned to ignore invitations of a similar nature. We are continuously monitoring for similar spam and blocking related URLs with the help of our Web Reputation Technology.

Post from: TrendLabs | Malware Blog – by Trend Micro


Posted in Facebook, Trendmicro


Twitter.com’s Top Tweets Link to Adult Dating Spam? #NSFW

Twitter.com has a verified account called @TopTweets that:

“…algorithmically selects and retweets some of the most interesting tweets spreading across Twitter. Enjoy!”

http://twitter.com/toptweets

Enjoy, eh?

Well, it looks as if an adult dating spammer is gaming the system (or else Twitter really needs to tweak its top tweets algorithm):


@TopTweets recently retweeted this tweet from @CamGirlTrenity:


But more surprisingly, @TopTweets also retweeted this tweet from @SkypeCamGirls already on Saturday:


Guess nobody reported the spam over the weekend.

Hopefully Twitter will look into this soon as @TopTweets has over one million followers and we seriously doubt that they want to be exposed to sites such as getiton.com and camsexroulette.net.

Fortunately however, the links are obviously “not safe for work” (#nsfw) and relatively few people have clicked them. So perhaps most folks have just a bit more common sense than many so-called experts give them credit for?

Updated to add: Nice! Twitter has suspended both @CamGirlTrenity and @SkypeCamGirls (among others…).

Today’s tweet is no longer in the @TopTweets feed and we expect that Saturday’s will soon be purged as well.


On 28/03/11 At 03:29 PM

Posted in F-Secure

Spam or Phishing?

We always point out that phishing is just another form of spam, since nobody wants those emails either. But what happens if a spam mail contains a spoofed URL that redirects you to a fake website? Isn’t that then a regular phishing mail?

In my opinion yes, this is phishing, and it isn’t really new. For years we have seen phishing targeting Amazon and other big web shops. We are used to seeing the Rolex brand in spam advertising fake watches on obscure websites. This time the spammers went a step further and sent a phishing email abusing the Rolex name.

Unfortunately, the website was already down when we tried to analyze it. As usual, we recommend deleting such emails, never visiting the advertised websites (they may also serve malware) and never buying anything from such questionable sites.

Sorin Mustaca
Data Security Expert

Posted in Avira

Many University websites used for spam

In January, I wrote about many high profile websites, mostly universities, that were hijacked to redirect to fake stores. Many have since been cleaned up, but a few of these University websites are still redirecting users to new fake stores (adobe-discount.com, terrific-software.com, successful-software.net, mmpsoftstore.com, successful-software.com, successful-downloads.com, general-oem.com, etc.)

In the past 2 weeks, I’ve seen a significant amount of spam hosted on University websites. Spammers seem to be using compromised user accounts on wiki-like services to upload spam for Viagra, banking loans, online casinos, etc.

Fake pharmacy page hosted on the UCSF website

The list of Universities hosting such spam include:

  • MIT (hxxp://nola.mit.edu/~cil/nolawiki/images/7/70/Amortizing-loan-calculator.pdf)
  • Cornell (hxxps://confluence.cornell.edu/download/attachments/140416416/tab15.html)
  • UCSF (hxxp://dingo.ucsf.edu/twiki/pub/People/EricAadnes/tab7.html)
  • University of Pennsylvania (hxxp://george.isc-seo.upenn.edu/ocladmin/ocl/uploads/204599.txt)
  • University of Massachusetts (hxxp://xserv1.umb.edu/groups/podcasts/wiki/ce448/attachments/cec02/xs57.html)
  • Colorado State (hxxp://writing.colostate.edu/files/personal/108957/File_0FFC8EF8-EC2C-2238-F165D3DC0AA636A9.txt)
  • Oregon State (hxxp://foodfororegon.oregonstate.edu/sites/default/files/imagecache/al65.html)
  • OSU (hxxps://carmenwiki.osu.edu/download/attachments/16256437/tad44.html, down)
  • WUSTL (hxxp://cssa.grad.wustl.edu/sites/cssa.grad.wustl.edu/files/imce/user1208/ed60.pdf)
  • Eastern University (hxxp://ccgps.eastern.edu/members/dstore/member-blog.blog2/items/Cialis-Viagra-Online)
  • University of Washington (hxxp://modular.math.washington.edu:9001/role?action=AttachFile&do=get&target=sl45)
  • Oklahoma State (hxxp://asdevelopment.okstate.edu/logs/x.php?wy334=287)
  • Tufts University (hxxps://wikis.uit.tufts.edu/confluence/download/attachments/29761132/ced46.html)
  • National University of Singapore (hxxp://wiki.nus.edu/download/attachments/76947595/doc11.html)
  • and many others

There are thousands of these spam pages. They are used mainly in e-mail spam campaigns, hidden by a URL shortener.

The university and the fraternity I attended are amongst the victims as well: hxxp://alumni.iit.edu/s/946/forms/757/100824/game31.html, hxxp://pkp.iit.edu/bog/l.php?n249=300

University websites are becoming a preferred vector for different types of spam. The vast number of sub-domains, each of them likely managed by a different group which may not have professional IT/Security skills, make them an easy target.

– Julien

Posted in Security

Spam from Canadian pharmacy masked as “Delivery Notification”

MX Lab, http://www.mxlab.eu, started to intercept a new spam campaign by email with the subject ”Delivery Notification”. What appears at first as a simple email notification is in fact a spam campaign for the Canadian Pharmacy.

The message is sent from spoofed email addresses like:

Notification-15955 <lwnfc@vowyg2kynvx4.veridomlegal.net>
Notification-07997 <cwujg@fgoorlgaxle7.veridomlegal.net>

The body of the email only contains a link to a web site:

http://www-48023.outdomnovolume.net

http://www-35051.outdomnovolume.net

….

The five digits in the host name change with every email, but every link leads to the Canadian Pharmacy web site:

The domain outdomnovolume.net was registered only a few days ago; WHOIS shows the following details:

Domain name: outdomnovolume.net

Registrant Contact:
   Xicheng
   Zhongguancun Si Zhongguancun@yahoo.com
   01066569226 fax: 01066569226
   Huixindongjie
   Beijing Chaoyang 101400
   cn

Administrative Contact:
   Zhongguancun Si Zhongguancun@yahoo.com
   01066569226 fax: 01066569226
   Huixindongjie
   Beijing Chaoyang 101400
   cn

Technical Contact:
   Zhongguancun Si Zhongguancun@yahoo.com
   01066569226 fax: 01066569226
   Huixindongjie
   Beijing Chaoyang 101400
   cn

Billing Contact:
   Zhongguancun Si Zhongguancun@yahoo.com
   01066569226 fax: 01066569226
   Huixindongjie
   Beijing Chaoyang 101400
   cn

DNS:
ns1.dnsfopiq.com
ns2.dnstow.ru

Created: 2011-03-19
Expires: 2012-03-19
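As an added example (not MX Lab's code), the following Python script triages a campaign like this one: it parses a WHOIS record in the layout quoted above, computes how old the domain was on the day the spam was seen, and recognises the rotating www-NNNNN host names used in the links. The WHOIS text is a constructed sample that copies the values above; the observation date 2011-03-22 and the 30-day "newly registered" threshold are assumptions.

```python
"""WHOIS-age triage for rotating-host spam links (added example, not MX Lab's code)."""
import re
from datetime import date

# Constructed WHOIS excerpt; field values copied from the post.
SAMPLE_WHOIS = """\
Domain name: outdomnovolume.net

DNS:
ns1.dnsfopiq.com
ns2.dnstow.ru

Created: 2011-03-19
Expires: 2012-03-19
"""

# Spam links used www-<5 digits>.<domain>; the digits rotate per message.
ROTATING_HOST = re.compile(
    r"^https?://www-(\d{5})\.([a-z0-9-]+(?:\.[a-z0-9-]+)+)/?$", re.IGNORECASE
)


def _as_date(value):
    """Accept either a date or an ISO 'YYYY-MM-DD' string."""
    return date.fromisoformat(value) if isinstance(value, str) else value


def parse_whois(text):
    """Pull out the fields a triage needs: domain, creation date, nameservers."""
    record = {"domain": None, "created": None, "nameservers": []}
    in_dns = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            in_dns = False  # a blank line ends the DNS block
            continue
        key, _, value = line.partition(":")
        key = key.strip().lower()
        if key == "domain name":
            record["domain"] = value.strip().lower()
        elif key == "created":
            record["created"] = date.fromisoformat(value.strip())
        elif key == "dns" and not value:
            in_dns = True
        elif in_dns:
            record["nameservers"].append(line.lower())
    return record


def domain_age_days(record, observed):
    """Days between registration and the day the spam was observed."""
    return (_as_date(observed) - record["created"]).days


def is_newly_registered(record, observed, max_age_days=30):
    """Assumed threshold: anything registered within 30 days is 'fresh'."""
    return domain_age_days(record, observed) <= max_age_days


def campaign_domain(url):
    """Domain behind a rotating www-NNNNN host, or None for any other URL shape."""
    m = ROTATING_HOST.match(url.strip())
    return m.group(2).lower() if m else None


def triage(urls, whois_text, observed):
    """Return the parsed record and the URLs pointing at a freshly registered campaign domain."""
    record = parse_whois(whois_text)
    fresh = is_newly_registered(record, observed)
    hits = [u for u in urls if fresh and campaign_domain(u) == record["domain"]]
    return record, hits


if __name__ == "__main__":
    links = ["http://www-48023.outdomnovolume.net", "http://www-35051.outdomnovolume.net"]
    rec, flagged = triage(links, SAMPLE_WHOIS, "2011-03-22")
    print(f"{rec['domain']} registered {domain_age_days(rec, '2011-03-22')} days before observation")
    for u in flagged:
        print("flag:", u)
```

The two signals reinforce each other: a domain only days old is weak evidence alone, but combined with host names that differ only in a rotating numeric prefix it is a strong campaign marker worth a mail-filter rule.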

 

Posted in Security | Comments Off

Large spam campaign “Unread messages” from Twitter leads to pharmacy sites

MX Lab, http://www.mxlab.eu, started to intercept a large spam campaign with the subject “Twitter – You have X unread message(s)”, where X is a number from 1 to 3, that leads to the U.S. Drugs web site. This campaign is slightly different from the previous one at the end of February 2011, but leads to the same pharmacy site.

The campaign is sent from the spoofed email address “Twitter <twitter-message-RECIPIENT=DOMAIN@postmaster.twitter.com>”, where the recipient’s own email address is embedded in the From address.

An example of the email:

The final destination of the URL:

More information regarding this site can be found at http://spamtrackers.eu/wiki/index.php/US_Drugs.
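The From pattern above, where the spoofed sender rebuilds the recipient's own address into its local part, is a useful campaign signature. The Python below is an added example, not MX Lab's code: it parses a message in that shape, checks whether the From local part echoes the To address, and matches the subject template. The message, addresses and unread count in the sample are constructed.

```python
"""Header check for the "Twitter - You have X unread message(s)" spam (added example)."""
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample message in the shape the post describes.
SAMPLE_MESSAGE = """\
From: Twitter <twitter-message-alice=example.org@postmaster.twitter.com>
To: alice@example.org
Subject: Twitter - You have 2 unread message(s)

You have unread messages waiting.
"""

# Local part of the spoofed sender: twitter-message-<user>=<domain>
LOCAL_PART = re.compile(r"^twitter-message-(?P<user>[^=@]+)=(?P<domain>[^@]+)$", re.I)
# Subject template; accepts a hyphen or an en dash after "Twitter".
SUBJECT = re.compile(r"^Twitter\s*[-–]\s*You have (?P<n>\d+) unread message\(s\)$")


def recipient_encoded_in_sender(from_header, to_header):
    """True when the From local part rebuilds the To address."""
    _, from_addr = parseaddr(from_header)
    _, to_addr = parseaddr(to_header)
    local, _, _ = from_addr.partition("@")
    m = LOCAL_PART.match(local)
    if not m:
        return False
    rebuilt = f"{m.group('user')}@{m.group('domain')}"
    return rebuilt.lower() == to_addr.lower()


def unread_count(subject):
    """The X in the campaign subject, or None if the subject is something else."""
    m = SUBJECT.match(subject.strip())
    return int(m.group("n")) if m else None


def classify(raw_message):
    """Return the reasons a message matches this campaign (empty list = no match)."""
    msg = message_from_string(raw_message)
    reasons = []
    if recipient_encoded_in_sender(msg.get("From", ""), msg.get("To", "")):
        reasons.append("recipient address echoed in From local part")
    n = unread_count(msg.get("Subject", ""))
    if n is not None and 1 <= n <= 3:
        reasons.append(f"subject matches campaign template (X={n})")
    return reasons


if __name__ == "__main__":
    for reason in classify(SAMPLE_MESSAGE):
        print("match:", reason)
```

Either signal on its own is circumstantial; both together, on mail whose envelope fails ordinary sender checks, is a good basis for a quarantine rule.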

Posted in Security | Comments Off

Malicious Spam Campaign Preys on Japanese Disaster

There is a large-scale malicious spam campaign going on currently. The spam comes in a few different types, one of which imitates a Twitter notification. The subjects vary but, sadly, many focus on the recent events in Japan.

 

The links, visible in the image above or in the raw HTML, are distinctive:

http://lowercase_gibberish.(com|org|net)/base64string

The links lead to a page hosting obfuscated malicious JavaScript, which seeks to exploit a Java vulnerability. Our host was immediately compromised and botted (added to a botnet), and some not-so-subtle fake anti-virus malware was installed, complete with a scary desktop warning:
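As an added example, not the original author's code, the Python below turns the link shape above into a small classifier: an all-lowercase-letter host label directly under com/org/net and a single path segment that decodes as base64. It generalises the page's pattern into a heuristic for prioritising review rather than a blocking rule, and the sample hosts and blobs are constructed, not indicators from the post.

```python
"""Shape classifier for http://lowercase_gibberish.(com|org|net)/base64string links (added example)."""
import base64
import binascii
import re
from urllib.parse import urlsplit

# One lowercase-letter label (6+ chars) directly under com/org/net.
HOST = re.compile(r"^[a-z]{6,}\.(?:com|org|net)$")
B64_CHARS = re.compile(r"^[A-Za-z0-9+/]+={0,2}$")


def looks_base64(segment):
    """True if the segment is a plausible base64 blob (padded or unpadded)."""
    # Length == 1 mod 4 can never be valid base64; short blobs are too noisy.
    if len(segment) < 8 or len(segment) % 4 == 1 or not B64_CHARS.match(segment):
        return False
    padded = segment + "=" * (-len(segment) % 4)
    try:
        base64.b64decode(padded, validate=True)
    except (binascii.Error, ValueError):
        return False
    return True


def matches_campaign_shape(url):
    """Apply the host and path rules to one URL."""
    parts = urlsplit(url.strip())
    if parts.scheme not in ("http", "https") or parts.query or parts.fragment:
        return False
    if not HOST.match(parts.netloc.lower()):
        return False
    segments = [s for s in parts.path.split("/") if s]
    return len(segments) == 1 and looks_base64(segments[0])


# Constructed sample: two links shaped like the campaign, two ordinary ones.
SAMPLE_LINKS = [
    "http://qzvkplmtw.com/aHR0cDovL2V4YW1wbGUuY29t",
    "http://xbrtnqsa.net/dmljdGltQGV4YW1wbGUub3Jn",
    "https://twitter.com/notifications",
    "http://example.com/index.html",
]


def flag_links(links):
    """Return the links worth a closer look."""
    return [u for u in links if matches_campaign_shape(u)]


if __name__ == "__main__":
    for u in flag_links(SAMPLE_LINKS):
        print("suspicious shape:", u)
```

Expect false positives from legitimate sites whose single path segment happens to be base64-clean (a short word like "/abcdefgh" would pass), which is why the result should feed a review queue rather than a block list.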

The spam is originating from one of the Cutwail spambot variants. We managed to get this template from Cutwail command and control traffic, which clearly shows the Twitter template being used.

We are still investigating the nature of the malicious landing page and subsequent infection.

With the rise of social networking, we have been seeing increased use of fake ‘notifications’ by spammers. As ever, remain on guard, especially when it comes to Twitter ‘notifications’.

Posted in Security | Comments Off

Federal Reserve Spam

Last week the big malware-spreading spam claimed to be from NACHA and warned about problems with an ACH money transfer. The same bad guys are at it again, this week pretending to be the Federal Reserve bank.

The UAB Spam Data Mine has received more than 3500 copies of the spam email messages, primarily using the subject lines:

Wire Transfer #12976271232523 (a random number on each email)
Wire transfer 0430972006146 was canceled (a random number on each email)
Wire transfer was canceled
Wire transfer was rejected
Your Wire fund transfer
Your Wire Transfer
Your Wire Transfer #2491786220489 (a random number on each email)
Your Wire Transfer, ID544349843700 (a random number on each email)

The sender of each message was one of five addresses:

alert@federalreserve.gov
alerts@federalreserve.gov
fedwire@federalreserve.gov
info@federalreserve.gov
information@federalreserve.gov
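A first triage step for a campaign like this is to collapse the random numbers so that each subject template is counted once and tied to the sender domain. The Python below is an added example, not the UAB Spam Data Mine's code; its sample messages are constructed from the subject templates and sender addresses listed above, with made-up numbers.

```python
"""Cluster spam by normalised subject template and sender domain (added example)."""
import re
from collections import Counter

# Constructed sample: the page's subject templates with made-up random numbers,
# paired with the five sender addresses the post lists.
SAMPLE_MESSAGES = [
    ("Wire Transfer #12976271232523", "alert@federalreserve.gov"),
    ("Wire Transfer #88120045367190", "fedwire@federalreserve.gov"),
    ("Wire transfer 0430972006146 was canceled", "alerts@federalreserve.gov"),
    ("Wire transfer 0991827364550 was canceled", "info@federalreserve.gov"),
    ("Wire transfer was canceled", "information@federalreserve.gov"),
    ("Wire transfer was rejected", "alert@federalreserve.gov"),
    ("Your Wire fund transfer", "info@federalreserve.gov"),
    ("Your Wire Transfer", "fedwire@federalreserve.gov"),
    ("Your Wire Transfer #2491786220489", "alerts@federalreserve.gov"),
    ("Your Wire Transfer, ID544349843700", "alert@federalreserve.gov"),
    ("Your Wire Transfer, ID000011112222", "information@federalreserve.gov"),
]

DIGIT_RUN = re.compile(r"\d{4,}")


def normalise_subject(subject):
    """Replace runs of four or more digits with <N>; keep case, squeeze spaces."""
    collapsed = DIGIT_RUN.sub("<N>", subject.strip())
    return re.sub(r"\s+", " ", collapsed)


def sender_domain(address):
    """Domain part of an address, lower-cased."""
    return address.rsplit("@", 1)[-1].lower()


def cluster(messages):
    """Count messages per (subject template, sender domain) campaign key."""
    return Counter((normalise_subject(s), sender_domain(f)) for s, f in messages)


def templates(messages):
    """Distinct subject templates, most frequent first, then alphabetical."""
    counts = Counter(normalise_subject(s) for s, _ in messages)
    return [t for t, _ in sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))]


if __name__ == "__main__":
    for (template, domain), n in cluster(SAMPLE_MESSAGES).most_common():
        print(f"{n:3d}  {domain:22s}  {template}")
```

Case is deliberately preserved: the page lists "Wire Transfer" and "Wire transfer" as separate templates, and a spammer's capitalisation quirks are part of the fingerprint.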

As before, someone with a Yahoo email address had their account used on GoDaddy to register “.info” domains to be used in this campaign. This time, we have spam samples for 487 of them.

Both GoDaddy and Afilias have excellent abuse teams, and the domains in question were quickly terminated.

count | machine
——-+———————————-
8 | A-WIREBLOG.INFO
8 | AWIRE.INFO
5 | A-WIRENOW.INFO
6 | A-WIREONLINE.INFO
11 | A-WIRESHOP.INFO
4 | A-WIRESITE.INFO
7 | A-WIRESTORE.INFO
8 | A-WIRETODAY.INFO
4 | BESTA-WIRE.INFO
10 | BESTD-WIRE.INFO
9 | BESTFEDERALWIRE.INFO
6 | BESTFEDWIRE-B.INFO
2 | BESTFEDWIRE-E.INFO
8 | BESTFEDWIRE-M.INFO
8 | BESTFEDWIRE-N.INFO
9 | BESTFEDWIRE-O.INFO
5 | BESTFEDWIRE-Q.INFO
10 | BESTFEDWIRE-R.INFO
4 | BESTFEDWIRE-T.INFO
14 | BESTFEDWIRE-U.INFO
7 | BESTFEDWIRE-Y.INFO
9 | BESTI-WIRE.INFO
5 | BESTP-WIRE.INFO
6 | BESTU-WIRE.INFO
8 | BESTWIREORGANISATION.INFO
4 | BESTWIREREPORTTRANSFER.INFO
5 | BESTWIRETRANSFERMONEY.INFO
6 | BESTX-WIRE.INFO
4 | BESTZ-ACH.INFO
7 | BESTZ-WIRE.INFO
11 | COPPER-WIRE-ORGANISATION.INFO
6 | COPPERWIREORGANISATION.INFO
8 | COPPER-WIRE-REPORT-TRANSFER.INFO
8 | COPPERWIREREPORTTRANSFER.INFO
5 | COPPERWIRETRANSFERMONEY.INFO
3 | CUSTOMWIREORGANISATION.INFO
13 | D-WIREBLOG.INFO
7 | DWIRECABLE.INFO
10 | DWIRECLOTH.INFO
10 | DWIREDIAMETER.INFO
8 | D-WIRE-FENCE.INFO
5 | DWIREFENCE.INFO
8 | DWIREFORMING.INFO
5 | D-WIRE.INFO
7 | DWIREMANUFACTURER.INFO
12 | D-WIRENOW.INFO
7 | D-WIREONLINE.INFO
3 | DWIRESHELF.INFO
9 | D-WIRESHOP.INFO
11 | D-WIRES.INFO
9 | D-WIRESITE.INFO
10 | D-WIRESTORE.INFO
9 | DWIRESUPPLIERS.INFO
6 | DWIRETECH.INFO
8 | D-WIRETODAY.INFO
7 | ELECTRICALWIRETRANSFERMONEY.INFO
9 | FEDERALWIREBLOG.INFO
8 | FEDERALWIRECABLE.INFO
7 | FEDERALWIRECLOTH.INFO
8 | FEDERALWIREDIAMETER.INFO
8 | FEDERAL-WIRE-FENCE.INFO
6 | FEDERALWIREFENCE.INFO
9 | FEDERALWIREFORMING.INFO
9 | FEDERAL-WIRE.INFO
6 | FEDERALWIRE.INFO
7 | FEDERALWIRENOW.INFO
5 | FEDERALWIREONLINE.INFO
6 | FEDERALWIRESHELF.INFO
6 | FEDERALWIRESHOP.INFO
6 | FEDERALWIRES.INFO
5 | FEDERALWIRESITE.INFO
8 | FEDERALWIRESIZES.INFO
8 | FEDERALWIRESTORE.INFO
9 | FEDERALWIRETECH.INFO
9 | FEDERALWIRETODAY.INFO
8 | FEDWIREANDBLUE.INFO
8 | FEDWIREANDSAVE.INFO
8 | FEDWIREANDSILVER.INFO
4 | FEDWIREANDSONS.INFO
12 | FEDWIREANDSOUL.INFO
2 | FEDWIREANDSTYLE.INFO
7 | FEDWIREANDTRAVEL.INFO
10 | FEDWIRE-BBLOG.INFO
8 | FEDWIRE-BE-CONNECTED.INFO
6 | FEDWIREBECONNECTED.INFO
10 | FEDWIRE-BE-COOL.INFO
7 | FEDWIREBECOOL.INFO
11 | FEDWIRE-BE.INFO
10 | FEDWIREBE.INFO
7 | FEDWIRE-B.INFO
8 | FEDWIREB.INFO
6 | FEDWIRE-BNOW.INFO
7 | FEDWIRE-BONLINE.INFO
8 | FEDWIRE-B-RICH.INFO
7 | FEDWIREBRICH.INFO
7 | FEDWIRE-BSHOP.INFO
3 | FEDWIRE-BS.INFO
7 | FEDWIRE-BSITE.INFO
6 | FEDWIRE-BSTORE.INFO
8 | FEDWIRE-BTODAY.INFO
5 | FEDWIRE-EBLOG.INFO
6 | FEDWIRE-E.INFO
8 | FEDWIREE.INFO
5 | FEDWIRE-E-MINOR.INFO
7 | FEDWIREEMINOR.INFO
6 | FEDWIRE-ENOW.INFO
9 | FEDWIRE-EONLINE.INFO
4 | FEDWIRE-ESHOP.INFO
9 | FEDWIRE-ES.INFO
10 | FEDWIRE-ESITE.INFO
5 | FEDWIRE-ESTORE.INFO
4 | FEDWIRE-ETODAY.INFO
11 | FEDWIRE-M-BASKETBALL.INFO
6 | FEDWIREMBASKETBALL.INFO
10 | FEDWIRE-MBLOG.INFO
4 | FEDWIRE-M.INFO
12 | FEDWIREM.INFO
13 | FEDWIRE-MNOW.INFO
4 | FEDWIRE-MONLINE.INFO
7 | FEDWIRE-MSHOP.INFO
3 | FEDWIRE-MS.INFO
3 | FEDWIRE-MSITE.INFO
3 | FEDWIRE-MSTORE.INFO
12 | FEDWIRE-MTODAY.INFO
6 | FEDWIRE-M-WARD.INFO
7 | FEDWIREMWARD.INFO
12 | FEDWIRE-NBLOG.INFO
9 | FEDWIRE-N.INFO
3 | FEDWIREN.INFO
5 | FEDWIRE-NNOW.INFO
4 | FEDWIRE-NONLINE.INFO
4 | FEDWIRE-N-SCALE.INFO
16 | FEDWIRENSCALE.INFO
6 | FEDWIRE-NSHOP.INFO
3 | FEDWIRE-NS.INFO
5 | FEDWIRE-NSITE.INFO
4 | FEDWIRE-NSTORE.INFO
11 | FEDWIRE-NTODAY.INFO
6 | FEDWIRE-OBLOG.INFO
5 | FEDWIRE-O-HENRY.INFO
7 | FEDWIREOHENRY.INFO
8 | FEDWIRE-O.INFO
5 | FEDWIREO.INFO
6 | FEDWIRE-ONOW.INFO
13 | FEDWIRE-OONLINE.INFO
11 | FEDWIRE-OSHOP.INFO
9 | FEDWIRE-OS.INFO
11 | FEDWIRE-OSITE.INFO
4 | FEDWIRE-OSTORE.INFO
8 | FEDWIRE-O-TICKET.INFO
5 | FEDWIREOTICKET.INFO
7 | FEDWIRE-OTODAY.INFO
9 | FEDWIRE-Q-AUDIO.INFO
5 | FEDWIREQAUDIO.INFO
9 | FEDWIRE-Q-AWARDS.INFO
10 | FEDWIREQAWARDS.INFO
7 | FEDWIRE-QBLOG.INFO
9 | FEDWIRE-Q-CELL.INFO
5 | FEDWIREQCELL.INFO
9 | FEDWIRE-Q-FEVER.INFO
9 | FEDWIREQFEVER.INFO
6 | FEDWIRE-Q.INFO
5 | FEDWIRE-Q-MAGAZINE.INFO
6 | FEDWIREQMAGAZINE.INFO
8 | FEDWIRE-QNOW.INFO
5 | FEDWIRE-QONLINE.INFO
8 | FEDWIRE-QSHOP.INFO
9 | FEDWIRE-QS.INFO
5 | FEDWIRE-QSITE.INFO
6 | FEDWIRE-QSTORE.INFO
12 | FEDWIRE-QTODAY.INFO
5 | FEDWIRE-RBLOG.INFO
5 | FEDWIRE-R.INFO
5 | FEDWIRER.INFO
8 | FEDWIRE-R-KELLY.INFO
3 | FEDWIRERKELLY.INFO
13 | FEDWIRE-RNOW.INFO
7 | FEDWIRE-RONLINE.INFO
3 | FEDWIRE-RSHOP.INFO
11 | FEDWIRE-RS.INFO
7 | FEDWIRE-RSITE.INFO
8 | FEDWIRE-RSTORE.INFO
5 | FEDWIRE-RTODAY.INFO
7 | FEDWIRE-TBLOG.INFO
6 | FEDWIRE-T-CELLS.INFO
12 | FEDWIRETCELLS.INFO
7 | FEDWIRE-T.INFO
9 | FEDWIRET.INFO
8 | FEDWIRE-T-MAGAZINE.INFO
6 | FEDWIRETMAGAZINE.INFO
4 | FEDWIRE-TNOW.INFO
9 | FEDWIRE-TONLINE.INFO
6 | FEDWIRE-T-PAIN.INFO
8 | FEDWIRETPAIN.INFO
8 | FEDWIRE-TSHOP.INFO
6 | FEDWIRE-TS.INFO
5 | FEDWIRE-TSITE.INFO
5 | FEDWIRE-TSTORE.INFO
14 | FEDWIRE-TTODAY.INFO
4 | FEDWIRE-UBLOG.INFO
11 | FEDWIRE-U.INFO
9 | FEDWIREU.INFO
12 | FEDWIRE-UNOW.INFO
12 | FEDWIRE-UONLINE.INFO
10 | FEDWIRE-USHOP.INFO
10 | FEDWIRE-US.INFO
5 | FEDWIRE-USITE.INFO
10 | FEDWIRE-USTORE.INFO
3 | FEDWIRE-UTODAY.INFO
7 | FEDWIRE-YBLOG.INFO
6 | FEDWIRE-Y-CAMP.INFO
7 | FEDWIREYCAMP.INFO
10 | FEDWIRE-Y.INFO
9 | FEDWIREY.INFO
6 | FEDWIRE-YNOW.INFO
7 | FEDWIRE-YONLINE.INFO
7 | FEDWIRE-YOU-CANT.INFO
8 | FEDWIREYOUCANT.INFO
6 | FEDWIRE-YOU.INFO
9 | FEDWIREYOU.INFO
9 | FEDWIRE-YOU-ROCK.INFO
10 | FEDWIREYOUROCK.INFO
2 | FEDWIRE-YOU-SAVE.INFO
4 | FEDWIREYOUSAVE.INFO
12 | FEDWIREYOUTUBE.INFO
5 | FEDWIRE-YSHOP.INFO
5 | FEDWIRE-YS.INFO
7 | FEDWIRE-YSITE.INFO
7 | FEDWIRE-YSTORE.INFO
8 | FEDWIRE-YTODAY.INFO
4 | FREEA-WIRE.INFO
7 | FREED-WIRE.INFO
9 | FREEFEDERALWIRE.INFO
8 | FREEFEDWIRE-B.INFO
7 | FREEFEDWIRE-E.INFO
9 | FREEFEDWIRE-M.INFO
5 | FREEFEDWIRE-N.INFO
7 | FREEFEDWIRE-O.INFO
2 | FREEFEDWIRE-Q.INFO
5 | FREEFEDWIRE-R.INFO
8 | FREEFEDWIRE-T.INFO
13 | FREEFEDWIRE-U.INFO
14 | FREEFEDWIRE-Y.INFO
7 | FREEI-WIRE.INFO
5 | FREEP-WIRE.INFO
8 | FREEU-WIRE.INFO
5 | FREEWIREORGANISATION.INFO
9 | FREEWIREREPORTTRANSFER.INFO
4 | FREEWIRETRANSFERMONEY.INFO
8 | FREEX-WIRE.INFO
7 | FREEZ-ACH.INFO
6 | FREEZ-WIRE.INFO
5 | GAUGEWIREORGANISATION.INFO
5 | GAUGEWIRETRANSFERMONEY.INFO
7 | I-MOBILE-WIRE.INFO
8 | IMOBILEWIRE.INFO
5 | IRONWIREORGANISATION.INFO
5 | IRONWIREREPORTTRANSFER.INFO
7 | IRONWIRETRANSFERMONEY.INFO
6 | I-WIREBLOG.INFO
10 | IWIREHOMES.INFO
8 | I-WIRE.INFO
7 | I-WIRE-INTERACTIVE.INFO
5 | IWIREINTERACTIVE.INFO
10 | IWIRENETWORKS.INFO
10 | I-WIRENOW.INFO
11 | I-WIREONLINE.INFO
7 | I-WIRESHOP.INFO
2 | I-WIRES.INFO
7 | I-WIRESITE.INFO
8 | I-WIRESTORE.INFO
14 | I-WIRE-TECH.INFO
5 | IWIRETECH.INFO
11 | I-WIRETODAY.INFO
7 | METALWIREORGANISATION.INFO
6 | METALWIREREPORTTRANSFER.INFO
6 | METALWIRETRANSFERMONEY.INFO
6 | MYA-WIRE.INFO
3 | MYD-WIRE.INFO
8 | MYFEDERALWIRE.INFO
12 | MYFEDWIRE-B.INFO
5 | MYFEDWIRE-E.INFO
13 | MYFEDWIRE-M.INFO
8 | MYFEDWIRE-N.INFO
10 | MYFEDWIRE-O.INFO
4 | MYFEDWIRE-Q.INFO
11 | MYFEDWIRE-R.INFO
11 | MYFEDWIRE-T.INFO
10 | MYFEDWIRE-U.INFO
11 | MYFEDWIRE-Y.INFO
7 | MYI-WIRE.INFO
6 | MYP-WIRE.INFO
5 | MYU-WIRE.INFO
12 | MYWIREORGANISATION.INFO
7 | MYWIREREPORTTRANSFER.INFO
9 | MYWIRETRANSFERMONEY.INFO
5 | MYX-WIRE.INFO
9 | MYZ-ACH.INFO
7 | MYZ-WIRE.INFO
4 | NEWA-WIRE.INFO
6 | NEWD-WIRE.INFO
5 | NEWFEDERALWIRE.INFO
12 | NEWFEDWIRE-B.INFO
5 | NEWFEDWIRE-E.INFO
12 | NEWFEDWIRE-M.INFO
7 | NEWFEDWIRE-N.INFO
7 | NEWFEDWIRE-O.INFO
8 | NEWFEDWIRE-Q.INFO
10 | NEWFEDWIRE-R.INFO
5 | NEWFEDWIRE-T.INFO
11 | NEWFEDWIRE-U.INFO
5 | NEWFEDWIRE-Y.INFO
6 | NEWI-WIRE.INFO
7 | NEWP-WIRE.INFO
18 | NEWU-WIRE.INFO
12 | NEWWIREORGANISATION.INFO
9 | NEWWIREREPORTTRANSFER.INFO
8 | NEWWIRETRANSFERMONEY.INFO
3 | NEWX-WIRE.INFO
6 | NEWZ-ACH.INFO
10 | NEWZ-WIRE.INFO
11 | PRECISIONWIREORGANISATION.INFO
3 | P-WIREBLOG.INFO
10 | PWIRECABLE.INFO
8 | PWIRECLOTH.INFO
4 | PWIREDIAMETER.INFO
8 | P-WIRE-FENCE.INFO
3 | PWIREFENCE.INFO
7 | PWIREFORMING.INFO
2 | P-WIRE.INFO
11 | PWIRE.INFO
9 | PWIREMANUFACTURER.INFO
8 | P-WIRENOW.INFO
9 | P-WIREONLINE.INFO
7 | PWIRESHELF.INFO
6 | P-WIRESHOP.INFO
7 | P-WIRES.INFO
12 | P-WIRESITE.INFO
7 | P-WIRESTORE.INFO
6 | PWIRESUPPLIERS.INFO
4 | P-WIRETODAY.INFO
6 | RESISTANCEWIRETRANSFERMONEY.INFO
7 | RIDINGTHEWIRE.INFO
12 | ROME-X-WIRE.INFO
9 | SILVERWIRETRANSFERMONEY.INFO
10 | SPOT-I-WIRE.INFO
11 | SPOTIWIRE.INFO
4 | STEEL-WIRE-ORGANISATION.INFO
9 | STEELWIREORGANISATION.INFO
3 | STEEL-WIRE-REPORT-TRANSFER.INFO
9 | STEELWIREREPORTTRANSFER.INFO
5 | STEELWIRETRANSFERMONEY.INFO
7 | THEA-WIRE.INFO
7 | THEDETROITWIRE.INFO
7 | THED-WIRE.INFO
3 | THEFEDERALWIRE.INFO
11 | THEFEDWIRE-B.INFO
5 | THEFEDWIRE-E.INFO
8 | THEFEDWIRE-M.INFO
7 | THEFEDWIRE-N.INFO
5 | THEFEDWIRE-O.INFO
7 | THEFEDWIRE-Q.INFO
6 | THEFEDWIRE-R.INFO
9 | THEFEDWIRE-T.INFO
3 | THEFEDWIRE-U.INFO
12 | THEFEDWIRE-Y.INFO
9 | THEI-WIRE.INFO
7 | THEP-WIRE.INFO
4 | THERIDEWIRE.INFO
2 | THEU-WIRE.INFO
11 | THEWIREDOGS.INFO
6 | THEWIREGUYS.INFO
6 | THE-WIRE.INFO
5 | THEWIREORGANISATION.INFO
14 | THEWIREREPORTTRANSFER.INFO
1 | THEWIRETRANSFERMONEY.INFO
10 | THEX-WIRE.INFO
10 | THEZ-ACH.INFO
6 | THEZ-WIRE.INFO
6 | TRAVEL-A-WIRE.INFO
10 | TRAVELAWIRE.INFO
12 | U-WIREBLOG.INFO
7 | UWIRECABLE.INFO
11 | UWIRECLOTH.INFO
9 | UWIREDIAMETER.INFO
7 | U-WIRE-FENCE.INFO
9 | UWIREFENCE.INFO
9 | UWIREFORMING.INFO
9 | U-WIRE.INFO
9 | UWIREMANUFACTURER.INFO
4 | U-WIRENOW.INFO
8 | U-WIREONLINE.INFO
9 | UWIRESHELF.INFO
7 | U-WIRESHOP.INFO
8 | U-WIRES.INFO
8 | U-WIRESITE.INFO
8 | U-WIRESTORE.INFO
5 | UWIRESUPPLIERS.INFO
6 | UWIRETECH.INFO
3 | U-WIRETODAY.INFO
6 | WALKINGTHEWIRE.INFO
12 | WIREORGANISATIONBLOG.INFO
10 | WIRE-ORGANISATION.INFO
5 | WIREORGANISATION.INFO
5 | WIREORGANISATIONNOW.INFO
9 | WIREORGANISATIONONLINE.INFO
6 | WIREORGANISATIONSHOP.INFO
5 | WIREORGANISATIONS.INFO
3 | WIREORGANISATIONSITE.INFO
9 | WIREORGANISATIONSTORE.INFO
6 | WIREORGANISATIONTODAY.INFO
7 | WIREREPORTCARDSTRANSFER.INFO
6 | WIRE-REPORT-CARD-TRANSFER.INFO
7 | WIREREPORTCARDTRANSFER.INFO
4 | WIREREPORTTRANSFERBLOG.INFO
11 | WIRE-REPORT-TRANSFER.INFO
6 | WIREREPORTTRANSFER.INFO
4 | WIREREPORTTRANSFERNOW.INFO
6 | WIREREPORTTRANSFERONLINE.INFO
4 | WIREREPORTTRANSFERSHOP.INFO
10 | WIREREPORTTRANSFERS.INFO
6 | WIREREPORTTRANSFERSITE.INFO
2 | WIREREPORTTRANSFERSTORE.INFO
7 | WIREREPORTTRANSFERTODAY.INFO
5 | WIRETRANSFERMONEYBLOG.INFO
13 | WIRE-TRANSFER-MONEY.INFO
7 | WIRETRANSFERMONEY.INFO
7 | WIRETRANSFERMONEYNOW.INFO
7 | WIRETRANSFERMONEYONLINE.INFO
7 | WIRETRANSFERMONEYSHOP.INFO
9 | WIRETRANSFERMONEYS.INFO
6 | WIRETRANSFERMONEYSITE.INFO
10 | WIRETRANSFERMONEYSTORE.INFO
1 | WIRETRANSFERMONEYTODAY.INFO
7 | WIRETRANSFERSTATIONMONEY.INFO
3 | X-CABLE.INFO
4 | XCIRCUITBOARDS.INFO
6 | X-CIRCUIT.INFO
7 | XCIRCUIT.INFO
5 | X-CONNECTION.INFO
6 | XELECTRICALCONDUCTOR.INFO
6 | X-FILAMENT.INFO
7 | XFILAMENT.INFO
8 | X-WIREBLOG.INFO
6 | XWIRE.INFO
10 | X-WIRENOW.INFO
11 | X-WIREONLINE.INFO
8 | X-WIRESHOP.INFO
3 | X-WIRES.INFO
2 | X-WIRESITE.INFO
6 | X-WIRESTORE.INFO
2 | X-WIRETODAY.INFO
13 | Z-ACH-ACCOUNTS.INFO
5 | ZACHACCOUNTS.INFO
10 | Z-ACHBLOG.INFO
8 | Z-ACH.INFO
9 | Z-ACHNOW.INFO
16 | Z-ACHONLINE.INFO
6 | Z-ACH-PAYMENT.INFO
10 | ZACHPAYMENT.INFO
5 | Z-ACH-PAYMENTS.INFO
6 | ZACHPAYMENTS.INFO
5 | Z-ACHSHOP.INFO
4 | Z-ACHS.INFO
8 | Z-ACHSITE.INFO
6 | Z-ACHSTORE.INFO
4 | Z-ACHTODAY.INFO
4 | Z-ACH-TRANSACTIONS.INFO
10 | ZACHTRANSACTIONS.INFO
5 | ZCABLE.INFO
9 | ZCIRCUITBOARDS.INFO
9 | ZCIRCUIT.INFO
6 | ZCONNECTION.INFO
5 | ZFILAMENT.INFO
10 | ZLINESEGMENT.INFO
3 | ZLINETRAINS.INFO
3 | ZLINK.INFO
4 | Z-WIREBLOG.INFO
7 | Z-WIRE-INTERACTIVE.INFO
9 | ZWIREINTERACTIVE.INFO
6 | Z-WIRENOW.INFO
8 | Z-WIREONLINE.INFO
11 | Z-WIRESHOP.INFO
7 | Z-WIRES.INFO
13 | Z-WIRESITE.INFO
15 | Z-WIRESTORE.INFO
7 | Z-WIRETODAY.INFO
(487 rows)

Posted in Security | Comments Off

Facebook Likejacking, phishing and spam

Last Thursday, I wrote about Facebook Likejacking. Today, similar pages were brought to my attention. They use Likejacking to spread through user profiles using much more aggressive spam techniques.

The pages look like they come from Facebook. The teaser is a video that should be watched “only if you are 16 or older”. The play button hides a Facebook Like widget.

Spam page looking like Facebook

Before the user can play the video, they must either verify that they are at least 18 or prove that they are human … by filling out surveys, trying games, etc.! The spammers are paid for each action the user completes (PTC campaign).

“Security check”: the user must fill out a survey

If you stay on these pages long enough, they will attempt to send a form on your behalf. Fortunately, Firefox throws a warning.

Firefox prevents the automatic POST

acidattacker.com shows a Facebook page and a YouTube page with the same content.

Fake YouTube page from spammers

These spam pages can be found at:

  • hxxp://bnltwo.info/video2/
  • hxxp://acidattacker.com/

– Julien

Posted in Facebook | Comments (1)

“Undelivered package” spam still continues

Once again, a reminder: if you receive an email that claims to come from a delivery company, do not believe it immediately, because it could be a fake email that contains a virus.

These campaigns seem to be picking up again, since we are still receiving many reports of these spam emails.

Here are some examples of the spam emails being sent:

Dear Customer!

Your package has been returned to the DHL office.
The reason of the return is – Incorrect delivery address of the package!
Attached to the letter mailing label contains the details of the package delivery.
You have to print mailing label, and come in the DHL office in order to receive the packages.

Thank you!
DHL

or like this:

FedEx Reminder – Invoice XXX

Dear Customer!

Please refer to your last parcel invoice copy attached.

Thanks a lot,
FedEx.

And here’s the “Post Express Service”:


Post Express Service. Get the parcel XXX

Dear Customer.

Your package has been returned to the Post Express office.
The reason of the return is “Incorrect delivery address of the package”

Attached to the letter mailing label contains the details of the package delivery.
You have to print mailing label, and come in the Post Express office in order to receive the packages.

Thank you for your attention.
Post Express Service.

or:

Post Express! Get the parcel XXX

This is a post notification

Email notification ID:xxxxxxxx

Your package has been returned to the Post Express office.

The reason of the return is “Error in the delivery address”

Important message!
Attached to the letter mailing label contains the details of the package delivery.
You have to print mailing label, and come in the Post Express office in order to receive the packages.

Thank you for attention.
Post Express Support

The email may also contain only an image, like this one:

United Parcel Service notification #XXX

Dear customer,

The parcel was sent to your home address.
And it will arrive within 3 business days.

More information and the tracking number are attached in document below.

Thank you.
United Parcel Service

And there are many more, since the emails are sent in various formats.

Emsisoft Anti-Malware detects each of the attachments as the Oficla, Zeus/Zbot, or SpyEye trojan.

There is no doubt that this social engineering technique is still effective at luring users into opening attachments or clicking malicious links. In the most recent sample we received, when the user executes the attachment, the malware downloads a fake “shipping documents” file from the following address and then opens it automatically:

  • hxxp://mialedot.ru/3SEag1rs5f/document.doc

If you receive a suspicious email like this, do not open the attachment or click the links. Contact the company concerned to verify it, or forward the email to us for analysis.

More information:

DHL - http://www.dhl.com/en/express/resource_center/fraud_alert.html
FedEx - http://fedex.com/us/security/prevent-fraud/index.html
UPS - http://www.ups.com/content/us/en/resources/ship/fraud.html

Join the Emsisoft Facebook page and follow us on Twitter to stay up to date.

Posted in Antivirus | Comments Off

Phishing, Spam and Malware Statistics for February 2011

Most abused TLDs
For phishing URLs, the rising trend observed in January 2011 continued, with even more entries in February. We again observe that more and more different TLDs are used to host phishing, an obvious sign that there are a lot of hacked websites and bots out there. The top of the malware URL chart remains almost unchanged, but surprisingly the trend is negative.

Phishing

 # | Top level domain |     % | Deviation from January in %
---+------------------+-------+----------------------------
 1 | .com             | 51.56 |  32.44
 2 | Others           | 15.82 | 100.00
 3 | .org             |  6.20 |  21.69
 4 | .net             |  5.94 |   4.42
 5 | .uk              |  3.69 |  37.41
 6 | IP Address       |  3.22 |  99.67
 7 | .br              |  2.44 |  -3.66
 8 | .tk              |  2.18 |   7.45
 9 | .ru              |  2.01 |  15.40
10 | .tl              |  1.23 |  10.21

Malware

 # | Top level domain |     % | Deviation from January in %
---+------------------+-------+----------------------------
 1 | .com             | 38.35 |   6.80
 2 | .info            | 28.01 |  93.30
 3 | Others           |  8.78 | 100.00
 4 | IP Address       |  4.91 |  99.31
 5 | .ru              |  3.94 |  -7.36
 6 | .net             |  3.79 | -27.93
 7 | .org             |  2.71 | -11.32
 8 | .cc              |  2.69 |  25.32
 9 | .br              |  1.67 | -41.84
10 | .uk              |  1.30 |  50.00

Spam category statistics
We can only confirm again the trend we observed at the end of 2010: in general, there is less spam out there.

Sorted by amount

 # | Category   |     % | Deviation from January in %
---+------------+-------+----------------------------
 1 | Other      | 77.95 | -69.35
 2 | Nigerian   |  7.50 |  -1.10
 3 | Lottery    |  5.43 |  -0.29
 4 | Pharmacy   |  3.06 |  -7.71
 5 | University |  1.43 |  -2.36
 6 | Software   |  1.41 |  -1.86
 7 | Phishing   |  1.15 |  -0.56
 8 | Loan       |  0.70 |  -0.56
 9 | Malware    |  0.50 |   0.22
10 | Jobs       |  0.32 |  -0.12

Sorted by deviation

 # | Category    | Deviation from January in %
---+-------------+----------------------------
 1 | Malware     |  0.22
 2 | Commercials |  0.02
 3 | Fashion     | -0.08
 4 | Jobs        | -0.12
 5 | Casino      | -0.15
 6 | Lottery     | -0.29
 7 | Phishing    | -0.56
 8 | Loan        | -0.56
 9 | Nigerian    | -1.10
10 | Watch       | -1.73

Extension statistics for malware URLs
This month the situation was overturned by the .exe extension, which took the lead thanks to a 67% increase. Measured by growth, however, the most abused extension this month is not .exe but .html. This also makes sense considering the storm of updates for all browsers that took place in February and continues in March: the cyber criminals tried to abuse security vulnerabilities in the web browsers.

Sorted by amount

 # | Extension |     % | Deviation from January in %
---+-----------+-------+----------------------------
 1 | exe       | 42.15 |  67.44
 2 | txt       | 24.93 | -15.05
 3 | none      | 13.16 | -35.62
 4 | jpg       |  4.11 |  -3.73
 5 | htm       |  3.70 |  65.90
 6 | html      |  3.53 |  75.85
 7 | php       |  2.37 | -31.65
 8 | rar       |  1.53 |  58.89
 9 | gif       |  1.26 |  50.00
10 | zip       |  1.21 | -36.62

Sorted by deviation

 # | Extension | Deviation from January in %
---+-----------+----------------------------
 1 | html      | 75.85
 2 | exe       | 67.44
 3 | htm       | 65.90
 4 | rar       | 58.89
 5 | gif       | 50.00
 6 | png       | 11.54
 7 | css       |  0.00
 8 | com       |  0.00
 9 | bat       |  0.00
10 | jpg       | -3.73

Most phished brands statistics
The most attacked brand remains Paypal, far ahead of the other entries in the top chart. The reason for this is that we have seen an increase in the “other brands” category: it looks like attacking smaller brands, with potentially more success, is paying off for the phishers.
The biggest ascender this month is HSBC Bank, with an 85% increase, which brought it into the top chart (it was not present last month).

Sorted by amount

 # | Brand name      |     % | Deviation from January in %
---+-----------------+-------+----------------------------
 1 | Paypal          | 53.59 |   55.71
 2 | Others          | 20.03 |  100.00
 3 | HSBC Bank       |  5.07 |   85.20
 4 | Chase Bank      |  4.43 |   64.75
 5 | Facebook        |  4.09 |   26.33
 6 | Ebay            |  3.48 | -402.44
 7 | Bank of America |  3.16 |   76.25
 8 | Visa            |  2.19 |   46.41
 9 | Lloyds          |  2.07 |   65.50
10 | Banco Santander |  1.88 |   50.97

Sorted by deviation

 # | Brand name      | Deviation from January in %
---+-----------------+----------------------------
 1 | Others          |  100.00
 2 | HSBC Bank       |   85.20
 3 | Bank of America |   76.25
 4 | Lloyds          |   65.50
 5 | Chase Bank      |   64.75
 6 | Paypal          |   55.71
 7 | Banco Santander |   50.97
 8 | Visa            |   46.41
 9 | Facebook        |   26.33
10 | Ebay            | -402.44

URL Shorteners used in malicious activities
Tinyurl.com took the lead among the most abused shorteners in the phishing chart in February. While bit.ly lost ground in the phishing chart, it gained almost the same amount in the malware area, making it rule that chart with more than a 23% advantage over the following entries.

Phishing

 # | Shortener   |     % | Deviation from January in %
---+-------------+-------+----------------------------
 1 | tinyurl.com | 23.88 |  10.45
 2 | tiny.cc     | 14.93 |   5.97
 3 | bit.ly      | 10.45 | -17.91
 4 | is.gd       |  5.97 |   4.48
 5 | snipurl.com |  4.48 |   4.48
 6 | ow.ly       |  4.48 |   4.48
 7 | goo.gl      |  4.48 |  -4.48
 8 | doiop.com   |  4.48 |   2.99
 9 | sn.im       |  2.99 |   2.99
10 | notlong.com |  2.99 |  -2.99

Malware

 # | Shortener   |     % | Deviation from January in %
---+-------------+-------+----------------------------
 1 | bit.ly      | 30.00 | 17.50
 2 | u.nu        |  7.50 |  7.50
 3 | ow.ly       |  7.50 |  5.00
 4 | tinyurl.com |  5.00 |  0.00
 5 | tiny.cc     |  5.00 |  5.00
 6 | zi.ma       |  2.50 |  2.50
 7 | tr.im       |  2.50 |  2.50
 8 | snipurl.com |  2.50 |  2.50
 9 | sn.im       |  2.50 |  2.50
10 | shorl.com   |  2.50 |  2.50

Sorin Mustaca
Data Security Expert

Posted in Avira | Comments Off

More ACH Spam from NACHA

While we wait for the Japanese earthquake scams to begin, we noticed another ongoing spam campaign. We wrote about the ACH Transaction Rejected spam back in February, but another round is active, with another 350+ freshly registered domains.

The body of the email this time around reads:

The ACH transfer (ID: 65388185980), recently sent from your checking account (by you or any other person), was cancelled by the other financial institution.

Please click here (link) to view details

If you have any questions or comments, contact us at info@nacha.org. Thank you for using http://www.nacha.org.

/This messages is intended for use by addressee only and may contain privileged and confidential information. If you are not the intended recipient, dissemination of this communication is prohibited. If you have received this communication in error, please delete all copies of the message and attachments and notify the sender immediately. /

The spam has one of the following ten subject lines:

ACH payment canceled
ACH payment rejected
ACH transaction canceled
ACH Transfer canceled
ACH transfer rejected
Rejected ACH payment
Rejected ACH transaction
Rejected ACH transfer
Your ACH transaction
Your ACH transfer

Each claims to be from “nacha.org” – the National Automated Clearing House Association – the people who handle electronic payments between banks.

The From addresses are:

ach@nacha.org
admin@nacha.org
alert@nacha.org
alerts@nacha.org
info@nacha.org
payment@nacha.org
payments@nacha.org
risk@nacha.org
risk_manager@nacha.org
transactions@nacha.org
transfers@nacha.org

Here are the domain names we are seeing this time around. I haven’t checked all of them, but the ones I checked were GoDaddy. (GoDaddy and Afilias have been notified, and many of the domains are already disabled.)

machine
———————————–
ACHDESCRIBES.INFO
ACH-DETAILS-EMERGE.INFO
ACHDETAILSEMERGE.INFO
ACH-DETAILS.INFO
ACHDETAILS.INFO
ACH-DETAILS-MAGAZINE.INFO
ACHDETAILSMAGAZINE.INFO
ACHDETAILSNOW.INFO
ACHDETAILSONLINE.INFO
ACHDETAILSSHOP.INFO
ACHDETAILSSITE.INFO
ACHDETAILSSTORE.INFO
ACHDETAILSTODAY.INFO
ACHELEMENTS.INFO
ACH-INFORMATION-ARCHITECTURE.INFO
ACHINFORMATIONASSURANCE.INFO
ACHINFORMATIONBLOG.INFO
ACH-INFORMATION.INFO
ACHINFORMATION.INFO
ACHINFORMATIONLITERACY.INFO
ACHINFORMATIONNOW.INFO
ACHINFORMATIONONLINE.INFO
ACH-INFORMATION-SCIENCES.INFO
ACHINFORMATIONSCIENCES.INFO
ACH-INFORMATION-SHARING.INFO
ACHINFORMATIONSHARING.INFO
ACHINFORMATIONSHOP.INFO
ACHINFORMATIONS.INFO
ACHINFORMATIONSITE.INFO
ACHINFORMATIONSTORE.INFO
ACHINFORMATIONTODAY.INFO
ACHINFORMATIONWARFARE.INFO
ACHINFORMS.INFO
ACHREPORTBLOG.INFO
ACH-REPORT-CARD.INFO
ACHREPORTCARD.INFO
ACH-REPORT-CARDS.INFO
ACHREPORTCARDS.INFO
ACH-REPORT-COVERS.INFO
ACHREPORTCOVERS.INFO
ACH-REPORT.INFO
ACHREPORT.INFO
ACHREPORTNOW.INFO
ACHREPORTONLINE.INFO
ACHREPORTSHOP.INFO
ACHREPORTS.INFO
ACHREPORTSITE.INFO
ACHREPORTSTORE.INFO
ACHREPORTTODAY.INFO
ACHREVIEW.INFO
ATRANSFERADMISSION.INFO
ATRANSFERAGENT.INFO
ATRANSFERAPPLICANTS.INFO
A-TRANSFERBLOG.INFO
ATRANSFERFILES.INFO
ATRANSFERGUIDES.INFO
ATRANSFER.INFO
A-TRANSFERNOW.INFO
A-TRANSFERONLINE.INFO
ATRANSFERPRICING.INFO
ATRANSFERREQUEST.INFO
A-TRANSFERSHOP.INFO
A-TRANSFERS.INFO
A-TRANSFERSITE.INFO
A-TRANSFER-STATION.INFO
ATRANSFERSTATION.INFO
A-TRANSFERSTORE.INFO
A-TRANSFERTODAY.INFO
B-ACH-ACCOUNTS.INFO
BACHACCOUNTS.INFO
B-ACHBLOG.INFO
B-ACH.INFO
B-ACHNOW.INFO
B-ACHONLINE.INFO
B-ACH-PAYMENT.INFO
BACHPAYMENT.INFO
B-ACH-PAYMENTS.INFO
BACHPAYMENTS.INFO
B-ACHSHOP.INFO
B-ACHS.INFO
B-ACHSITE.INFO
B-ACHSTORE.INFO
B-ACHTODAY.INFO
B-ACH-TRANSACTIONS.INFO
BACHTRANSACTIONS.INFO
BESTACHDETAILS.INFO
BESTACHINFORMATION.INFO
BESTACHREPORT.INFO
BESTA-TRANSFER.INFO
BESTB-ACH.INFO
BESTD-PAYMENT.INFO
BESTG-PAYMENT.INFO
BESTP-ACH.INFO
BESTQ-ACH.INFO
BESTQ-PAYMENT.INFO
BESTQ-TRANSFER.INFO
BESTR-TRANSFER.INFO
BESTT-TRANSFER.INFO
BESTV-ACH.INFO
BESTW-ACH.INFO
BESTZ-PAYMENT.INFO
D-PAYMENTBLOG.INFO
D-PAYMENT.INFO
DPAYMENT.INFO
DPAYMENTMETHOD.INFO
DPAYMENTMETHODS.INFO
D-PAYMENTNOW.INFO
D-PAYMENTONLINE.INFO
DPAYMENTOPTION.INFO
DPAYMENTPROCESSING.INFO
DPAYMENTPROCESSOR.INFO
D-PAYMENTSHOP.INFO
D-PAYMENTS.INFO
D-PAYMENTSITE.INFO
DPAYMENTSOLUTION.INFO
DPAYMENTSOLUTIONS.INFO
D-PAYMENTSTORE.INFO
DPAYMENTTERMINAL.INFO
D-PAYMENTTODAY.INFO
DPAYMENTTRANSACTION.INFO
ELECTRONIC-ACH-DETAILS.INFO
ELECTRONICACHDETAILS.INFO
ELECTRONIC-ACH-REPORT.INFO
ELECTRONICACHREPORT.INFO
FREEACHDETAILS.INFO
FREEACHINFORMATION.INFO
FREEACHREPORT.INFO
FREEA-TRANSFER.INFO
FREEB-ACH.INFO
FREED-PAYMENT.INFO
FREEG-PAYMENT.INFO
FREEQ-ACH.INFO
FREEQ-PAYMENT.INFO
FREEQ-TRANSFER.INFO
FREER-TRANSFER.INFO
FREET-TRANSFER.INFO
FREEV-ACH.INFO
FREEW-ACH.INFO
FREEZ-PAYMENT.INFO
G-PAYMENTBLOG.INFO
G-PAYMENT.INFO
GPAYMENT.INFO
GPAYMENTMETHOD.INFO
GPAYMENTMETHODS.INFO
G-PAYMENTNOW.INFO
G-PAYMENTONLINE.INFO
GPAYMENTPROCESSING.INFO
GPAYMENTPROCESSOR.INFO
G-PAYMENTSHOP.INFO
G-PAYMENTS.INFO
G-PAYMENTSITE.INFO
GPAYMENTSOLUTIONS.INFO
G-PAYMENTSTORE.INFO
GPAYMENTTERMINAL.INFO
G-PAYMENTTODAY.INFO
GPAYMENTTRANSACTION.INFO
MASTER-P-ACH.INFO
MASTERPACH.INFO
MYACHDETAILS.INFO
MYACHINFORMATION.INFO
MYACHREPORT.INFO
MYA-TRANSFER.INFO
MYB-ACH.INFO
MYD-PAYMENT.INFO
MYG-PAYMENT.INFO
MYP-ACH.INFO
MYQ-ACH.INFO
MYQ-PAYMENT.INFO
MYQ-TRANSFER.INFO
MYR-TRANSFER.INFO
MYT-TRANSFER.INFO
MYV-ACH.INFO
MYW-ACH.INFO
MYZ-PAYMENT.INFO
NEWACHDETAILS.INFO
NEWACHINFORMATION.INFO
NEWACHREPORT.INFO
NEWA-TRANSFER.INFO
NEWB-ACH.INFO
NEWD-PAYMENT.INFO
NEWG-PAYMENT.INFO
NEWP-ACH.INFO
NEWQ-ACH.INFO
NEWQ-PAYMENT.INFO
NEWQ-TRANSFER.INFO
NEWR-TRANSFER.INFO
NEWT-TRANSFER.INFO
NEWV-ACH.INFO
NEWW-ACH.INFO
NEWZ-PAYMENT.INFO
P-ACH-ACCOUNTS.INFO
PACHACCOUNTS.INFO
P-ACHBLOG.INFO
P-ACH.INFO
P-ACHNOW.INFO
P-ACHONLINE.INFO
P-ACH-PAYMENT.INFO
PACHPAYMENT.INFO
P-ACH-PAYMENTS.INFO
PACHPAYMENTS.INFO
P-ACHSHOP.INFO
P-ACHS.INFO
P-ACHSITE.INFO
P-ACHSTORE.INFO
P-ACHTODAY.INFO
P-ACH-TRANSACTIONS.INFO
PACHTRANSACTIONS.INFO
Q-ACH-ACCOUNTS.INFO
QACHACCOUNTS.INFO
Q-ACHBLOG.INFO
Q-ACH.INFO
QACH.INFO
Q-ACHNOW.INFO
Q-ACHONLINE.INFO
Q-ACH-PAYMENT.INFO
QACHPAYMENT.INFO
Q-ACH-PAYMENTS.INFO
QACHPAYMENTS.INFO
Q-ACHSHOP.INFO
Q-ACHS.INFO
Q-ACHSITE.INFO
Q-ACHSTORE.INFO
Q-ACHTODAY.INFO
Q-ACH-TRANSACTIONS.INFO
QACHTRANSACTIONS.INFO
Q-PAYMENTBLOG.INFO
Q-PAYMENT.INFO
QPAYMENTMETHOD.INFO
QPAYMENTMETHODS.INFO
Q-PAYMENTNOW.INFO
Q-PAYMENTONLINE.INFO
QPAYMENTOPTION.INFO
QPAYMENTPROCESSING.INFO
QPAYMENTPROCESSOR.INFO
QPAYMENTSCHEDULE.INFO
Q-PAYMENTSHOP.INFO
Q-PAYMENTS.INFO
Q-PAYMENTSITE.INFO
QPAYMENTSOLUTION.INFO
QPAYMENTSOLUTIONS.INFO
Q-PAYMENTSTORE.INFO
QPAYMENTTERMINAL.INFO
Q-PAYMENTTODAY.INFO
QPAYMENTTRANSACTION.INFO
QTRANSFERADMISSION.INFO
QTRANSFERAGENT.INFO
QTRANSFERAPPLICANTS.INFO
Q-TRANSFERBLOG.INFO
QTRANSFERFILES.INFO
QTRANSFERGUIDES.INFO
Q-TRANSFER.INFO
QTRANSFER.INFO
Q-TRANSFERNOW.INFO
Q-TRANSFERONLINE.INFO
QTRANSFERPRICING.INFO
QTRANSFERREQUEST.INFO
Q-TRANSFERSHOP.INFO
Q-TRANSFERS.INFO
Q-TRANSFERSITE.INFO
Q-TRANSFER-STATION.INFO
QTRANSFERSTATION.INFO
Q-TRANSFERSTORE.INFO
Q-TRANSFERTODAY.INFO
RTRANSFERADMISSION.INFO
RTRANSFERAGENT.INFO
RTRANSFERAPPLICANTS.INFO
R-TRANSFERBLOG.INFO
RTRANSFERFILES.INFO
RTRANSFERGUIDES.INFO
R-TRANSFER.INFO
RTRANSFER.INFO
R-TRANSFERNOW.INFO
R-TRANSFERONLINE.INFO
RTRANSFERPRICING.INFO
RTRANSFERREQUEST.INFO
R-TRANSFERSHOP.INFO
R-TRANSFERS.INFO
R-TRANSFERSITE.INFO
R-TRANSFER-STATION.INFO
RTRANSFERSTATION.INFO
R-TRANSFERSTORE.INFO
R-TRANSFERTODAY.INFO
TERMINAL-B-ACH.INFO
TERMINALBACH.INFO
THEACHDETAILS.INFO
THEACHINFORMATION.INFO
THEACHREPORT.INFO
THEA-TRANSFER.INFO
THEB-ACH.INFO
THED-PAYMENT.INFO
THEG-PAYMENT.INFO
THEP-ACH.INFO
THEQ-ACH.INFO
THEQ-PAYMENT.INFO
THEQ-TRANSFER.INFO
THER-TRANSFER.INFO
THET-TRANSFER.INFO
THEV-ACH.INFO
THEW-ACH.INFO
THEZ-PAYMENT.INFO
TTRANSFERADMISSION.INFO
TTRANSFERAGENT.INFO
TTRANSFERAPPLICANTS.INFO
T-TRANSFERBLOG.INFO
TTRANSFERFILES.INFO
TTRANSFERGUIDES.INFO
TTRANSFER.INFO
T-TRANSFERNOW.INFO
T-TRANSFERONLINE.INFO
TTRANSFERPRICING.INFO
TTRANSFERREQUEST.INFO
T-TRANSFERSHOP.INFO
T-TRANSFERS.INFO
T-TRANSFERSITE.INFO
T-TRANSFER-STATION.INFO
TTRANSFERSTATION.INFO
T-TRANSFERSTORE.INFO
T-TRANSFERTODAY.INFO
V-ACH-ACCOUNTS.INFO
VACHACCOUNTS.INFO
V-ACHBLOG.INFO
V-ACH.INFO
V-ACHNOW.INFO
V-ACHONLINE.INFO
V-ACH-PAYMENT.INFO
VACHPAYMENT.INFO
V-ACH-PAYMENTS.INFO
VACHPAYMENTS.INFO
V-ACHSHOP.INFO
V-ACHS.INFO
V-ACHSITE.INFO
V-ACHSTORE.INFO
V-ACHTODAY.INFO
V-ACH-TRANSACTIONS.INFO
VACHTRANSACTIONS.INFO
W-ACH-ACCOUNTS.INFO
WACHACCOUNTS.INFO
W-ACHBLOG.INFO
W-ACH.INFO
W-ACHNOW.INFO
W-ACHONLINE.INFO
W-ACH-PAYMENT.INFO
WACHPAYMENT.INFO
W-ACH-PAYMENTS.INFO
WACHPAYMENTS.INFO
W-ACHSHOP.INFO
W-ACHS.INFO
W-ACHSITE.INFO
W-ACHSTORE.INFO
W-ACHTODAY.INFO
WACHTRANSACTIONS.INFO
WARRENGPAYMENT.INFO
ZPAYMENTARRANGEMENT.INFO
Z-PAYMENTBLOG.INFO
ZPAYMENTCARD.INFO
ZPAYMENTCARDS.INFO
ZPAYMENTDATES.INFO
ZPAYMENTDEADLINE.INFO
ZPAYMENTDEFINITION.INFO
ZPAYMENTINSTRUMENTS.INFO
ZPAYMENTLOCATIONS.INFO
Z-PAYMENTONLINE.INFO
ZPAYMENTPLATFORM.INFO
ZPAYMENTPROTECTION.INFO
Z-PAYMENTSHOP.INFO
Z-PAYMENTS.INFO
Z-PAYMENTSITE.INFO
Z-PAYMENTSTORE.INFO
Z-PAYMENTTODAY.INFO

Posted in Security | Comments (6)

Miley Cyrus, Justin Bieber Facebook Spam Reemerges

Recently we reported on a scam targeting Facebook users that turned users curious about who was stalking them into unwilling spammers. Now we are seeing newly created domains related to yet another scam targeting Facebook users, this time reusing social engineering lures already seen in the past.

These domains were seen linked from Facebook posts bearing messages such as the following:

  • “This Guy Took A Picture Of His Face Every Day For 8 Years”
  • “Look What Happens When Father And Daughter Meet On Chat Roulette”
  • “I can’t believe a GIRL did this because of Justin Bieber”
  • “SICK! I lost all respect for Miley Cyrus when I watched this video!”

The domains share a common set of keywords, all containing words such as daddy, busted, guy, face, pic, miley and bieber.

Once a user follows a link to one of these domains from a Facebook post, the user is redirected to a YouTube-like webpage, a technique typically used by the infamous KOOBFACE gang. The page actually contains nothing more than an image that resembles a page from the video-sharing site.

When the user clicks anywhere on the page, a prompt opens asking the user to complete a survey, supposedly to confirm the viewer’s age.

What really happens is that a malicious script, detected by Trend Micro as PHP_FBJACK.A, accesses the user’s Facebook account and posts a link to the same malicious page along with a message similar to the ones listed above.

Facebook was named the most dangerous social networking site in 2010, and it still is, considering the numerous attacks that target Facebook users every day. Thus it is important for Facebook users to be extremely cautious when navigating through the network, especially in clicking shared links, even those posted by trusted contacts.

The Trend Micro™ Smart Protection Network™ already protects users from this attack as related URLs and scripts are now blocked and detected respectively.
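The lure phrases and keyword-built domains described above lend themselves to a simple triage rule. The following Python is an added example, not Trend Micro’s code: it flags a post when its text matches one of the quoted lures and its link host is assembled from two or more of the listed keywords, while allowlisting facebook.com and youtube.com so that the substring “face” inside “facebook” does not trigger it. The sample posts and the .example domains are constructed for illustration, not real indicators.

```python
import re
from urllib.parse import urlsplit

# Added example (not Trend Micro's code): triage Facebook posts against the
# lure phrases and domain keywords described in the post above. Sample posts
# and domains below are constructed for illustration, not real indicators.

# Lure phrases quoted in the post, normalised to lower case.
LURE_PHRASES = (
    "took a picture of his face every day",
    "father and daughter meet on chat roulette",
    "girl did this because of justin bieber",
    "lost all respect for miley cyrus",
)

# Keywords the post says the scam domains are assembled from.
DOMAIN_KEYWORDS = ("daddy", "busted", "guy", "face", "pic", "miley", "bieber")

# Legitimate domains that would otherwise match ("face" is a substring of
# "facebook"); links to these are never flagged by the keyword check.
ALLOWLIST = {"facebook.com", "youtube.com"}

URL_RE = re.compile(r"https?://\S+")


def registrable_domain(url):
    """Return 'label.tld' for the link host (e.g. 'mileybustedpic.example').
    Assumes a single-label public suffix; co.uk-style suffixes are not handled."""
    host = (urlsplit(url).hostname or "").lower()
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def domain_keyword_hits(url):
    """Lure keywords that occur inside the registrable label of the link host."""
    reg = registrable_domain(url)
    if reg in ALLOWLIST:
        return []
    label = reg.split(".")[0]
    return [k for k in DOMAIN_KEYWORDS if k in label]


def lure_phrase_hits(text):
    lowered = text.lower()
    return [p for p in LURE_PHRASES if p in lowered]


def triage_post(text):
    """Classify one post. 'spam' when the message carries a known lure and a
    link host is built from two or more lure keywords; 'review' when only one
    of the two signals is present; 'ok' otherwise. Returns (verdict, reasons)."""
    reasons = []
    lures = lure_phrase_hits(text)
    if lures:
        reasons.append("lure phrase: " + lures[0])
    urls = URL_RE.findall(text)
    keyword_links = [u for u in urls if len(domain_keyword_hits(u)) >= 2]
    if keyword_links:
        reasons.append("keyword-built domain: " + registrable_domain(keyword_links[0]))
    if lures and keyword_links:
        return "spam", reasons
    if lures or keyword_links:
        return "review", reasons
    return "ok", reasons


# Constructed sample posts (domains under .example are reserved, not real).
SAMPLE_POSTS = [
    "SICK! I lost all respect for Miley Cyrus when I watched this video! "
    "http://mileybustedpic.example/watch?v=1",
    "Look What Happens When Father And Daughter Meet On Chat Roulette "
    "http://www.daddybustedguy.example/",
    "Check out my new face pic https://www.facebook.com/photo.php?id=1",
    "Interesting read: http://news.example/article/42",
]


def run_sample():
    """Return the verdict for each constructed post, in order."""
    return [triage_post(p)[0] for p in SAMPLE_POSTS]


if __name__ == "__main__":
    for post in SAMPLE_POSTS:
        verdict, why = triage_post(post)
        print(f"{verdict:6} {'; '.join(why) or '-'}")
```

A “review” verdict (only one signal present) is the useful middle ground: a lure phrase alone may be a legitimate repost, and a keyword-heavy domain alone may be a coincidence, but the two together are the pattern the post describes.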

Post from: TrendLabs | Malware Blog – by Trend Micro

Posted in Facebook, Trendmicro | Comments Off

Facebook app pages serve up Javascript and Acai Berry spam

Thanks to Matthew for sending this one over.

There’s a nasty round of Facebook app pages dabbling in Javascript shenanigans to spam Acai Berry diet pages on your profile walls. Simply visiting these pages while logged in is enough to post some spam, most of the pages involved promising (surprise, surprise) a video to watch:


If you try to navigate away from the app page, a message will pop up claiming you’re about to “corrupt the Flash install”. Total nonsense, but it’s just enough to result in something like this being posted to your profile:


“I am living proof that this works”, claims the “facebook sponsored weight loss product”. No sign of anyone yelling “Beefcake, Beefcake”, but let’s dispense with the South Park references and see where the spam link leads:


Oh look, a fake news site touting logos from various news sources. Needless to say, you don’t want to be handing over any money for the above. Though the code in the screenshot below may look like a load of tech-related jibber-jabber, you can still see many pieces of text used for the various spam messages:

Spam messages will also be sent out in both wall postings and facebook chat that look like this:

“Hey, What the hell are you doing in this video? Is this dancing or what?? Bahahah”

You can see that in the above screenshot, too (look near the bottom of the code). If you don’t want to strain your eyes, here it is in action:

There appears to be one main domain for this, franebook(dot)com (although it’s currently serving up 404 errors), and many of the related application pages also appear to have been taken down by facebook. apps(dot)facebook(dot)com/bergamoleyra/ and apps(dot)facebook(dot)com/hellenismkpmga/ are both giving “page not found” messages, although there seem to be a number of app pages still live and redirecting to the Acai berry spam sites.

As always, be careful what you’re clicking on in facebook – random messages promising junk will usually give you just that (and perhaps a little more besides).

Christopher Boyd

Posted in Facebook, GFI Software | Comments (1)

“Twitter Notifications” spam emails lead to US Drugs web site

MX Lab, http://www.mxlab.eu, started to intercept a spam campaign with the subject “Twitter Notifications”, sent from randomly spoofed email addresses, that leads to the U.S. Drugs web site.

An example of the email:

The email contains the Twitter logo and a basic layout. The included URL appears to lead to the twitter.com site, complete with some userid variables to make it look genuine, but behind the link text is a different web site address in each email.

The URL leads to the web site of U.S. Drugs, where you can buy… Viagra and the like. What else?

More information regarding this site can be found at http://spamtrackers.eu/wiki/index.php/US_Drugs.
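The mismatch the post describes, link text that reads as a twitter.com address while the href goes elsewhere, can be detected by comparing the two hosts. The following Python is an added example rather than MX Lab’s own tooling; the HTML body is a constructed stand-in for the spam mail, with reserved .example domains in place of the real destination.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Added example (not MX Lab's code): find anchors whose visible text is a URL
# on one host while the href actually points at another host. The HTML below
# is a constructed stand-in for the spam mail described above.
SAMPLE_EMAIL_HTML = """\
<html><body>
<img src="http://twitter.example/logo.png" alt="Twitter">
<p>You have 3 new notifications.</p>
<p><a href="http://pills-shop.example/in.php?uid=48213">
   http://twitter.com/account/notifications?userid=48213</a></p>
<p><a href="http://twitter.com/settings/notifications">www.twitter.com/settings</a></p>
<p><a href="http://list-manager.example/u?id=7">Unsubscribe</a></p>
</body></html>
"""


class LinkCollector(HTMLParser):
    """Collect (href, visible text) for every <a> element in the document."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            # Collapse the whitespace that HTML formatting adds inside the anchor.
            self.links.append((self._href, " ".join("".join(self._text).split())))
            self._href = None


def host_of(url):
    """Lower-cased host with any leading 'www.' removed; '' if unparsable."""
    if "://" not in url:
        url = "http://" + url          # visible text often omits the scheme
    try:
        host = urlsplit(url).hostname or ""
    except ValueError:
        return ""
    host = host.lower()
    return host[4:] if host.startswith("www.") else host


def looks_like_url(text):
    """True for visible text that a reader would take for a web address."""
    t = text.lower()
    return t.startswith(("http://", "https://", "www.")) or (
        "." in t and " " not in t and "/" in t
    )


def mismatched_links(html):
    """Return one (href, shown_text, href_host, shown_host) tuple for each
    anchor whose displayed address points at a different host than its href."""
    parser = LinkCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        if not looks_like_url(text):
            continue                  # plain words such as 'Unsubscribe'
        shown, real = host_of(text), host_of(href)
        if shown and real and shown != real:
            findings.append((href, text, real, shown))
    return findings


if __name__ == "__main__":
    for href, text, real, shown in mismatched_links(SAMPLE_EMAIL_HTML):
        print(f"shown as {shown!r} but goes to {real!r}: {href}")
```

Only the host is compared, so the userid-style query parameters the post mentions play no part in the decision, and a genuine twitter.com link shown as www.twitter.com is not reported.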

Posted in Spam | Comments Off

This is how hackers steal your Facebook password

There are many attackers out there who want to steal your credentials. Not surprisingly, Facebook, as one of the largest social networking sites in the world, has always been a target for the bad guys.

Let’s take an example from the following message:

Your facebook account will be closed for security reasons, because disruptive or insulting other facebook users. violates our Terms of Use, which can be blocking your account.

If you believe this is an error, Please follow the link below to verify and fill out the form of as agreement :

hxxp://customer-supports-account.webs.com/facebook-security/

We apologise for any inconvenience caused. If you not confirm, we will disable your account permanently.

We declare that you have read this information.

Thanks,
The Facebook Team

Facebook © 2011. All Rights Reserved.

Using a social engineering technique, the attacker tries to lure users by claiming that the email comes from the Facebook Team.

When you click the given link, it shows the following screen, which resembles the Facebook login page:

(Screenshot: phishing page)

This page actually calls another malicious site:

  • hxxp://djarum-black.24.eu/

As you can see here, every time you enter a password the script calls “incorrect.php” and shows a message saying that the password you entered is wrong. In fact, your login information has already been recorded by the attacker in the background. The attacker can then change your original password and do anything they want with the account.
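The phishing page quoted above is hosted on a free webs.com subdomain and only mentions “facebook” in its path, and the messages that accompany such pages combine a deadline with a threat to disable the account. The following Python is an added example, not the original post’s code: it refangs the hxxp:// link, extracts the registrable domain, and reports brand mentions outside the brand’s own domains, use of free hosting, and the deadline/threat wording. The brand-domain and free-hosting tables are assumptions for this example; the sample text is the first lure quoted on this page, and the security-check.example link is constructed.

```python
import re
from urllib.parse import urlsplit

# Added example (not the original post's code): check whether a link in a
# "confirm your account" message really belongs to the brand it names, and
# whether the message carries the deadline/threat pattern seen in the samples.

# Registrable domains the brand legitimately uses (assumption for this example).
BRAND_DOMAINS = {"facebook": {"facebook.com", "fb.com"}}

# Free hosting services where anyone can create a subdomain; the phishing page
# quoted in the post sits under webs.com (assumed list, extend as needed).
FREE_HOSTING = {"webs.com"}

# "24 hours", "12 hours", "1x24 hours" and the "1×24" spelling used in the lures.
DEADLINE_RE = re.compile(r"\b(?:1\s*[x×]\s*)?(?:12|24)\s*hours?\b", re.I)
# "account ... will be closed" or "disable ... your account", either word order.
THREAT_RE = re.compile(
    r"\baccount\b.{0,40}?\b(?:disabled|deactivated|suspended|blocked|closed|banned)\b"
    r"|\b(?:disable|deactivate|suspend|block|close|ban)\b.{0,40}?\baccount\b",
    re.I | re.S,
)


def refang(url):
    """Turn a defanged hxxp:// or hxxps:// URL back into a parseable one."""
    return re.sub(r"^hxxp", "http", url.strip(), flags=re.I)


def registrable_domain(host):
    """'label.tld' of a host; single-label public suffixes only (no co.uk)."""
    labels = host.lower().split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def analyse_link(url, brand="facebook"):
    """Return a list of findings for one link (empty means nothing odd)."""
    parts = urlsplit(refang(url))
    host = (parts.hostname or "").lower()
    reg = registrable_domain(host)
    if reg in BRAND_DOMAINS[brand]:
        return []                                   # genuine brand domain
    findings = []
    if brand in host or brand in parts.path.lower():
        findings.append(f"'{brand}' appears in the URL but the registrable domain is {reg}")
    if reg in FREE_HOSTING:
        findings.append(f"page is hosted on a free subdomain of {reg}")
    return findings


def analyse_message(text, url, brand="facebook"):
    """Combine link findings with the deadline and account-threat cues."""
    findings = analyse_link(url, brand)
    deadline = DEADLINE_RE.search(text)
    if deadline:
        findings.append("deadline pressure: " + deadline.group(0))
    if THREAT_RE.search(text):
        findings.append("threatens to disable the account")
    return findings


# The first lure quoted in the post above, with the link it carried.
SAMPLE_TEXT = (
    "Your facebook account will be closed for security reasons, because "
    "disruptive or insulting other facebook users. violates our Terms of Use, "
    "which can be blocking your account. If you believe this is an error, "
    "Please follow the link below to verify and fill out the form of as "
    "agreement. We apologise for any inconvenience caused. If you not "
    "confirm, we will disable your account permanently."
)
SAMPLE_URL = "hxxp://customer-supports-account.webs.com/facebook-security/"

if __name__ == "__main__":
    for finding in analyse_message(SAMPLE_TEXT, SAMPLE_URL):
        print("-", finding)
```

The registrable-domain step is what separates a real login page from the impersonations: “facebook” in a subdomain or path carries no weight when the domain that was actually registered is someone else’s.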

(Screenshot: source code of the phishing page)

And here are other scam messages that you may receive:

Your facebook account will be closed for security reasons, because disruptive or insulting other facebook users. violates our Terms of Use, which can be blocking your account.

If you believe this is an error, Please follow the link below to verify and fill out the form of as agreement :

http://malicious_links/

We apologise for any inconvenience caused. If you not confirm, we will disable your account permanently.

We declare that you have read this information.

Thanks,
The Facebook Team

Facebook © 2011. All Rights Reserved.

You perform actions that may be considered disturbing or offensive.
Your account has been reported by other users.
Your account will be blocked within 1×24 hours.

to cancel the blocking follow this link:

http://malicious_links/

Thank you,
Facebook Team

We get reports that your account was made a few mistakes, and is ensured by our team that there were errors in the use of social networking (facebook).
To ensure that this account belongs to you, we need your cooperation.
If you ignore this message and do not follow our policies, we are forced to deactivate or suspend your account.
The deadline for your confirmation for 24 hours starting from this incoming message.

To complete the process, please follow the link below:

http://malicious_links/

Confirmation Code: q0w8i32j

This message is not a scam, if you’re not sure you can change your facebook password and email after registering.

In the future, all warning of security will come through the Facebook Security. To receive future updates to Facebook’s site security, become a fan of the Page.

Copyright © 2010 by the Present Facebook ™
All rights reserved.

Your account will be deactivated immediately.Because someone has reported your actions.Maybe you have written content that is abusive. Or upload a picture that can be insulting or harmful to other users.You must confirm your account, to stop the warning deactivated on your account. Please re-confirm your account at:

http://malicious_links/

We provide 1×24 hours to re-confirm your facebook account. If not, we will block your account for the benefit of other users.

If you receive a message like this, please do not click on the given link! This link will lead to a phishing page.

Your account has been reported other users on the grounds of violating the provisions facebook:

1. fake profiles
2. porn photo
3. conduct phishing
4. insulting others
5. threatening others
6. inappropriate chat
7. contains pornographic images
8. conduct violation Terms of services (TOS)

facebook does not allow to do actions that are considered disturbing or offensive by other users.
please make confirmation within 24 hours, if you feel there has been a mistake.

IIf you do not confirm, the system automatically shut down your facebook account will be permanently on the assumption that the indications are correct.

Thank you for helping improve our service.

facebook ™ security
© 2010 copy right facebook network inc.

for cancellation, please confirm your facebook account below:

http://malicious_links/

Because too many users of this service, we decided to disable some unused accaunt in anticipation of damage to our network.

re-confirm your account here to help our checking account is not used anymore.
click our link below as your statement that accaunt still being used:

===============================

http://malicious_links/

===============================

You must verify your e-mail address before you can use it on facebook service

Attention:
If you do not re-confirm your account immediately, we are not responsible if your account will be disabled automatically by our system.

Thank you for using our services.
Facebook™ Gаmе пеtwогκ іпс
соρугіgһt © 2010 Facebook, іпс.. а׀׀ гіgһtѕ геѕегvеd.

Your account has been reported by other users for reasons that are not allowed to facebook.
facebook does not allow to do actions that are considered annoying or insult other users.
please confirm if you feel there have been mistakes, if you have not been confirmed, the system will automatically close your facebook account permanently.
please confirm your facebook account below :

Facebook Securitγ™ | Confirm Account

http://malicious_links/

Cоpγright © Facebook 2010, пеtwоrk Iпc.

Your facebook account will be closed for security reasons, because disruptive or insulting other facebook users. violates our Terms of Use, which can be blocking your account.

If you believe this is an error, Please follow the link below to verify and fill out the form of as agreement :

http://malicious_links/

We apologise for any inconvenience caused. If you not confirm, we will disable your account permanently.

We declare that you have read this information.

Thanks,
The Facebook Team

Facebook © 2010. All Rights Reserved.

Facebook security systems found indications that you have violated the “Terms of Service ‘(TOS) to do a post that contains :

1.Upload photos or images that violate the conditions of use facebook
2.Copyright infringement
3.Pornography or contains nudity
4.Insults, hateful, threatening, inciting, or acts of violence
5.Perform actions that interfere with another user and you have been reported by other users

Please confirm within 24 hours if you feel there has been a mistake.
If you do not confirm, the system will automatically close your facebook account or permanently disabled with the presumption that such indication is correct.

Please confirm your facebook account by clicking the link below:

http://malicious_links/

Thank you for helping improve our service.

Facebook ™ security
Facebook @2010 copyright network inc

Your account has been reported by other users reasons that are not allowed. Subject of:

1. Fake profiles
2. Fake Photo
3. Perform post
4. Insulting others
5. Threatening another person
6. Chat inappropriate
7. Contains pictures porn
8. Violation of Terms Of Service (TOS)

Facebook does not allow to do actions considered to interfere with or insult other users. Please confirmation within 24 hours. If you do not confirm, then the system will automatically deactivate your facebook account permanently with presumption that such indication is correct.

Thank you for helping improve our service.

Facebook™ security
Facebook © 2010 Copyright Network Inc.

If you feel there has been a mistake. Please confirm your facebook account on the PAQ below: WARNING! YOUR ACCOUNT WILL BE DISABLED

Our system has received numerous reports from other users about the misuse of your account, and it can cause your account will be suspended or disabled. Sometimes users get this warning because of abusing one of our features.

The reason for this is not limited to:
• Fake profile
• Incompatibility in your profile photo or album
• Those who distribute racist or sexy comments
• mailing systems Abuse Facebook
• Register more than one unique account

If you promise not to do things that violate the terms of service for the second time, our team is still giving direct policy to confirm your account that allows you to use your account again.

For confirm your account, please visit at:

http://malicious_links/

If within 24 hours after you receive information from us you are not immediately confirm the account, your account automatically will be disabled permanently.

Thank you
Regard,
Facebook ™ Security

Notice! Your account till now unconfirmed.

Facebook requires users to confirm the account as the respective proof of the authenticity of the account owner.
This is in because many people using false identities in their profile violates our Terms of Use which can be lead to blocking your account temporarily or account permanently closed.

If you are the original owner of this account immediately to confirm your account are at our FAQ

http://malicious_links/

To stop blocking
This or within 24 hours of account
we will switch you.

Thank you for your understanding.
█║▌│█│║▌║││█║▌║▌║
0111 8802 5334 9991 102

Rescue Operations Analyst ** Facebook © 2010 **

Suspicious activity detected on your Facebook account (i.e. it looks like you were violating our Terms of Service (“TOS”));
we will being permanently suspended your account.
If you agree to reinstatement terms your account.
Please follow instructions below to request reactivation.

Please contact customer service or
You are required to confirm your account at below :
———————–

http://malicious_links/

———————–

Attention:
If you don’t verify your account, then your account disabled automatically by our system.

Kind Regαrds,
Fасеbооk Sесυгitу .Iпc ™
Cоρугigнт © 2010 Sаfеtу Fасеbооk Lтd.
█║▌│█│║▌║││█║▌│║▌║
apps.facebook.com

We get the information from our security system that your account was reported by someone because doing:

► Transferring chiрs thrоugh lоsing and (selling).
► Cheating оr multiрle accоunts.
► Harassment, bullying, оr viоlent threats against оther user.
► Buying оr selling virtual gооds.
► Оffensive, disgusting, оr shоcking acts.

if you feel this is a misunderstanding or false accusation you must confirm your account!

Please confirm your account here:
▬▬▬▬▬▬▬▬▬▬▬

http://malicious_links/

▬▬▬▬▬▬▬▬▬▬▬

Within 24 hours if you do not confirm it, then the game “Texas Holdem Poker” in your account will be subject to sanctions in the form of temporary or permanent suspension, assuming that the allegations were true.

Thank you for improving our services
▬▬▬▬▬▬▬▬▬▬▬

http://malicious_links/

▬▬▬▬▬▬▬▬▬▬▬
Zуnga gamеѕ nеtшоrκ іnс. рaсе роκеr Bооκѕ
Attn: іntеllесtual ρrоρеrtу Agеnt
444 DеHarо ѕt., ѕuіtе 132
ѕan Franсіѕсо, сalіfоrnіa 94107th
█║▌│█│║▌║││█║▌│║▌║

Your account has been reported by other users with reasons that are not allowed in facebook, regarding about:

1.Fake profiles.
2.Your use of excessive application.
3.Identity fraud on your account.
4.You write content that is not fun (ROUGH).
5.Using facebook account just for the games applications.

Please confirmation within 24 hours if you feel there has been a mistake. If you do not confirm, the system will automatically close your facebook account or permanently disabled with the presumption that such indication is true.

For cancellation, please confirm your facebook account below:
▬ ▬ ▬ ▬ ▬ ▬ ▬ ▬ ▬ ▬ ▬ ▬ ▬ ▬

http://malicious_links/

▬ ▬ ▬ ▬ ▬ ▬ ▬ ▬ ▬ ▬ ▬ ▬ ▬ ▬
Thank you for helping to improve our services.

Facebook ™ Security
Facebook © 2010 Copyright Network Inc.
█║▌│█│║▌║││█║▌│║▌║

Blocking υp Accoυnt, Immediate Verification.
Violation – Facebook Terms of Service Warning! Your account could be disabled…

Blocking υp Accoυnt, Immediate Veгification.
Between You and Facebook Șecurity
Facebook Șecurity December 3 at 5:27pm Report
Violation – Facebook Terms of Service
Warning! Your account could be disabled.

Yoυr behavior indicates that you may be in violation of Facebook’s Terms of Use. Continued misuse of Facebook’s features could result in your account being disabled.

The гeasoпs your facebook account will be disabled:

1. Your account has been reported by some people
2. Fake profiles
3. Identity fraud on your account
4. You write content that is not fun (ROUGH)
5. Using facebook account just foг the games applications.

If you have never done this violation, please verification your account here:
============================

http://malicious_links/

============================

If you do not verification within 24 hoυrs, facebook secυrity system will disable your account. If you do not confirmed, the system will aυtomatically shut your facebook account permanently with the presumption that such indication is true.

Tһank you for helping to improve our services.

Facebook ™ Security
Facebook © 2010 Copyright Network Inc.
█║▌│█│║▌║││█║▌│║▌║

Facebook security system found indications that you are in violation Terms Of Services (TOS) to do a post containing:

1.You are violating copyright law No.32 of 2004 facebook about online
2.Upload photograph or image that violates the conditions of use facebook
3.Violation copyright
4.Pornografi or contains nudity
5.Humiliation, hateful, threatening, or inciting violence action
6.Take actions that disrupt or insult other users and you
have been reported by other users.

Please make confirmation within 24 hours if you feel there has been a mistake. if you do not confirm, the system automatically to your facebook account permanently assuming the correct indication

Note: please confirm your facebook account on the following link:

http://malicious_links/

Thank you for helping improve our service.

Facebook ™ security
Facebook © 2010 Copyright network Inc

Your account will be deactivated immediately.
Because someone has reported your actions.
Perhaps you have written content that is offensive or upload an image to insult or harm other users.
You must confirm your account, to stop the warning disabled
on your account.
Please confirm address below:
***************************

http://malicious_links/

***************************

“CAUTION”
Please confirm within 1×24 hours to fix your account. If not, our system will automatically close your facebook account permanently with the presumption that such indication is correct.

FACEBOOK ™
соρугіgһt © 2010 Facebook, іпс .. а | | гіgһtѕ геѕегvеd.

Your account will be immediately deactivated .someone has reported your actions. Maybe you have written content that is abusive and upload a picture that insulting or harmful to other users. You must confirm your account, to stop deactivation on your account.

Please confirm your account here:

► http://malicious_links/

if within 24 hours you do not confirm , the system will automatically close your facebook account (disabled), with the presumption that such indication is true.

This policy is designed to ensure permanent facebook social networks that are safe, comfortable and reliable for all users.

Thank you for helping to improve our services.
Facebook Team Security 2010
Terms of Intellectual Property and Security Policy

You are engaging in behavior that may be considered annoying or abusive by other users. You should be continue this phase for confirmation, if you don’t re-confirm, our system will automatically disabled the account permanently.
Please update your account here :

http://malicious_links/

Thanks for using our services.

NOTIFICATIONS!!

Your account will be banned or suspended or otherwise violate the requirements for facebook / poker texas holdem
to avoid suspension or banning of your account, please use the support feature to send an email to our terms of demand for administrators to avoid any actions taken by Zynga. / Facebook team
after you have registered, you can contact our customer service team directly by clicking the link below to confirm your account:

http://malicious_links/

Note: This site is created by Zynga / Facebook Team to give you a chance to confirm your account before your facebook account in the block or in the report.
And Tim Zynga / facebook only provide confirmation of 1×24-hour time limit …!!!
please support us with all the information you need to think to ask about this website.

Facebook Security Team. Inc ™
Copyright © 2010-2011

Facebook Security Team have reports there are some mistakes that are not in accordance with the feasibility of using your facebook, among others:
1. Using the application of excessive
2. Identity fraud on your account
3. Using pictures that are considered annoying
4. Insulting other users

To clean all of the allegations about your account, please visit Facebook Security customer support here :

=============================

http://malicious_links/

=============================

Attention !
If you ignore the message of this policy, we are forced to deactivate your account. Thank you for your cooperation

Facebook Security Services ™ 2010

Our security system detects suspicious activity on your account that violates the Terms of Service (TOS) in the form of posts that contain pornography, contempt, hatred, threaten, incite, violence, violations of copyrights or contains nudity.

Please confirm your account within 24 hours if you feel there has been a mistake. If you do not confirm, the system will automatically close your facebook account permanently with the presumption that such indication is correct.

Thank you for helping improve our service.

Facеbооk ™ Security
Facеbооk © 2010 Cоpyгіght Nеtwоrk Inc.

Please confirm your facebook account on the following link:
Facebook Account Confirmation

http://malicious_links/

Please confirm your Facebook account immediately to avoid disable account permanently. We apologize for this inconvenience.

Our system found recently accessed your account from a location unknown to us. For your protection, please review your last activity to make sure nothing is using up the account without permission.

Reviewing your activity requires only a few moments. We’ll start by asking a few questions to confirm that this is your account. (If we recognize your computer, you will be able to skip this step.).

Please verify your account within 24 hours, if you ignore then we will block this account for your security.

Please verify your account here:
_____________________________________________________

http://malicious_links/

_____________________________________________________

Thanks for Helping to improv our services.

Facebook ™ security
Facebook @2010 copyright network inc.
█ ║ ▌ │ █ │ ║ ▌ ║ │ │ █ ║ ▌ │ ║ ▌ █

ΑТТΕΝТІОΝ,youг accouпt will be deactivated iммediately . Because soмeone has reported your actions . Maybe you have written content that is abusiveoг upload a pictuгe that caп be insulting or harмful to other useгs.You must confiгм your account, to stop the waгning deactivated on youг account.Please гe-confiгm your account at:

http://malicious_links/

We provide 1×24 hours to re-confirm your facebook account. If not, we will block your account for the benefit of other users.

Facebook Team. Inc ™
By Copyright © 2010 Facebook, Inc. ..

Your account will be disabled.
Your account has been reported by another user with the reason violations,
- Insult other users
- misappropriated
- violate the rules on your account

If you believe this is an error , please click bellow to registration security your account :

http://malicious_links/

If within 12 hours you do not confirm to facebook security center, we will be banned your account.

Thank you, for your cooperation
Best regards, By Facebook Security™.
Сорүгіgһt © 2010 Security Νеtwогk Іпс. Аlŀ гіgһt геѕегνеd

Yоur ассоunt һаѕ bееn rероrtеd by аnоtһеr uѕеr wіtһ tһе rеаѕоn:
1. Іllеgаl trаnѕfеr сһір
2. Uѕіng inѕult wоrd tо оtһеr player

Please be sure to visit the Application Facebook Help Center

============================

http://malicious_links/

============================

Thanks,
Facebook Security Team

Your account will be deactivated immediately.Because someone has reported your actions.Maybe you have written content that is abusive or upload a picture that can be insulting or harmful to other users.You must confirm your account, to stop the warning deactivated on your account.

Please re-confirm your account at:

http://malicious_links/ <—–click here

We provide 1×24 hours to re-confirm your facebook account. If not, we will block your account for the benefit of other users.

Facebook Team. Inc ™
By Copyright © 2010 Facebook, Inc. ..
All rights reserved
█║▌│█│║▌║││█║▌│║▌

Your account has been reported, please list your account to prevent deferred account.
We just want to help you in securing your account.
To secure your account, visit the Facebook service center below:

►http://malicious_links/

If you do not register your account within 24 hours, your account will be suspended or deactivated.
Security of your account will be processed within 24 hours.

Тһаnk yоυ, yоυr fоr соореrаtіоn
Веѕt rеgаrdѕ, Вy Ѕесυrіty ™ Facebook.
Сорyrіgһt ™ © 2010. Аlŀ rіgһt rеѕеrved.

Your account has been reported by another user for reasons that are not permitted on Facebook, regarding:

1. Fake profile.
2. Fake photo.
3. Making posts.
4. Insulting other people.
5. Threatening other people.
6. Inappropriate chat.
7. Containing nude images.
8. Violating the terms of services (TOS).

Facebook does not permit actions that other users consider disturbing or insulting.
Please confirm within 24 hours if you feel a mistake has been made. If you do not confirm, the system will automatically close your Facebook account permanently on the assumption that the indication is correct.

Thank you for helping to improve our service.

For cancellation, please confirm your Facebook account below:

==============================

http://malicious_links/

==============================

Fαcеbооk ™ sеcuгiтy
Fαcеbооk © 2010 Cоpyгighт петwогk Iпc.

your account has been reported by other users for reasons that are not allowed to facebook. facebook does not allow to do actions that are considered annoying or insult other users.
please confirm if you feel there have been mistakes, if you have not been confirmed, the system will automatically close your facebook account permanently.
please confirm your facebook account below :

→ http://malicious_links/

If yоu do пot coпfiгm tһis mistake to us witһiп 24 һοuгs yоuг accоuпt is autоmatically disabled!

Tһапks fог yоuг cоорeгаtiоп.

**Facebook Security Team © 2010**

Facebook requires users to register your account, as proof of the authenticity of your account.
This is because many people who use false identities in their profile that violates our Terms of Use.

Please confirm within 24 hours if you suspect that this is our fault. If you do not confirm our system will automatically close your facebook account permanently with the presumption that such indication is correct.

Please confirm your facebook account on the link below:

——————————

http://malicious_links/

——————————

Thank you for helping improve our service.

Team up ™ security
Up @ 2011 copyright inc.

Facebook Security
To provide you with the information you need to protect your information both on and off Facebook.

You have been reported for inappropriate images or chat user Content…

The Service may invite you to chat or participate in blogs,
message boards, online forums and other functionality and may
provide you with the opportunity to create, submit, post,
display, transmit, perform, publish, distribute or broadcast
content without limitation, text, writings, photographs,
graphics, comments,Any material you transmit to facebook will
be treated as non-confidential and non-proprietary.

You still have your last chance To prevent your account
from being disabled , please login using the address below:
◊▬▬▬▬▬▬▬▬▬▬▬▬▬▬▬▬▬▬▬▬◊

http://malicious_links/

◊▬▬▬▬▬▬▬▬▬▬▬▬▬▬▬▬▬▬▬▬◊
Notice : be sure you submitted the correct email,password and
same date of birth u provided in facebook personal information.
Facebook © 2011
█║▌│█│║▌║││█║▌│║▌║

You winner selected α lоtterγ prіze frоm α lоtterγ Zγηgα.
Yоu’ve wоη α $250.000.000 mіllіоη pіeces оf chіps αηd 50 Gоld.
Further іnfоrmαtіоη, clіck оη the URL :

♣♠◊▬▬▬▬▬▬▬▬▬▬▬▬▬▬◊♣♠

http://malicious_links/

♣♠◊▬▬▬▬▬▬▬▬▬▬▬▬▬▬◊♣♠

Thіs іs α lіst оf ηіηe оther grαηd prіze wіηηers frоm dіffereηt cіtіes:
1. Dαηіel G. frоm Pіcо Rіverα, Lоs Αηgeles
2. Leηіη M. frоm Cuηdіηαmαrcα, Cоlumbіα
3. Mоdestαs P. frоm Pαηevezγs, Lіthuαηіα
4. Mαrk V. frоm Peηηsγlvαηіα, USΑ
5. Αbі R. frоm Αηkαrα, Turkeγ
6. Shαrоη P. frоm Αlbertα, Cαηαdα
7. Αgηαr J. frоm Mαcerαtα, Іtαlγ
8. Bruce M. frоm Eηglαηd, Uηіted Kіηgdоm
9. Mαuі H. frоm Petrіηjα, Crоαtіα

Thαηk γоu tо pαrtіcіpαted, lооk оut fоr the ηext grαηd prіze!
Dоη’t fоrget tо bооkmαrk Zγηgα Pоker,sо γоu cαη eαsіlγ cоme bαck tо the gαme.

Cоpγrіght © 2011 Zγηgα Gαme Ηetwоrk Іηc.. Αll rіghts reserved.

Your account is reported to have violated policies that are considered annoying or insulting Facebook users. Until our security system will deactivate your account within 24 hours if you do not do the reconfirmation.

If you still want to use your account, please confirm your facebook account below:

☞ http://malicious_links/

Facebook Security ™
Copyright Facebook © 2011 Inc
phone:(650.543.4800) fax:(650.543.4801)
▌█ ▐ ║▌█ ▐ ║▌█ ▐ ║▌▌█ ▐ ║▌█ ▐ ║▌█

Facebook security system we have found one indication that you violated the “Terms of Service” (TOS) that contain posts forbidden as follows :

1. Fake profiles.
2. Upload photos or images and videos that contain pornography.
3. Send a message or comment on news that contain insults, hateful, threatening, inciting, or acts of violence to other facebook users.
4. Using facebook account just for the games applications.
5. Perform actions that interfere with and you have been reported by other facebook users.
6. Clicking on a link or links that are wrong and contain the negative content.

Please confirm within 24. when you suspect that you have not been confirmed, the system will automatically close your facebook account permanently with the presumption that such indication is correct.
Please confirm your facebook account by clicking the link below:

http://malicious_links/

Thank you for helping improve our service.

Facebook ™ security
Up @ 2010 copyrights network inc.

The security system we found an indication that you are violating the Terms of Service (TOS) to do a post that contains pornographic, insulting, hateful, threatening, inciting, violence, violations of copyrights or contains nudity.

Please confirm within 24 hours if you feel there has been a mistake.
If you do not confirm, the system will automatically close your facebook account
permanently with the presumption that such indication is correct.

Thank you for helping improve our service.

Security Facеbооk ™
Facеbооk © 2010 Cоpγгіght Nеtwоrk Inc..
█║▌│█│║▌║││█║▌│║█║

Please confirm your facebook account on the following link:
——————–

http://malicious_links/

——————–

Please confirm your Facebook account immediately to avoid permanent closure.
We apologize for the inconvenience.

Our team has seen your facebook activity, and we have seen that you have not done FACEBOOK confirmation. Immediately re-confirm your FACEBOOK before 12 February 2011. If FACEBOOK you in that time have not done your FACEBOOK confirmation then we will be permanently disabling. please note it wisely.

Immediately re-confirm your FACEBOOK at the address below:

===============================

http://malicious_links/

===============================

Thanks,

Mark Zuckerberg

Fαcеbооk ™ sеcuгiтy
Fαcеbооk © 2011 Cоpyгighт петwогk Iпc.
█║▌│█│║▌║││█║▌│║▌║

Your account will be desactivated immediatly. Because someone has reported your actions. Maybe you have written content that is abusive or upload a picture taht can be insulting or harmful to other users. You must confirm your account, to stp the warning desactivated on your account. Please re-confirm your account at:
◄ ▬ V I P® ▬ ► = Hotmail

http://malicious_links/

◄ ▬ V I P® ▬ ► = Yahoo

http://malicious_links/

◄ ▬ V I P® ▬ ► = GmaiL

http://malicious_links/

We provide 24 hours to re-confirm your facebook account. If not, we will desactivate your account for the benefit of other users
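
Several of the lures quoted above replace Latin letters with look-alike Greek and Cyrillic ones (α for a, γ for y, η for n, Cyrillic о for o), so a filter that simply searches a message for "Facebook" or "Zynga" does not match them. The following added example, which is not code from the original post, shows the two checks a mail or wall-post filter needs: detection of words whose letters come from more than one script, and normalization through a confusables table before keyword matching. The sample strings are constructed here to mirror the quoted lures, and the confusables table is a hand-built assumption that covers only the substitutions seen on this page, not the full Unicode confusables list.

```python
import unicodedata

# Constructed samples that mirror the lures quoted above (escapes spell out the
# Greek/Cyrillic code points the scammers used in place of Latin letters).
SAMPLES = [
    "You winner selected \u03b1 l\u043etter\u03b3 pr\u0456ze fr\u043em \u03b1 l\u043etter\u03b3 Z\u03b3\u03b7g\u03b1.",
    "F\u03b1c\u0435b\u043e\u043ek \u2122 s\u0435cu\u0433i\u0442y",
    "Please confirm your facebook account by clicking the link below:",
]

# Hand-built confusables table (assumption: covers the substitutions seen on this
# page, not the full Unicode confusables list): look-alike -> ASCII letter.
CONFUSABLES = {
    "\u03b1": "a",  # GREEK SMALL LETTER ALPHA
    "\u03b3": "y",  # GREEK SMALL LETTER GAMMA
    "\u03b7": "n",  # GREEK SMALL LETTER ETA
    "\u0391": "A",  # GREEK CAPITAL LETTER ALPHA
    "\u0397": "H",  # GREEK CAPITAL LETTER ETA
    "\u0399": "I",  # GREEK CAPITAL LETTER IOTA
    "\u043e": "o",  # CYRILLIC SMALL LETTER O
    "\u0435": "e",  # CYRILLIC SMALL LETTER IE
    "\u0456": "i",  # CYRILLIC SMALL LETTER BYELORUSSIAN-UKRAINIAN I
    "\u0406": "I",  # CYRILLIC CAPITAL LETTER BYELORUSSIAN-UKRAINIAN I
    "\u0433": "r",  # CYRILLIC SMALL LETTER GHE (looks like r)
    "\u0442": "t",  # CYRILLIC SMALL LETTER TE
    "\u043f": "n",  # CYRILLIC SMALL LETTER PE
}

BRANDS = ("facebook", "zynga", "security")


def normalize(text):
    """Map known look-alike letters back to ASCII so keyword matching works."""
    return "".join(CONFUSABLES.get(ch, ch) for ch in text)


def scripts_of(word):
    """Unicode scripts used by the letters of a word, e.g. {'LATIN', 'GREEK'}."""
    return {unicodedata.name(ch, "UNKNOWN").split(" ")[0]
            for ch in word if ch.isalpha()}


def mixed_script_words(text):
    """Words mixing two or more scripts: a strong tell for homoglyph spoofing."""
    words = (w.strip(".,:;!?") for w in text.split())
    return [w for w in words if len(scripts_of(w)) > 1]


def triage(text):
    """Compare naive keyword matching with normalized matching on one message."""
    return {
        "mixed_script_words": mixed_script_words(text),
        "brand_keywords_raw": [b for b in BRANDS if b in text.lower()],
        "brand_keywords_after_normalization": [
            b for b in BRANDS if b in normalize(text).lower()
        ],
    }


if __name__ == "__main__":
    for sample in SAMPLES:
        print(triage(sample))
```

On the Zynga lure the raw keyword check finds nothing, while the normalized text reads "Zynga" and five of the words mix scripts; the plain-ASCII third sample trips neither check, which is why keyword matching alone is not enough and a mixed-script word count is worth logging as its own signal.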

Some screenshots of the phishing page (six images, phising-page2 through phising-page7):

And here is the list of known malicious sites (stay away from them; some of the links are still active). The URLs are defanged with "hxxp" so they cannot be clicked by accident. Note that several entries sit under apps.facebook.com, which means those phishing pages were published as apps on Facebook's own platform, and that the three mehdiz.freevnn.com entries are the Hotmail, Yahoo and Gmail pages behind the "VIP" links in the last sample above:

  • hxxp://apps.facebook.com/notificationfacebook/
  • hxxp://apps.facebook.com/confirm-register/
  • hxxp://lucksteven.001webs.com
  • hxxp://network-official.active.ws/
  • hxxp://security-confrim-facebook-registrations.tk/
  • hxxp://apps-facebook-privacy-account-safety.webs.com/
  • hxxp://help-account-facebook-security.webs.com/
  • hxxp://apps.facebook.com/commemorations/
  • hxxp://secure_center.t35.com
  • hxxp://customer-supports-account.webs.com/facebook-security/
  • hxxp://djarum-black.24.eu/
  • hxxp://h1.ripway.com/bkle001/
  • hxxp://www.admln-security-games-fcebook.webs.com/
  • hxxp://andhy_cuewk.0fees.net/
  • hxxp://apps.facebook.com/users-registration/
  • hxxp://account-confirmation-2010.ij3.de
  • hxxp://registration-account-system.tk/
  • hxxp://zliti.host.sk/62/login.facebook.com/?id=26089&lc=us
  • hxxp://verify-account-system.com.nu
  • hxxp://comfirm-facebook-security-online.tk/
  • hxxp://customer-help-support-account.service.lc/facebook-security/
  • hxxp://service-centre-account-games-poker.webs.com/
  • hxxp://confirm-account-facebook-by-police-facebook.tk
  • hxxp://security-inc.mypiece.com/
  • hxxp://accountsecuritywarning.tk/
  • hxxp://facebook.security-confirmations.com
  • hxxp://gamepot.surge8.com
  • hxxp://apps-facebook-security-report-games.webs.com/
  • hxxp://privacy-police.ucoz.ru/facebook.html
  • hxxp://facebook-security-account-notifikation-inc.tk/
  • hxxp://apps-facebook-grandprize-millions-chips-zyngapoker.tk/
  • hxxp://customer-help.us.nf/facebook-security/
  • hxxp://confirmation-account-security-facebook.tk/
  • hxxp://mehdiz.freevnn.com/scama/hotmail/en/?i=1064
  • hxxp://mehdiz.freevnn.com/scama/yahoo/en/?i=1064
  • hxxp://mehdiz.freevnn.com/scama/gmail/en/?i=1064
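
A practitioner's next step with a list like this is to triage it rather than read it. The following added example, which is not code from the original post, refangs each defanged entry for parsing only (nothing is fetched) and sorts it into the patterns visible in the list: pages served from apps.facebook.com itself, hostnames that impersonate a brand with typos such as "fcebook" or "confrim", throwaway hosts that carry the brand only in the path, and unbranded throwaway hosts. The six sample entries are copied from the list above; the lure-word list, the rule that only facebook.com is first-party and the 0.8 similarity threshold are assumptions chosen for this illustration.

```python
from collections import Counter
from difflib import SequenceMatcher
from urllib.parse import urlsplit

# Entries copied from the list above; "hxxp" is the usual defang of "http".
KNOWN_BAD = [
    "hxxp://apps.facebook.com/notificationfacebook/",
    "hxxp://security-confrim-facebook-registrations.tk/",
    "hxxp://www.admln-security-games-fcebook.webs.com/",
    "hxxp://zliti.host.sk/62/login.facebook.com/?id=26089&lc=us",
    "hxxp://mehdiz.freevnn.com/scama/hotmail/en/?i=1064",
    "hxxp://lucksteven.001webs.com",
]

# Assumption: brand and lure words taken from the samples on this page.
LURE_WORDS = ("facebook", "zynga", "poker", "security", "confirm", "account",
              "register", "privacy", "hotmail", "yahoo", "gmail")
# Assumption: only this apex domain counts as first-party for this exercise.
FIRST_PARTY = ("facebook.com",)


def refang(url):
    """Turn the defanged hxxp(s):// form back into a parseable URL (do NOT open it)."""
    return url.replace("hxxps://", "https://", 1).replace("hxxp://", "http://", 1)


def labels(host):
    """Split a hostname into dot- and hyphen-separated tokens."""
    return [t for t in host.replace("-", ".").split(".") if t]


def lookalike(token, word, threshold=0.8):
    """True if token equals word or is a close misspelling of it (fcebook ~ facebook)."""
    return token == word or SequenceMatcher(None, token, word).ratio() >= threshold


def classify(defanged):
    """Classify one defanged URL by where the brand lure sits."""
    url = urlsplit(refang(defanged))
    host = (url.hostname or "").lower()
    path = url.path.lower()
    first_party = any(host == s or host.endswith("." + s) for s in FIRST_PARTY)
    host_lures = sorted({w for t in labels(host) for w in LURE_WORDS if lookalike(t, w)})
    path_lures = sorted({w for w in LURE_WORDS if w in path})
    if first_party:
        verdict = "rogue app on the real platform"   # served under apps.facebook.com
    elif host_lures:
        verdict = "brand-impersonating hostname"
    elif path_lures:
        verdict = "brand only in path (throwaway host)"
    else:
        verdict = "unbranded throwaway host"
    return {"host": host, "host_lures": host_lures,
            "path_lures": path_lures, "verdict": verdict}


def summarize(urls):
    """Count how many entries fall into each verdict."""
    return Counter(classify(u)["verdict"] for u in urls)


if __name__ == "__main__":
    for entry in KNOWN_BAD:
        print(entry, "->", classify(entry))
    print(summarize(KNOWN_BAD))
```

The first verdict is the one worth escalating: a blocklist of lookalike domains does nothing against a phishing page that lives under apps.facebook.com, which is exactly the rogue-application problem raised in the open letter at the top of this page. The fuzzy label match is deliberately loose (a 0.8 ratio) so that single-character typos like "fcebook" still count; tune the threshold against your own false-positive rate before using it on live traffic.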

If you receive a suspicious message or email, you can forward it to us at malware@computersecurityarticles.info, or submit the malicious file via "Virus Submit".

And don't forget to join us on Facebook! Stay alert and stay safe!

Posted in Facebook, Featured. Comments (3)
