Sunday, January 6, 2008

Phish Facebook, Phish Myspace too!

Investigating the recent Facebook phishing attack has turned up more information, including Myspace phishing sites and gambling casino spam.

Let's start with this screenshot below.


Let's perform a DNS lookup on the FQDN 371233.cn.


As you can see, this phishing domain runs on a double fast-flux DNS service, which means both the NS and A records are dynamic and constantly changing. Observing the activity further, there are 10 round-robin addresses that change every minute, and this rogue network hosts thousands of domains. So shutting down these fake sites is not that easy!
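One way to flag the pattern described above from repeated lookups of a domain, as an added example that is not part of the original post. The `Snapshot` type, the thresholds and every sample address (documentation IP ranges) are assumptions constructed for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Snapshot:
    """One DNS observation of a domain (hypothetical type for this example)."""
    minute: int           # minutes since monitoring started
    a_records: frozenset  # IPs returned for the A query
    ns_ips: frozenset     # IPs the domain's name servers resolved to
    ttl: int              # TTL on the A answer, in seconds

def churn(sets):
    """Fraction of consecutive observations whose record set changed."""
    pairs = list(zip(sets, sets[1:]))
    return sum(a != b for a, b in pairs) / len(pairs) if pairs else 0.0

def classify(snaps, max_ttl=300, min_unique=10, min_churn=0.5):
    """Return 'double-flux', 'single-flux' or 'stable'.
    The thresholds are illustrative assumptions, not published values."""
    if len(snaps) < 2:
        return "stable"  # one lookup cannot show rotation
    snaps = sorted(snaps, key=lambda s: s.minute)
    a_sets = [s.a_records for s in snaps]
    unique_a = set().union(*a_sets)
    a_flux = (churn(a_sets) >= min_churn
              and len(unique_a) >= min_unique
              and max(s.ttl for s in snaps) <= max_ttl)
    ns_flux = churn([s.ns_ips for s in snaps]) >= min_churn
    if a_flux and ns_flux:
        return "double-flux"
    return "single-flux" if a_flux else "stable"

def sample(minute, rotate_a=True, rotate_ns=True):
    """Constructed observation: 10 round-robin A records, documentation IP ranges."""
    base = minute * 10 if rotate_a else 0
    a = frozenset(f"198.51.100.{(base + i) % 250 + 1}" for i in range(10))
    ns = frozenset({f"203.0.113.{(minute if rotate_ns else 0) + 1}"})
    return Snapshot(minute, a, ns, ttl=60 if rotate_a else 3600)

if __name__ == "__main__":
    cases = {
        "double": [sample(m) for m in range(5)],
        "single": [sample(m, rotate_ns=False) for m in range(5)],
        "static": [sample(m, rotate_a=False, rotate_ns=False) for m in range(5)],
    }
    for name, snaps in cases.items():
        print(name, "->", classify(snaps))
```

Legitimate round-robin and CDN setups also rotate A records, so a result like this is a reason to look closer rather than a verdict.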

The screenshot below is a Myspace phishing site.


more links ...

login.myspace.com.cfm.fuseaction.splash.mytoken.76701a26.0j643z.com
profile.myspace.com.fuseaction.user.viewprofile.9w.11523822.cn
profile.myspace.com.fuseaction.id.0ed37i8xdd.378d38.cn
profile.myspace.com.fuseaction.id.user.viewprofile.1878800.cn


Aside from phishing sites, this node (particularly myluludns.com) is also responsible for gambling casino spam (found 6 active mail domains) and even marijuana scams (like thebudshop.net and crazybuds.com).

In summary, phishing and scam spam are cross-platform, web-based attacks. They aim to steal your identity and your money!

Mac and iPhone users are not exempt.