Friday, August 5, 2016

The curious case of recurring “Page disabled” Facebook scams

from Malwarebytes Unpacked (via Feedly)

Remember those fake Facebook Security pages we’ve documented earlier this year? Here’s a quick refresher if not:

  • These are phishing campaigns that are exclusively after Facebook users.
  • Phishers behind them generally use compromised accounts to spread fake warning messages by posting to random users’ feeds.
  • These messages, in a nutshell, warn users that their accounts will be disabled unless they confirm their identity by providing their personal information.

Recently, we noticed a fake Facebook Security profile that sent one of our test accounts a private message. Below is a transcript of that message:

Actions Needed : Confirm your Facebook account .
We have found that the response of your account may not be authentic . that you
should use real identity . If you want to reactivate your account, please
extend your account.

To continue the account confirmation , please confirm here :
hxxp://logs-secure3[DOT]at[DOT]ua/customer/support/

This message is sent to your account .
within 24 hours , if you ignore this message we apologize for the inconvenience
your account will be reinstated .

Thanks_

Facebook , Inc. , Attention : Community Support , Menlo Park , CA 94025

We’ve also seen several users publicly post private messages they received from fake Facebook Security accounts, asking their friends, family, and colleagues if this is legit. Here’s a sample:


ATTENTION: Your account will be Disabled!

Please re-confirm your account to avoid blocking.

It is caused someone has reported you that there were irregularities of content,
for violating terms of service. If you are the original owner of this account,
please re-confirm your account to avoid blocking.

In order to confirm your account please follow the link below:
hxxp://help-activity20[DOT]at[DOT]ua/recovery11/info2016/

If you do not immediately confirm the 12 hours grace period after you receive
this message, so sorry we will remove your account.

Thank you for your understanding!
Andrea
Security Management
Facebook

Furthermore, there are also spam or sockpuppet accounts that share random posts from users and attach the following message, which is similar to the two we mentioned above. Below is an example of one account that does this:

WARNING PAGE

Your Page will be Disabled!

Please re-confirm your account to avoid blocking. It is caused someone has reported
you that there were irregularities of content, for violating terms of service. If
you are the original owner of this account, please re-confirm your account to avoid
blocking.

Facebook does not allow:
* Pretending to be someone else
* Interfere with another comfort for the user
* Having more than one Facebook
* Share link or video content with pornographic videos

Please re-confirm your account here.
└►hxxp://support-page-ir[DOT]at[DOT]ua/page-security.html

If you don't confirm, our system will automatically block your account and you will
not be able to use it again.

Thank you for helping us improve our service collaboration.

Facebook ™ Security.

More often than not, the URL is the only part of these messages that changes. As such, we have collated as many as we could (see below) so you can manually blacklist them if you wish:

  • page-146376136[DOT]at[DOT]ua/active-page
  • cancel-block-il[DOT]at[DOT]ua/page-security.html
  • apps-setting-il[DOT]at[DOT]ua/page-security.html
  • 10355266[DOT]at[DOT]ua/BIHkqUOp8mKKz.html
  • rec0very-system-regain[DOT]atspace[DOT]cc/ (this one was hidden behind a bitly shortened URL)

Note that most of these URLs are subdomains of at[DOT]ua, whose IP address geolocates to Moscow. Most of these pages were still live as of this writing, so we encourage you not to visit them.
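As an added example (not part of the original post), the following Python script turns the collated indicators above back into parseable URLs, builds a host blocklist from them, and scans message text for links that either hit that list or fall under the abused at[DOT]ua and atspace[DOT]cc hosts, so that the next throwaway subdomain is caught before it is listed. The sample message and the host verify-page-99[DOT]at[DOT]ua inside it are constructed for the demonstration and do not come from the post.

```python
import re
from urllib.parse import urlparse

# Indicators collated in the post above, kept defanged ("hxxp", "[DOT]") so this
# file never contains a clickable link to a live phishing page.
DEFANGED_IOCS = [
    "hxxp://logs-secure3[DOT]at[DOT]ua/customer/support/",
    "hxxp://help-activity20[DOT]at[DOT]ua/recovery11/info2016/",
    "hxxp://support-page-ir[DOT]at[DOT]ua/page-security.html",
    "page-146376136[DOT]at[DOT]ua/active-page",
    "cancel-block-il[DOT]at[DOT]ua/page-security.html",
    "apps-setting-il[DOT]at[DOT]ua/page-security.html",
    "10355266[DOT]at[DOT]ua/BIHkqUOp8mKKz.html",
    "rec0very-system-regain[DOT]atspace[DOT]cc/",
]

# Parent domains the campaign hosts under. Any subdomain is flagged as
# suspicious, which catches a new throwaway host before it is on the list.
SUSPICIOUS_PARENT_DOMAINS = ("at.ua", "atspace.cc")

# Matches a scheme-bearing URL (after refanging); stops at whitespace/brackets.
URL_RE = re.compile(r"\bhttps?://[^\s<>\"'\]\)]+", re.IGNORECASE)


def refang_text(text: str) -> str:
    """Undo common defanging conventions anywhere in a block of text."""
    text = re.sub(r"\[(?:dot|\.)\]", ".", text, flags=re.IGNORECASE)
    text = re.sub(r"\((?:dot|\.)\)", ".", text, flags=re.IGNORECASE)
    text = re.sub(r"\bhxxp(s?)://", r"http\1://", text, flags=re.IGNORECASE)
    return text.replace("[:]", ":")


def refang(ioc: str) -> str:
    """Turn one defanged indicator into a parseable URL, adding a scheme if absent."""
    url = refang_text(ioc.strip())
    return url if "://" in url else "http://" + url


def host_of(url: str) -> str:
    """Lower-cased hostname of a URL, or '' if it has none."""
    return (urlparse(url).hostname or "").lower()


def parent_domain(host: str):
    """Return the abused parent domain this host falls under, or None."""
    for parent in SUSPICIOUS_PARENT_DOMAINS:
        if host == parent or host.endswith("." + parent):
            return parent
    return None


# Exact hosts from the collated list; path differences do not matter here.
BLOCKED_HOSTS = frozenset(host_of(refang(ioc)) for ioc in DEFANGED_IOCS)


def scan_message(text: str):
    """Return (host, reason) for every link in the message that should be blocked."""
    findings = []
    for match in URL_RE.finditer(refang_text(text)):
        host = host_of(match.group(0).rstrip(".,;:"))
        if host in BLOCKED_HOSTS:
            findings.append((host, "known phishing host"))
        elif parent_domain(host):
            findings.append((host, "subdomain of abused host " + parent_domain(host)))
    return findings


# Constructed sample (not from the post): the second message above, with a
# genuine Facebook link and a hypothetical not-yet-listed host added so both
# rules are exercised.
SAMPLE_MESSAGE = """ATTENTION: Your account will be Disabled!
In order to confirm your account please follow the link below:
hxxp://help-activity20[DOT]at[DOT]ua/recovery11/info2016/
Or use our mirror: hxxp://verify-page-99[DOT]at[DOT]ua/page-security.html
Help Center: https://www.facebook.com/help/
Andrea, Security Management, Facebook"""

if __name__ == "__main__":
    for host, reason in scan_message(SAMPLE_MESSAGE):
        print("BLOCK " + host + ": " + reason)
```

Matching on the host rather than the full URL is deliberate: the paths in this campaign change from one post to the next, while the free-hosting subdomain is what the phisher has to register and reuse.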

The phishing pages behind these at[DOT]ua addresses look more or less the same. You can check out the slides below to familiarize yourselves. Like previous efforts we’ve seen, these also ask for Facebook credentials, an email address with its password, credit card details, and a security question with its answer.

[Slideshow: screenshots of the at[DOT]ua phishing pages]

The campaign from rec0very-system-regain[DOT]atspace[DOT]cc is slightly different. After the victim submits credentials, it loads a second page identical to the first, except for a red prompt saying that the user entered the wrong username and password combination. We believe this is meant to discourage victims from entering false information, by giving the impression that the page checks what is typed against a real database.

[Slideshow: screenshots of the rec0very-system-regain[DOT]atspace[DOT]cc phishing pages]

If you see any of the Facebook messages featured here on your feed, ignore them and report the account responsible. If a member of your network suddenly sends you one of these messages, either contact that person outside of Facebook (if you know them personally) or block them, since their account has most likely been compromised. You can also warn your other Facebook friends, family and/or colleagues about the account in question, in case they are connected with that person too.

Jovi Umawing (Thanks to Steven)
