Posted by: h4ck@lyst | May 21, 2009

areps.at and kirgo.at phishing attacks on Facebook

UPDATE: 0130 Hrs IST, May 25, 2009. More about the .be domain Facebook phishing sites.
0130 Hrs IST, May 23, 2009. More .be sites, similar to yesterday's .at sites, emerge at a new IP. More here

Facebook is currently facing a phishing attack from areps.at and kirgo.at. According to some reports, several more .at domains are being used in the same attack. The links take you to a look-alike Facebook login page. The page even loads its CSS and other resources directly from the real Facebook site, so the phishers are not even spending their own hosting on those assets. (It also means every victim's browser fetches those assets from Facebook with the phishing domain in the Referer header, which is something the real site could watch for.) OpenDNS and Google have already started blocking and warning users about areps.at, and the people behind it have been quick to react: areps.at has already been taken down and kirgo.at is now taking the traffic. kirgo.at has not yet been flagged as a phishing site by any of the providers; Google does not warn you about kirgo.at as of 2350 hrs IST on May 21.
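Because the clone page hotlinks its stylesheet and images from the real site, a foreign hostname in the Referer of requests for those assets is a cheap early signal. The following Python is an added example written for this post, not Facebook's code or anything the post's author described: it scans web-server access lines in the common "combined" format and counts static-asset requests per Referer host that is not one of the site's own domains. The log lines are constructed for the example, and the allowed-host list is an assumption.

```python
import re
from collections import Counter
from urllib.parse import urlsplit

# Constructed sample lines in Apache/nginx "combined" log format.
# These are invented for the example and are not real facebook.com logs.
SAMPLE_LOG = """\
10.0.0.1 - - [21/May/2009:18:20:01 +0000] "GET /css/login.css HTTP/1.1" 200 4812 "http://www.facebook.com/login.php" "Mozilla/5.0"
10.0.0.2 - - [21/May/2009:18:20:05 +0000] "GET /css/login.css HTTP/1.1" 200 4812 "http://areps.at/" "Mozilla/5.0"
10.0.0.3 - - [21/May/2009:18:20:09 +0000] "GET /images/logo.gif HTTP/1.1" 200 1120 "http://kirgo.at/index.php" "Mozilla/5.0"
10.0.0.4 - - [21/May/2009:18:20:11 +0000] "GET /css/login.css HTTP/1.1" 200 4812 "-" "Mozilla/5.0"
10.0.0.5 - - [21/May/2009:18:20:15 +0000] "GET /login.php HTTP/1.1" 200 9001 "http://areps.at/" "Mozilla/5.0"
10.0.0.6 - - [21/May/2009:18:20:20 +0000] "GET /images/logo.gif HTTP/1.1" 200 1120 "https://static.ak.facebook.com/x.html" "Mozilla/5.0"
"""

# One "combined" log line: ip ident user [time] "method path proto" status size "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Assumption: hosts that may legitimately embed the site's own static assets.
ALLOWED_SUFFIXES = ("facebook.com",)
# Asset types a cloned login page would hotlink.
STATIC_EXT = (".css", ".js", ".gif", ".png", ".jpg")


def referer_host(referer):
    """Lower-case hostname from a Referer value, or None when absent ('-')."""
    if not referer or referer == "-":
        return None
    host = urlsplit(referer).hostname
    return host.lower() if host else None


def is_allowed(host):
    """True if host is one of the allowed domains or a subdomain of one."""
    return any(host == s or host.endswith("." + s) for s in ALLOWED_SUFFIXES)


def hotlinking_hosts(log_text):
    """Count static-asset requests per foreign Referer host.

    A third-party host that keeps pulling the login page's stylesheet and
    images from the real server is a candidate clone of that page.
    """
    counts = Counter()
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m or not m["path"].lower().endswith(STATIC_EXT):
            continue
        host = referer_host(m["referer"])
        if host is None or is_allowed(host):
            continue
        counts[host] += 1
    return counts


if __name__ == "__main__":
    for host, n in hotlinking_hosts(SAMPLE_LOG).most_common():
        print(f"{host}\t{n} static-asset requests")
```

The Referer is client-supplied, so a clone that strips it (or a browser configured not to send it) will not show up, and legitimate sites that embed public assets will; the output is a triage list to feed into a fetch of the suspect page, not a block list.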

The list of sites includes fcoder, nutpic and bests (all .at), all hosted on the same machine, 213.182.197.2.

All the sites hosted on that machine went down suddenly at around 0050 hrs IST, May 22, 2009.
Sample message you will receive in your Facebook inbox from one of your contacts:

“Check areps.at”
or any of the other .at sites listed above.

The best thing to do is not to click on any of the .at links.

Who.is info for areps.at

domain: areps.at
registrant: AM5009456-NICAT
admin-c: AM5009456-NICAT
tech-c: AM5009456-NICAT
nserver: ns1.everydns.net
nserver: ns2.everydns.net
nserver: ns3.everydns.net
nserver: ns4.everydns.net
changed: 20090515 15:23:47
source: AT-DOM

personname: Andrey Morov
organization:
street address: Schelkovskiy proezd d.11 korp.1 kv.3
postal code: 105425
city: Moscow
country: Russland
phone: +74956211281
fax-no: +74956211281
e-mail: biceps@nameclub.at
nic-hdl: AM5009456-NICAT
changed: 20090515 15:23:43
source: AT-DOM

Information Updated: Thu, 21 May 2009 15:11:33 UTC
AREPS.AT SITE INFORMATION
IP: 213.182.197.2
IP Location: Riga, Latvia
Website Status: inactive

who.is info for kirgo.at

domain: kirgo.at
registrant: AK5009489-NICAT
admin-c: AK5009489-NICAT
tech-c: AK5009489-NICAT
nserver: ns1.everydns.net
nserver: ns2.everydns.net
nserver: ns3.everydns.net
nserver: ns4.everydns.net
changed: 20090515 15:25:21
source: AT-DOM

personname: Alexander Kalinin
organization:
street address: ulitsa Dolskaya d.10 kv.33
postal code: 115569
city: Moskva
country: Russland
phone: +749573431510
fax-no: +749573431510
e-mail: blank@bronzemail.net
nic-hdl: AK5009489-NICAT
changed: 20090515 15:25:19
source: AT-DOM

Information Updated: Thu, 21 May 2009 16:46:47 UTC
KIRGO.AT SITE INFORMATION
IP: 213.182.197.2
IP Location: Riga, Latvia
Website Status: inactive
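Two registrations with the same four nameservers, the same hosting IP, contacts in the same city and "changed" timestamps a minute and a half apart are a strong hint of a single operator. As an added example (not part of the original post), here is a small Python parser for the key: value records printed above, with both records embedded as input copied from this post (e-mail lines left out), that reports what the two registrations have in common.

```python
from datetime import datetime

# The two NIC.AT records and who.is IP lines printed above, copied from this
# post (e-mail and thumbnail lines left out). Nothing here was looked up afresh.
AREPS_WHOIS = """\
domain: areps.at
registrant: AM5009456-NICAT
nserver: ns1.everydns.net
nserver: ns2.everydns.net
nserver: ns3.everydns.net
nserver: ns4.everydns.net
changed: 20090515 15:23:47
personname: Andrey Morov
city: Moscow
country: Russland
phone: +74956211281
nic-hdl: AM5009456-NICAT
changed: 20090515 15:23:43
IP: 213.182.197.2
IP Location: Riga, Latvia
"""

KIRGO_WHOIS = """\
domain: kirgo.at
registrant: AK5009489-NICAT
nserver: ns1.everydns.net
nserver: ns2.everydns.net
nserver: ns3.everydns.net
nserver: ns4.everydns.net
changed: 20090515 15:25:21
personname: Alexander Kalinin
city: Moskva
country: Russland
phone: +749573431510
nic-hdl: AK5009489-NICAT
changed: 20090515 15:25:19
IP: 213.182.197.2
IP Location: Riga, Latvia
"""


def parse_whois(text):
    """Parse 'key: value' lines into {key: [values]}.

    Keys are lower-cased; repeated keys such as nserver and changed keep every
    value in the order printed. Lines without a colon or with an empty value
    (e.g. 'organization:') are skipped.
    """
    rec = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if not sep or not value.strip():
            continue
        rec.setdefault(key.strip().lower(), []).append(value.strip())
    return rec


def domain_changed(rec):
    """Timestamp of the domain object: in NIC.AT output the first 'changed'
    line belongs to the domain, the second to the contact handle."""
    return datetime.strptime(rec["changed"][0], "%Y%m%d %H:%M:%S")


def shared_indicators(a, b, window_seconds=600):
    """Return the infrastructure and timing features two records share.

    An empty dict means nothing overlapped. The time window is an assumption
    for what counts as 'registered together'.
    """
    shared = {}
    if a.get("nserver") and set(a["nserver"]) == set(b.get("nserver", [])):
        shared["nserver"] = sorted(a["nserver"])
    for key in ("ip", "country", "city"):
        if a.get(key) and a.get(key) == b.get(key):
            shared[key] = a[key][0]
    delta = abs((domain_changed(a) - domain_changed(b)).total_seconds())
    if delta <= window_seconds:
        shared["seconds_between_changes"] = int(delta)
    return shared


if __name__ == "__main__":
    a, b = parse_whois(AREPS_WHOIS), parse_whois(KIRGO_WHOIS)
    for key, value in shared_indicators(a, b).items():
        print(f"{key}: {value}")
```

Note that the two "city" values ("Moscow" versus "Moskva") do not match as strings, so the output shows nameservers, IP, country and a 94-second gap but not the city; pivoting on contact data needs normalisation that this example leaves out.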

The IP whois below looks at first glance as if it places the server in the Netherlands, but that is only the address of RIPE NCC, the regional registry that holds the whole 213.0.0.0/8 block. The ARIN record says as much ("further assigned to users in the RIPE NCC region") and refers you to whois.ripe.net for the actual assignment. The geolocation above puts 213.182.197.2 in Riga, Latvia.

who.is info for 213.182.197.2

OrgName: RIPE Network Coordination Centre
OrgID: RIPE
Address: P.O. Box 10096
City: Amsterdam
StateProv:
PostalCode: 1001EB
Country: NL

ReferralServer: whois://whois.ripe.net:43

NetRange: 213.0.0.0 – 213.255.255.255
CIDR: 213.0.0.0/8
NetName: RIPE-213
NetHandle: NET-213-0-0-0-1
Parent:
NetType: Allocated to RIPE NCC
NameServer: NS-PRI.RIPE.NET
NameServer: NS3.NIC.FR
NameServer: SUNIC.SUNET.SE
NameServer: SNS-PB.ISC.ORG
NameServer: SEC1.APNIC.NET
NameServer: SEC3.APNIC.NET
NameServer: TINNIE.ARIN.NET
Comment: These addresses have been further assigned to users in
Comment: the RIPE NCC region. Contact information can be found in
Comment: the RIPE database at http://www.ripe.net/whois
RegDate:
Updated: 2009-03-25

UPDATES from the comments on this post.

The following sites have also been found to be circulating. The afoi.ru page looks somewhat different from the others.

* afoi.ru
* areps.at
* bests.at
* bestspace.be
* brunga.at
* kirgo.at
* nutpic.at
* ponbon.im
* sweeter.be

The who.is entries for the .be URLs still point to the same old IP mentioned earlier in the post, but the sites are actually being served from a different address, 211.95.78.98 (a cached lookup like who.is can lag behind a fresh DNS query, so resolve the name yourself before blocking on IP). The older IP has been down and out cold for about 24 hours now. The .ru one is on completely separate address space.


Responses

  1. A good question to ask is how the hack did Facebook allow its third party application to send phishing e-mails like that?

    Time to delete all non-core applications?

    • err.. there was no third party application involved in this phishing scam.

      • I have received similar messages already from some six friends. All the time – different domain.

        It looks like, one of the Facebook applications turned sour and started to send those e-mails or some smart hacker wrote a code to start the spiral hijacking and spamming.

        In either way, you cannot trust Facebook anymore. Their security is very low.

      • All the .at phishing sites seem to have been taken down. And this thing has nothing to do with Facebook security! Their security wasn't compromised in any way. It's the gullible user who willingly though unknowingly provides his credentials to such malicious sites. It's like you hand over your car keys to a smartly dressed carjacker instead of the valet simply because the guy looks like he is the valet.

      • I have seen a few sites ending with .be – I guess the spiral may go on for a while.

        So why does Facebook not stop those messages that embed URLs hosted on black-listed servers?

        All domains were registered by some Russian hacker and hosted in Latvia. Were they not?

        I am curious to find out how it all started. It might be a malicious application. Facebook will not tell us though.

      • FB does stop the messages with embedded malicious links. But it can do it only once it has been discovered. And it takes some time to implement it throughout the system. As to the .be links, I haven't heard anything so far. Can you please send in any such link that you found? As to how it starts, well, the malicious person sends it out to a list of users and then it takes its own course. It's rarely through an application I think, though I am not too sure about that.

        http://www.facebook.com/security

  2. It upsets me that people do stuff like this, do they not have anything else better to do with their time other than program spyware, virii and worms?

  3. So far, I have received the following spirals:

    * afoi.ru
    * areps.at
    * bests.at
    * bestspace.be
    * brunga.at
    * kirgo.at
    * nutpic.at
    * ponbon.im
    * sweeter.be

    All from IP:
    213.182.197.2

    Those guys provided fake e-mails in the info, so talking to them is meaningless.

    Facebook may check the IP of the site and block it immediately.

    It does not take much to write such a script.

    • Thanks Mark for the addresses. The who.is entries for the .be URLs do point to the same old IP as you mentioned, but in reality they are being hosted at some other IP, 211.95.78.98. The older IP is down and out cold for about 24 hours now. And the .ru one is on completely separate space. Though of course they are all related. In fact, I was once redirected to the .ru site yesterday itself when I clicked on a .at link.

      • Yet another one, received just a minute ago: indigoline.be

        Still alive. Facebook is not blocking them immediately, alas.

      • More .be links coming up.. 😦

      • This is the time Facebook sends a message to everyone explaining what not to do with this sort of phishing. Today, I have received some 10 messages. It is really viral.

  4. http://211.95.78.98/ – suspended, and I hope it will stay like that. Facebook was about to go for IPO, with attacks like this the chances of raising good capital are very low.

    This Account Has Been Suspended
    Dear Visitor, This website has been suspended for Violation of Terms Of Service or Abuse of the system. This includes, but is not limited to overusing server resources, publishing adult content, or unauthorized posting of copyrighted material. Please contact our Support Team for more information.

    • Great to know that the phishing sites at the new IP have been suspended. Though it seems to be a step taken by the ISP/webhost/service provider rather than the FB guys. Though the involvement of the FB team behind the scenes cannot be ruled out completely at this stage. It would be great if they would just come out with some official release. The FB blog at http://blog.facebook.com has also been down and out for about 24 hours now.

  5. […] phishing sites. whiteflash.be goldbase.be .be After the latest phishing scams on facebook involving the .at domains, the next generation of the same scam seem to be using .be domain names. The .be domain names that […]

  6. it really is a pesky nuisance

  7. For the moment, they only ask those affected to reset their passwords.

