Concerned about recent PAN-OS and other firewall/VPN CVEs? Take advantage of Zscaler’s special offer today
Read more

Blog da Zscaler

Receba as últimas atualizações do blog da Zscaler na sua caixa de entrada

Inscreva-se
Pesquisa de segurança

Facebook Phishing Pages

image
JULIEN SOBRIER
febrero 24, 2011 - 2 Min. de leitura
Pesquisa da Threatlabz

Conteúdo

  1. Introduction
  2. Domains
  3. Fast-Flux DNS
  4. Random Redirections
  5. Conclusion
  6. Mais blogs

Introduction

Facebook phishing pages are fake websites designed to look like the real Facebook login page. They trick users into entering their login credentials, which are then stolen by hackers. These stolen credentials can be used for identity theft, taking over accounts, or spreading spam and phishing attacks. To avoid falling victim, users should be cautious of suspicious links and enable multifactor authentication (MFA) on their accounts.

Domains

On 02/13/2011, Zscaler ThreatLabz found several domains used for Facebook phishing, all of which were registered the same day:

  • securedirectsite.com
  • directsecuresite.com
  • securedsitedirect.com
  • highsecuritydirect.com
  • securedsitedirect.com
  • officialsecuredsite.com

These domains contain the same page: a simple form to enter a Facebook login and password.

Figure 1: Facebook Phishing page.

Figure 1: Facebook Phishing page.

After entering the credentials, users are redirected to http://www.facebook.com/pages/Image-hosting-service/106354426063487#!/album.php?profile=1&id=208421665712, which lands the user at their Profile Pictures page. If the user was not yet logged into Facebook, they must login "again". The phishing page does not post the credentials to Facebook on the user's behalf.

Fast-Flux DNS

All of the domains were registered by the same individual in China.

Figure 2: WHOIS information for highsecuritydirect.com

Figure 2: WHOIS information for highsecuritydirect.com.

The domains are bound to multiple IP addresses that change rapidly (aka fast-flux DNS):

Figure 3: DNS information for highsecuritydirect.com

Figure 3: DNS information for highsecuritydirect.com.

They all use the DNS server fbnameserver.com, which has been used for other Facebook phishing sites in the past.

Random Redirections

On 02/14/2011, these 6 domains where redirecting users to http://www.google.com/ in the morning. In the afternoon, they redirected users to http://www.facebook.com/

On 02/16/2011, they seem to display the phishing pages all the time. We do not know why these redirections were set up earlier.

As of 02/16/2011, these domains are not yet blocked by Google Safe Browsing.

Conclusion

In February 2011, phishing domains targeting Facebook users were discovered. These Chinese-registered domains featured login pages and employed fast-flux DNS to evade detection. Despite random redirections, they remained unblocked by Google Safe Browsing (as of 02/16/2011), posing a continued risk to users.

form submtited
Obrigado por ler

Esta postagem foi útil??

vote yes
Sim, muito útil!
vote no
Na verdade, não

Explore mais blogs da Zscaler

Homem iluminado por laptop em um quarto escuro
Ataques de phishing aumentam 58% no ano da IA: Relatório de phishing de 2024 da ThreatLabz
Leia o blog
Woman holding laptop surveying large screen filled with constellation of data points
New AI Insights: Explore Key AI Trends and Risks in the ThreatLabz 2024 AI Security Report
Leia o blog
Uma pessoa trabalhando em um computador
Explorando ataques criptografados em meio à revolução da IA
Leia o blog
dots pattern

Receba as últimas atualizações do blog da Zscaler na sua caixa de entrada

Ao enviar o formulário, você concorda com nossa política de privacidade.