Concerned about recent PAN-OS and other firewall/VPN CVEs? Take advantage of Zscaler’s special offer today
Read more

Blog de Zscaler

Reciba las últimas actualizaciones del blog de Zscaler en su bandeja de entrada

Suscribirse
Investigación de Seguridad

Facebook Phishing Pages

image
JULIEN SOBRIER
febrero 24, 2011 - 2 Min de lectura
Investigación de Threatlabz

Contenido

  1. Introduction
  2. Domains
  3. Fast-Flux DNS
  4. Random Redirections
  5. Conclusion
  6. Más blogs

Introduction

Facebook phishing pages are fake websites designed to look like the real Facebook login page. They trick users into entering their login credentials, which are then stolen by hackers. These stolen credentials can be used for identity theft, taking over accounts, or spreading spam and phishing attacks. To avoid falling victim, users should be cautious of suspicious links and enable multifactor authentication (MFA) on their accounts.

Domains

On 02/13/2011, Zscaler ThreatLabz found several domains used for Facebook phishing, all of which were registered the same day:

  • securedirectsite.com
  • directsecuresite.com
  • securedsitedirect.com
  • highsecuritydirect.com
  • securedsitedirect.com
  • officialsecuredsite.com

These domains contain the same page: a simple form to enter a Facebook login and password.

Figure 1: Facebook Phishing page.

Figure 1: Facebook Phishing page.

After entering the credentials, users are redirected to http://www.facebook.com/pages/Image-hosting-service/106354426063487#!/album.php?profile=1&id=208421665712, which lands the user at their Profile Pictures page. If the user was not yet logged into Facebook, they must login "again". The phishing page does not post the credentials to Facebook on the user's behalf.

Fast-Flux DNS

All of the domains were registered by the same individual in China.

Figure 2: WHOIS information for highsecuritydirect.com

Figure 2: WHOIS information for highsecuritydirect.com.

The domains are bound to multiple IP addresses that change rapidly (aka fast-flux DNS):

Figure 3: DNS information for highsecuritydirect.com

Figure 3: DNS information for highsecuritydirect.com.

They all use the DNS server fbnameserver.com, which has been used for other Facebook phishing sites in the past.

Random Redirections

On 02/14/2011, these 6 domains where redirecting users to http://www.google.com/ in the morning. In the afternoon, they redirected users to http://www.facebook.com/

On 02/16/2011, they seem to display the phishing pages all the time. We do not know why these redirections were set up earlier.

As of 02/16/2011, these domains are not yet blocked by Google Safe Browsing.

Conclusion

In February 2011, phishing domains targeting Facebook users were discovered. These Chinese-registered domains featured login pages and employed fast-flux DNS to evade detection. Despite random redirections, they remained unblocked by Google Safe Browsing (as of 02/16/2011), posing a continued risk to users.

form submtited
Gracias por leer

¿Este post ha sido útil?

vote yes
Sí, ¡Muy útil!
vote no
La verdad, no

Explorar más blogs de Zscaler

Hombre iluminado por una laptop en una habitación oscura
Los ataques de phishing aumentan un 58 % en el año de la IA: Informe sobre phishing de ThreatLabz 2024
Leer el blog
Woman holding laptop surveying large screen filled with constellation of data points
New AI Insights: Explore Key AI Trends and Risks in the ThreatLabz 2024 AI Security Report
Leer el blog
Una persona trabajando con una computadora
Explorar los ataques cifrados en medio de la revolución de la IA
Leer el blog
dots pattern

Reciba las últimas actualizaciones del blog de Zscaler en su bandeja de entrada

Al enviar el formulario, acepta nuestra política de privacidad.