Larger-than-normal Facebook Fake Foto Attack

June 26, 2012 - By Chris Larsen

We've written a couple of times about "Facebook Fake Foto" attacks, and there's a big one going on now...

In Friday's logs (6/23), there were almost a hundred URLs like this:

  edosonicafotos.com/albums.php?status=twitter&c=txjdij&gallery=google+&e=Tatiana

Several components in the URLs are evocative of "Fake Foto" attacks:

  • words like "fotos" and "albums" to look more believable
  • popular site names ("twitter" and "google") embedded to look safe/legitimate
  • a user name "Tatiana" to look more believable

But the biggest giveaway is the referring domain: facebook.com.

 

There were 93 requests for the EXE payload in our logs, all of which were rated as Suspicious in real-time by WebPulse.

This attack ran for about 18 hours before URLs stopped showing up on this domain (i.e., the site either ended its turn as the payload host, or was finally detected and blocked by Facebook).

 

Earlier last week was an even larger attack, with differently-structured URLs:

  ikeafotosonica.com/watch.php?ref=facebook&w=Dominika&resource=youtube

(So these links were likely posing as video clips when they were posted to the victims.)

This site's URLs ran for 26 hours before traffic shut off (either its turn ended or it was finally detected).

There were a total of 289 EXEs requested, all flagged as Suspicious in real-time by WebPulse. (These "Fake Foto" attacks show up in our logs all the time, but typical victim counts are in the dozens, not the hundreds. So this particular version is either using better bait, or a lot more spam, or both.)

 

Unfortunately, both of these sites were dead when I checked, so I couldn't get a sample of the EXE payloads. Fortunately, the overall attack was still running yesterday, so I collected a sample from the new site.

It came down as a 143 KB file called "IMG_66655127315362-IMG-www.facebook.com". Sadly, only 3 of the AV engines at VirusTotal.com were able to detect the current payload yesterday morning. This was not unexpected, since low AV detection rates are characteristic of a well-run malware attack.

Out of curiosity, I re-ran the scan in VT later in the afternoon, and the detection rates had bumped up a bit (to 5 out of 42):

  https://www.virustotal.com/file/40ab1c6e402b1af4897dfc9757b75adf149e8d71e0374983 4a0778758ea122a1/analysis/1340668424/

Today, it's up to 20 detections out of the 42 engines. (Of course, the Bad Guys have probably changed the payload by now...)

 

One final point of interest: The Bad Guys chose to host these sites on web servers run by Yahoo (using two different IP addresses in the 98.136.0.0/14 range). Those same two IPs, in the previous seven days, had received over 55,000 legitimate requests in our logs, on hundreds of domains, in addition to the malicious URLs.

So the Bad Guys were attempting to hide in a thicket of innocent sites.

It almost worked...

:)

 

--C.L.

@bc_malware_guy