For all you non-tech users out there: DON’T EVER, paste or click any link without first checking out what it may do. And as always, if it sounds too good to be true, IT PROBABLY IS!
In the rest of this post, I’ll analyze in detail, one particular phishing scheme that happened to explode all over Facebook in the last 24-ish hours. Keep in mind, most of the phishing right now is based on this. The rest of the Facebook phishing is done by sending you a fake e-mail with a link to a fake Facebook login page, which then steals your e-mail address and password.
The scam starts with a sent to you, either by e-mail, and/or posted on your wall. It looks something like this:
The link posted takes you to a facebook page that looks like this:
In this particular Facebook page, it redirects you to a 3rd party domain (kkpj.info), which takes you back to another Facebook page that looks exactly like the previous. This is done to retain a Facebook page that they can use to redirect to additional, different Facebook pages, should it be reported. In other words, if the malicious page gets reported, it would be the second one, allowing the original page to be retained and modified. I found this one because NoScript (Firefox Plugin) blocks scripts by default:
This second Facebook page looks like this:
And this one is the one that instructs you to copy and paste some code to run in your browser’s URL bar. Very bad idea for the end user. Let’s take a closer look at the code itself (this one has been de-fanged – refang at your own risk):
This basically tells the browser to execute whatever scripts lie at g2ds.info/d.php with a few parameters from your current Facebook session, most prominently your friends list, but can also include your profile information (e-mail address, residence, phone numbers), or even your Facebook credentials. This kind of attack falls under the category of “User Induced Cross Site Scripting (XSS)”.
A few other interesting notes:
Both kkpj.info and g2ds.info have the same IP address (220.127.116.11), are registered from eNom, Inc, and are hosted by hostgator.com, as evidenced by their nameservers, NS2767.HOSTGATOR.COM, and NS2768.HOSTGATOR.COM. Private registration of these 2 domains prevent identifying details from being revealed.
g2ds.info is the actual domain where the malicious scripts are run from.