We yesterday got a notification about a new facebook spam from one of EHN's reader. What's interesting about this new spam is that it abuses the McAfee URL shortener for hiding the malicious URLs.
The spam post contains an adult picture saying "Emma Watson Star of Harry Potter made a sex Tape" and "Link in the description".
Clicking the link will take the victim to the Google Translator page. Within few seconds, you will be redirected to another page from translator - The page is hosted in a free hosting service "altervista.org".
As usual, the victims are asked to copy and paste the URL that contains the facebook access token in order to verify your age.
 |
| Facebook Access token stealing - Image Credits: E Hacking News |
Once you clicked the "Activate" button , it will display a pop-up saying "8 New comments". Clicking the "continue" or next button will take you to a facebook app that asks the users to give permission for accessing your public profile, friend list, email addresses, birthday.
The spammers didn't ask your birthday for not sending birthday wishes :P . The collected information will be used in future spam or for any other malicious purpose.
 |
| Permission to Access personal Information - Image Credits: E Hacking News |
In the background, the spam post will be posted in your wall and your groups on behalf of you with the stolen access token. From what i observed, the spam also abuses the alturl, tinyurl, linkee and other url shortening services.
We have already warned you that Facebook is not the right place to watch porn. Please spread this article and create awareness about the facebook spams.
Update:
We got a notification from one of our users that the same group is posting spam post with Twilight star Kristen Stewart name.
Update 2:
Redirection flow:
Url shortener link-->Google Translator --> fiddle.jshell.net --> plgngl.info -->ngltoken.altervista.org
The whois details of plgngl.info:
- Registrant Name: Ngl Power
- Street : Nonteladico 23
- City : Roma
- Email address: ngl@live.it
Other Domains registered by the same person:
buzzingcl.info
buzzingam.info
worldwarez.info
2fun4u.info
The 2fun4u.info has a text saying "If you're here maybe you're trying to steal my scripts. If so good luck" with a page title "NGL's viral scripts".
The plgngl.info has also been used in the Rihanna sex tape Facebook spam attak at the starting of this year.
*Update 3 - Tracking the Spammer:
Me and My friend "Janne Ahlberg" investigated the spam and found some interesting stuffs. Here, I am sharing with you what we have found.
We started our investigation with the Domain Registrant name "Ngl Power". With few hints, we have managed to find the profile of the cyber criminal in one of the Top underground hacking forum.
He is distributing malicious facebook spam scripts to other cyber criminals. From our investigation, we found that he is doing the distribution of malicious scripts since 2010. It appears he is the criminal behind several Facebook spam campaigns.
He has provided malicious script for following SPAM campaigns:
- "RIHANNA'S BIGGEST SCANDAL",
- "98 Percent Of People Cant Watch This Video For More Than 15 Seconds"
- "Busty Heart - The woman that can smash things with her br****ts!"
- Man accused of trying to hide stolen TV in his pants
- Find Your Facebook Stalkers
- Dad walks in on daughter... EMBARRASING!!!
- This is what Happend to his Ex GirlFriend
- John Cena died of a head injury
- Justin Bieber Sex Tape
Janne found one of the thread posted in the forum by another cyber criminal "kira2503" saying "NGL's money is refunded" with a screenshot where it displays the possible real name of the NGL.
However, what i observed from the thread is that it appears the spammer(NGL) got scammed by a scammer(kira2503). So we can't be sure whether the name provided in the screenshot is true one or not.
Our investigation leads to a "Facecrooks" facebook fan page where they have warned about the facebook spam.
One of the comment posted by user in the page reads "Really Angelo Tropeano?? You think with a pic of Facecrooks x'd out .. on a thread > Warning us NOT to click links Anyone is going to fall for your malware attempt?? Shameful. Reported".
One more user posted a comment "the troll known as angelo's link resolves to a html file on tumblr hxxx://static.tumblr.com/c5apoln/7Prmiktpx/cena.html? 93561071". Following the Tumblr link leads us to the "hxxx://plgngl.info/tkn". Yes it is the same domain used in the recent attack.
Following profiles might be associated with the spammer:
YouTube Profile: hxxx://www.youtube.com/user/nglyt2
 | |
| Spammer's Blogger |
Blogger : hxxx://www.blogger.com/profile/11389969837864256446
 |
| Spammer's Twitter account |
Twitter : hxxxx://twitter.com/ngltw
We are still investigating the campaign. If we find anything interesting, we will update.
