Today I received a strange Facebook message. Supposedly one of my friends (an old classmate of mine in Germany) had posted on my wall, but the posting was in English. Now this German friend, unless he happens to forward me an English joke, always writes to me in German. There were several of these wall posts (please DO NOT CLICK on those links!):<\/p>\n
\n23 February at 17:35:
\nAccording to http:\/\/goo.gl\/6hr4J you’re my top stalker. Creep.<\/p>\n23 February at 17:35:
\nSecret tool shows who stalks your pics http:\/\/tinyurl.com\/procreeper<\/p>\n23 February at 17:35:
\nHey! This is awesome
\nInsane! Awesome tool to see who looks at your pics >> http:\/\/goo.gl\/XsUqi<\/p>\n23 February at 17:35:
\nHey! This is awesome
\nNew FB tool shows who stalks your profile– http:\/\/goo.gl\/FTx5T<\/p>\n23 February at 17:43:
\nHey, whats happening?
\nSecret tool shows who stalks your pics http:\/\/goo.gl\/DxvMD\n<\/p><\/blockquote>\nSo I contacted my friend and asked him if it was really him who’d written that or if his facebook account had been hacked. He replied that he wasn’t him.<\/p>\n
I investigated the links, which use the Google URL shortening service to hide the
\ntarget URL:<\/p>\ntinyurl.com\/procreeper => procreeper.info
\ngoo.gl\/6hr4J => theprochecker.info\/?h
\ngoo.gl\/DxvMD => myprochecker.info\/?i
\ngoo.gl\/FTx5T => procheckers.info\/?e
\ngoo.gl\/XsUqi => theprochecker.info\/?b<\/p>\nDomains procreeper.info, myprochecker.info, procheckers.info and theprochecker.info are all hosted at the same IP address (98.126.9.210, Krypt Technologies<\/a>) and use the same name servers (ns1.imgurnot.com, ns2.imgurnot.com). The registrant is hidden behind a WHOIS proxy. The reverse DNS name of the host is “wowchatroulette.info<\/a>“.<\/p>\n
Here are other domains that appear connected to these domains (this is probably just the tip of the iceberg):<\/p>\n
\n
- fb-creeper.info<\/li>\n
- fb-creeper.info<\/li>\n
- fbcheckers.info<\/li>\n
- fbcheckersnow.info<\/li>\n
- fbcreeper.info<\/li>\n
- fbcreeper.info<\/li>\n
- fbcreeperonline.info<\/li>\n
- fbcreeperonline.info<\/li>\n
- fbcreepers.info<\/li>\n
- fbcreepers.info<\/li>\n
- fbisfun.info<\/li>\n
- fbpromo.info<\/li>\n
- myfbcheckers.info<\/li>\n
- myprocreeper.info<\/li>\n
- newfbcheckers.info<\/li>\n
- omgfbisfun.info<\/li>\n
- procreep.info<\/li>\n
- procreeper.info<\/li>\n
- procreeperonline.info<\/li>\n
- procreepers.info<\/li>\n
- profilechecker.info<\/li>\n
- profileseek.info<\/li>\n
- profilespy.info<\/li>\n
- profileview.info<\/li>\n
- profileviewers.info<\/li>\n
- thefbcheckers.info<\/li>\n
- thefbcreeper.info<\/li>\n
- thefbcreeper.info<\/li>\n<\/ul>\n
These sites have messages such as:<\/p>\n
Find YOUR Stalkers<\/p>\n
Find out who spends excessive time with your photos, reading your old wall posts, and looking at your friends list.\n<\/p><\/blockquote>\n
This is a scam designed to trick people into running a script on Facebook that will have a message sent to all their Facebook friends and to get them to also visit such websites. Anti-malware site TrendMicro warns<\/a>:<\/p>\n
Malware type : Spyware
\nDestructive : No
\nPlatform : Windows 2000, XP, Server 2003
\nEncrypted : Yes
\nIn the wild : Yes<\/p>\nThis malware uses social engineering methods to lure users into performing certain actions that may, directly or indirectly, cause malicious routines to be performed. Specifically, it poses as a Facebook stalker finder to be able to infect Facebook user accounts<\/p>\n
(…)<\/p>\n
This malware may be hosted on websites that run a malicious script when accessed by unsuspecting users.<\/p>\n
It poses as a legitimate Facebook application. It propagates by sending IMs and status messages with links to websites where it can be downloaded.<\/p>\n
This spyware executes when a user accesses certain websites where it is hosted.\n<\/p><\/blockquote>\n
See also this TrendMicro blog post<\/a> on the subject.<\/p>\n
If you have received wall posts like that in the name of a friend, click on the X to the right of the posts to delete them and alert your friend! Do not click on any of the links in the malicious posts.<\/p>\n","protected":false},"excerpt":{"rendered":"
Today I received a strange Facebook message. Supposedly one of my friends (an old classmate of mine in Germany) had posted on my wall, but the posting was in English. Now this German friend, unless he happens to forward me … Continue reading