Facebook Malware Campaigns Rotating Tactics
August 27, 2008 15:04

    
Trust is vital, and coming up with ways to multiply the trust factor is crucial for a successful malware campaign spreading across social networks. Excluding the publicly available malware modules for spreading across popular social networking sites, using presumably already phished accounts as the foundation of the trust factor, the recent malware campaigns spreading across Facebook and Myspace are all about plain and simple social engineering and a combination of tactics.

However, in between combining typosquatting and purposely introducing longer subdomains that impersonate a web application's directory structure, there are certain exceptions, like this Flash file hosted at ImageShack and spammed across Facebook profiles. At a particular moment in the past few days it redirected to client-side exploits served on behalf of a shady affiliate network that is apparently geolocating the campaigns based on where the visitors are coming from.

img228.imageshack .us/img228/3238/gameonit4.swf redirects to ermacysoffer .info (216.52.184.243) and to tracking.profitsource .net (67.208.131.124), which is also responding to p223in.linktrust .com (67.208.131.124). Just for the record, we also have halifax-cnline.co.uk parked at 216.52.184.243, 69.64.145.229 and 69.64.145.229, known badware IPs related to previous fraudulent activity.

Moreover, cross-checking this campaign with another Facebook malware campaign enticing users to visit whitneyganykus.blogspot .com, where obfuscated JavaScript redirects to absvdfd87 .com and from there to the already known tracking.profitsource .net/redir.aspx?CID=9725&AFID=28836&DID=44292, and given that absvdfd87.com is parked at the now known 69.64.145.229, we have a decent smoking gun connecting the two campaigns.
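The cross-check above can be reproduced mechanically as a host/IP pivot graph. This is an added example, not code from the original post: the campaign labels and function names are made up here, and the hosts and IPs are transcribed from the article with the domains defanged.

```python
from collections import defaultdict, deque

# Observations transcribed from the article; domains defanged with "[.]".
CHAINS = {  # campaign label (made up here) -> hosts in its redirect chain
    "imageshack_swf": ["img228.imageshack[.]us", "ermacysoffer[.]info",
                       "tracking.profitsource[.]net"],
    "blogspot_js": ["whitneyganykus.blogspot[.]com", "absvdfd87[.]com",
                    "tracking.profitsource[.]net"],
}
RESOLUTIONS = {  # host -> IPs the article reports for it
    "ermacysoffer[.]info": {"216.52.184.243"},
    "tracking.profitsource[.]net": {"67.208.131.124"},
    "p223in.linktrust[.]com": {"67.208.131.124"},
    "halifax-cnline.co[.]uk": {"216.52.184.243", "69.64.145.229"},
    "absvdfd87[.]com": {"69.64.145.229"},
}

def build_graph(resolutions):
    """Undirected host <-> IP graph built from resolution records."""
    graph = defaultdict(set)
    for host, ips in resolutions.items():
        for ip in ips:
            graph[host].add(ip)
            graph[ip].add(host)
    return graph

def pivot_path(src, dst, graph):
    """Shortest chain of host/IP pivots from src to dst (BFS), or None."""
    queue, seen = deque([[src]]), {src}
    while queue:
        path = queue.popleft()
        if path[-1] == dst:
            return path
        for nxt in sorted(graph.get(path[-1], set()) - seen):
            seen.add(nxt)
            queue.append(path + [nxt])
    return None

def correlate(chain_a, chain_b, resolutions):
    """Return hosts both chains hit directly, plus infrastructure pivots."""
    graph = build_graph(resolutions)
    shared = sorted(set(chain_a) & set(chain_b))
    pivots = [p for a in chain_a for b in chain_b
              if a not in shared and b not in shared
              and (p := pivot_path(a, b, graph))]
    return {"shared_hosts": shared, "pivots": pivots}

if __name__ == "__main__":
    print(correlate(CHAINS["imageshack_swf"], CHAINS["blogspot_js"], RESOLUTIONS))
```

On IPs that host many unrelated tenants, such as parking or shared hosting addresses, a pivot path is a lead to verify rather than proof of common ownership.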

Facebook often advises users to stay away from weird URLs; does this mean ignoring ImageShack and Blogspot altogether? The next malware campaign could be taking advantage of DoubleClick and AdSense redirectors, for starters.
