Internal Facebook Phishing or Worm?
Seems one of my Facebook contacts' account was compromised, either by phishing or keylogging… "he" had posted the following URL onto my wall:
h11p://www.facebook.com.profile.php.id.371233.cn
He also had the following from another user on his wall:
“lol i cant believe these pics got posted….its going to be BADDDD when her boyfriend sees these- h11p://www.facebook.com.pr
Of course, the guilty domain is 371233.cn (facebook.com.profile.php.id is just a chain of subdomain labels under it)… a whois doesn't reveal much...
whois 371233.cn
Domain Name: 371233.cn
ROID: 20071101s10001s02380333-cn
Domain Status: ok
Registrant Organization: 小问
Registrant Name: 笑纹
Administrative Email: 24@244.com
Sponsoring Registrar: 北京新网互联科技有限公司
Name Server:ns1.4980603.com
Name Server:ns2.4980603.com
Name Server:ns3.4980603.com
Name Server:ns4.4980603.com
Registration Date: 2007-11-01 23:30
Expiration Date: 2008-11-01 23:30
Then the whois of 4980603.com, the domain hosting the name servers, is:
Domain Name………. 4980603.com
Creation Date…….. 2007-10-19 18:26:55
Registration Date…. 2007-10-19 18:26:55
Expiry Date………. 2008-10-19 18:26:55
Organisation Name…. xiaowen
Organisation Address. No.323 chang’an road
Organisation Address.
Organisation Address. Beijing
Organisation Address. 100001
Organisation Address. BJ
Organisation Address. CN
Admin Name……….. top wen
Admin Address…….. No.323 chang’an road
Admin Address……..
Admin Address…….. Beijing
Admin Address…….. 100001
Admin Address…….. BJ
Admin Address…….. CN
Admin Email………. 24@244.com
Admin Phone………. +86.1034546677
Admin Fax………… +86.1067688466
Tech Name………… top wen
Tech Address……… No.323 chang’an road
Tech Address………
Tech Address……… Beijing
Tech Address……… 100001
Tech Address……… BJ
Tech Address……… CN
Tech Email……….. 24@244.com
Tech Phone……….. +86.1034546677
Tech Fax…………. +86.1067688466
Bill Name………… top wen
Bill Address……… No.323 chang’an road
Bill Address………
Bill Address……… Beijing
Bill Address……… 100001
Bill Address……… BJ
Bill Address……… CN
Bill Email……….. 24@244.com
Bill Phone……….. +86.1034546677
Bill Fax…………. +86.1067688466
Name Server………. ns4.4980603.com
Name Server………. ns3.4980603.com
Name Server………. ns2.4980603.com
Name Server………. ns1.4980603.com
The site looks quite convincing to the user; they haven't updated the year to 2008 yet…
The source of the site is basically the following form…
<form method="post" action="login.php"><div id="loginform"><div class="form_row clearfix"><label for="email" id="label_email">Email:</label><input type="text" class="inputtext" id="email" name="email" /></div>
<div class="form_row clearfix"><label for="pass" id="label_pass">Password:</label><input type="password" class="inputpassword" id="pass" name="pass" value="" /></div><label class="persistent"><input type="checkbox" class="inputcheckbox" onclick="document.getElementById('persistent_notification').style.display=this.checked?'block':'none';" id="persistent" name="persistent" value="1" /><span>Remember me</span></label>
<div style="display: none" id="persistent_notification"><div class="status"><h2><span id="status_title">By selecting "remember me" you will stay logged into this computer until you click logout. If this is a public computer please do not use this feature.</span></h2></div></div>
<div id="buttons" class="form_row clearfix"><label></label><input type="submit" value="Login" name="login" id="login" onclick="this.disabled=true; this.form.submit();" class="inputsubmit" /> or <strong><a id="reg_btn_link" href="https://www.facebook.com/r.php?">Sign up for Facebook</a> </strong></div><p class="reset_password form_row"><label></label><a href="http://www.facebook.com/reset.php">Forgot your password?</a></p></div></form>
There’s also a reference to an internal IP…
<span title="10.1.227.120">20</span><span title="19192216">07</span>
Anyone else seen this?
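The trick in the wall-post URL is that facebook.com appears only as subdomain labels while the registrable domain is 371233.cn. As an added example (not code from the original post), the Python below normalises a defanged h11p:// URL, works out the registrable domain and flags any URL where a protected brand shows up inside the hostname but a different registrant owns the domain; the public-suffix table and the sample post are constructed stand-ins.

```python
import re
from urllib.parse import urlsplit

PROTECTED_DOMAINS = ("facebook.com",)  # brands to protect (constructed list)
# Stand-in for the Public Suffix List (assumption; use the real list in production).
MULTI_LABEL_SUFFIXES = {"co.uk", "com.cn", "com.au", "co.jp"}
URL_RE = re.compile(r"(?:h11p|hxxp|https?)://[^\s'\"<>]+", re.IGNORECASE)

def normalize_url(url):
    """Turn a defanged scheme (h11p://, hxxp://) back into http:// so it parses."""
    return re.sub(r"^(?:h11p|hxxp)(s?)://", r"http\1://", url, flags=re.IGNORECASE)

def registrable_domain(host):
    """The suffix of the hostname that the registrant actually controls."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])

def classify_url(url):
    """Return (registrable_domain, impersonated_brand or None)."""
    host = urlsplit(normalize_url(url)).hostname or ""
    owner = registrable_domain(host)
    for brand in PROTECTED_DOMAINS:
        if owner == brand:
            return owner, None  # genuinely under the brand's control
        # Brand shows up as a run of labels, but a different registrant owns the domain.
        if "." + brand + "." in "." + host + ".":
            return owner, brand
    return owner, None

def flag_posts(text):
    """List (url, registrable_domain, impersonated_brand) for each lookalike URL in text."""
    hits = []
    for url in URL_RE.findall(text):
        owner, brand = classify_url(url)
        if brand is not None:
            hits.append((url, owner, brand))
    return hits

# Constructed sample wall post modelled on the one quoted above.
SAMPLE_POST = ("lol i cant believe these pics got posted... "
               "h11p://www.facebook.com.profile.php.id.371233.cn "
               "vs the genuine https://www.facebook.com/r.php?")

if __name__ == "__main__":
    for url, owner, brand in flag_posts(SAMPLE_POST):
        print(f"{url} -> registered as {owner}, impersonates {brand}")
```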