Update on the MySpace Phishing Campaign

It seems that the parties behind the Large Scale MySpace Phishing Attack which I covered in a previous post, have recently changed the main login redirector from 319303.cn/login.php to z8atr.cn/login.php, and the attached z8atr.cn’s fast-flux can be greatly compared to that of Storm Worm’s fast-flux networks in terms of its size. The updated campaign is also taking advantage of the following DNS servers :

Name Server: ns1.4980603.com
Name Server: ns2.4980603.com
Name Server: ns3.4980603.com
Name Server: ns4.4980603.com

Here’s more coverage courtesy of the ISC assessing a previous state of the campaign in the form of different domain names used :

Two primary infection vectors have been observed providing us with unique insight into the life cycle involved in propagating a fast flux service network. The attack vectors include: Compromised MySpace Member profiles redirecting to phishing sites; SWF Flash image malicious redirection to Phishing and drive-by browser exploit attempt. All Flash redirects were observed redirecting browsers. The successful compromise of a windows host via this exploit content results in the download of a malicious downloader stub executable (session.exe) that is then responsible for attempting to download additional malicious components necessary for integration of new compromised hosts into a fast flux service network.

The fast-flux, the javascript obfuscation, and the process of serving malware still remain the same, so they’re basically doing what looks like maintenance of the fast-flux.

Author: Dancho Danchev

Leave a Reply

Your email address will not be published. Required fields are marked *