[nsp-sec] Trojan spam run with Facebook hook (AUSCERT#2009abf45)

Joel Rosenblatt joel at columbia.edu
Thu Apr 2 09:16:02 EDT 2009


Hi,

Here is the answer from my postmaster:


Subject "Drunk Charlize Dancing in the Club" from many sender addresses
at many IP addresses = 579 messages

Subject "women and girls having fun" ditto = 60 messages

Maybe there are other variations.

Stopped mostly because the hosts sending us the mail are in Spamhaus.
Where that did not get them, SURBL got the URI.

The only one in the spam mailbox was sent directly to spam at columbia.edu
by the spammer.

Please let me know if you need more details. These results are from a few days' worth of logs.

Thanks,
Joel

--On Wednesday, April 01, 2009 10:55 PM -0400 Joel Rosenblatt <joel at columbia.edu> wrote:

> I've been seeing these for a while now .. looks like it started around March 11th - the subject was:
>
> FaceBook message: Beautiful Girl Dancing Extrahard Striptease!  (Last rated by Steve Roberts)
>
> I'll check with my postmaster tomorrow and get you an idea on numbers.
>
> Regards,
> Joel Rosenblatt
>
> Joel Rosenblatt, Manager Network & Computer Security
> Columbia Information Security Office (CISO)
> Columbia University, 612 W 115th Street, NY, NY 10025 / 212 854 3033
> http://www.columbia.edu/~joel
>
>
> --On Thursday, April 02, 2009 11:33 AM +1000 matthew at auscert.org.au wrote:
>
>> ----------- nsp-security Confidential --------
>>
>> -----BEGIN PGP SIGNED MESSAGE-----
>> Hash: SHA1
>>
>> G'day all,
>>
>> We are seeing a decent trojan spam out using Facebook as the hook.  The
>> emails all differ slightly but possess the same characteristics.  Eg:
>>
>>   From: "Facebook presentment" <support60 at facebook.com>
>>   Subject: Facebook announcement: Great looking girl having fun (Last rated
>>   by Bradford Collins)
>>
>>   Messages from Your Friends on Facebook, April 01, 2009
>>
>>   You have 1 friend requests - Personal Message:
>>   Watch the video titled "Drunk Charlize is dancing striptease on my
>>   Birthday Party, March 28, 2009! We're absolutely shocked!".
>>
>>   Proceed to view full message:
>>
>>   hxxp://facebook.shared.id-etsmrnhy5e.subject.876panel. com/home.htm?/identification/authentication=0616n9m12
>>
>>   Added 16 minutes ago.  Message ID: FB-06nnzbrxizjrzvr
>>   2009 Facebook community, Message Center.
>>
>> Multiple domains are being used all following a naming scheme of
>>
>>   [3-5 digit number]panel.com
>>
>> Eg:
>>
>>        2349panel. com
>>        43553panel. com
>>        654panel. com
>>        876panel. com
>>        987panel. com
>>
>> Is anyone else seeing a decent run of this?
>>
>> Just trying to work out how widespread it is as we are preparing to do an
>> alert on it.
>>
>> Apologies if you see this across a few lists - looking for any feedback
>> on numbers on this (and it is all appreciated).
>>
>> Best regards,
>>
>> - -- Matthew McGlashan --
>> Coordination Centre Team Leader             | Hotline: +61 7 3365 4417
>> Australian Computer Emergency Response Team | Direct:  +61 7 3365 7924
>> (AusCERT)                                   | Fax:     +61 7 3365 7031
>> The University of Queensland                | WWW:     www.auscert.org.au
>> Qld 4072 Australia                          | Email: auscert at auscert.org.au
>>
>> -----BEGIN PGP SIGNATURE-----
>> Version: GnuPG v1.4.6 (FreeBSD)
>> Comment: http://www.auscert.org.au/render.html?it=1967
>>
>> iD8DBQFJ1BXZNVH5XJJInbgRAvMqAJ0cqNWqI3riSyf5Tq9lGzxO9C6xegCcCpl0
>> KzfS5kwPQpBMNU4TfhQuqDo=
>> =zKz3
>> -----END PGP SIGNATURE-----



Joel Rosenblatt, Manager Network & Computer Security
Columbia Information Security Office (CISO)
Columbia University, 612 W 115th Street, NY, NY 10025 / 212 854 3033
http://www.columbia.edu/~joel
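
Added example, not part of the original thread or of either site's tooling: a small matcher for the "[3-5 digit number]panel.com" naming scheme quoted above, which also accepts the defanged "panel. com" spelling, and a per-domain message tally of the kind asked for. The function names and all sample bodies except the first URL are constructed for illustration.

```python
import re
from collections import Counter

# Naming scheme from the quoted report: [3-5 digit number]panel.com, possibly
# under further subdomains. "\.\s?com" also matches the defanged "panel. com"
# spelling used in the report. The lookarounds reject look-alikes such as
# 123456panel.com, my876panel.com and 876panel.com.example.org.
HOST_RE = re.compile(
    r"(?<![a-z0-9-])((?:[a-z0-9-]+\.)*?)(\d{3,5}panel)\.\s?com"
    r"(?![a-z0-9-]|\.[a-z0-9])",
    re.IGNORECASE,
)


def campaign_domains(text):
    """Return the registrable campaign domains referenced in text, in order."""
    return [m.group(2).lower() + ".com" for m in HOST_RE.finditer(text)]


def tally(messages):
    """Count messages (not links) per campaign domain."""
    counts = Counter()
    for body in messages:
        counts.update(set(campaign_domains(body)))
    return counts


# Constructed sample bodies; only the first URL is taken from the report.
SAMPLES = [
    "Proceed to view full message:\n"
    "hxxp://facebook.shared.id-etsmrnhy5e.subject.876panel. com/home.htm",
    "http://facebook.shared.id-aaaa.subject.2349panel.com/home.htm "
    "http://2349panel.com/",
    "unrelated: http://123456panel.com/ http://my876panel.com/ "
    "http://876panel.com.example.org/ http://controlpanel.com/",
]

if __name__ == "__main__":
    for domain, n in sorted(tally(SAMPLES).items()):
        print(f"{domain}\t{n}")
```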



