Can it be true that even terrorists are hooked on Facebook? And that the Feds are scouring the social networking site looking for them?
Storm Worm puppet-masters seem to think so, or they just want everyone to go and find out if it’s true.
Senior Threat Researcher David Sancho has recently discovered a spam run that supposedly tells about the FBI investigating possible terrorists in the popular social networking site Facebook.
Here are screenshots of sample emails:
Spammed email messages come with different URLs in the message and here’s a list of the ones our researchers have seen so far:
- hxxp:// {BLOCKED}lueNews.com/
- hxxp:// {BLOCKED}yNewsNetwork.com/
- hxxp:// {BLOCKED}sWorld.com/
- hxxp:// {BLOCKED}wsGames.com/
- hxxp:// {BLOCKED}ewsRadio.com/
- hxxp:// {BLOCKED}owNews.com/
- hxxp:// {BLOCKED}sDailyNews.com/
- hxxp:// {BLOCKED}sNewsRadio.com/
- hxxp:// {BLOCKED}lyNews.com/
All domains were found to have common name server records, which seems to have been registered in China. This suggests that all URLs were possibly registered by the same person(s) or organization.
Clicking the link in the message connects the user to a Web site that displays the following:
Of course, the save it link will not download an article, but a Storm variant instead. Clicking the link connects the user to hxxp:// {BLOCKED}sNewsRadio.com/fbi_facebook.exe, which is detected by Trend Micro as TROJ_NUWAR.DDJ.
Our engineers are currently investigating the malware related to this spam run and will update this post as soon as possible. Meanwhile, Trend Micro has blocked access to all the abovementioned URLs.
