• Skip to primary navigation
  • Skip to content
  • Skip to primary sidebar
  • Skip to footer

Sucuri Blog

Website Security News

  • Products
    • Website Security Platform
    • Website Firewall (WAF)
    • Enterprise Website Security
    • Multisite Solutions
  • Features
    • Detection
    • Protection
    • Performance
    • Response
    • Backups
  • Partners
    • Agency Solutions
    • Partners
    • Referral Program
    • Ecommerce
  • Resources
    • Guides
    • Webinars
    • Infographics
    • SiteCheck
    • Reports
    • Email Courses
  • Immediate Help
  • Login
Labs Note

Using Google and Facebook to aid on distribution

December 11, 2017Fioravante Souza

0
SHARES
FacebookTwitterSubscribe

Every now and then I check my spam mail box for interesting malware (yes, I receive a lot of phishing messages and alerts that my payments are overdue), but most of the time is more of the same, effortless malware, lousy written messages and not fun to analyze.

Today I was bored (that time of the year that you need to write tons of reports, sorry boss…) and I decided to follow the trail of some of those links on the messages I got. And the first one was a “pleasant” surprise.

Usually I’d go with checking the message origin and writing about how it was sent and what was used to get control of the site, but this time I’ll write about other aspect. (If you are wondering, it is a WordPress site with a vulnerable revslider on the site’s theme that allowed the attacker to have privileged access to the site).

For those not fluent in Brazilian Portuguese, this message is telling that I have a payment overdue and a new “boleto” (a common barcode payment method in Brazil) is attached. The interesting part is that they are referring to me by my personal email alias and not the full name, however they got my CPF (Brazil’s Social Security Number) correct, probably it’s is related to some leaked data (not that uncommon here).

Everything on this message is clickable and all them will send you to the same Google shortened URL. Which translates to the Facebook’s fbsbx.com domain, which is used by Facebook as the domain where the attachments shared on chats and groups are stored.

It is pretty interesting that they are relying on such services to “host” their files instead of using another hacked site to store the malware. I monitored this file and although the link was set to expire on Fri, 22 Dec 2017 16:15:47 GMT, it was taken down less than 24h after I receive the email scam, probably by a Facebook malware scan process.

0
SHARES
FacebookTwitterSubscribe

Categories: Sucuri Labs, Website Malware Infections, Website SecurityTags: Email Spam, Labs Note, Malware, Phishing

About Fioravante Souza

Fioravante "Fio" Souza is Sucuri’s Vulnerability Research & Machine Learning Manager who joined the company in 2012. Fio’s main responsibilities include dealing with emerging web threats. His professional experience covers 18 years of information security. When Fio isn’t dealing with web threats, you might find him fermenting everything he can find. Connect with Fio on Twitter or Untappd.

Reader Interactions

Primary Sidebar

Socialize With Sucuri

We're actively engaged across multiple platforms. Follow us and let's connect!

  • Facebook
  • Twitter
  • LinkedIn
  • YouTube
  • Instagram
  • RSS Feed

The Anatomy of Website Malware Webinar

Join Over 20,000 Subscribers!

Footer

Products

  • Website Firewall
  • Website AntiVirus
  • Website Backups
  • WordPress Security
  • Enterprise Services

Solutions

  • DDos Protection
  • Malware Detection
  • Malware Removal
  • Malware Prevention
  • Blacklist Removal

Support

  • Blog
  • Knowledge Base
  • SiteCheck
  • Research Labs
  • FAQ

Company

  • About
  • Media
  • Events
  • Employment
  • Contact
  • Testimonials
  • Facebook
  • Twitter
  • LinkedIn
  • Instagram

Customer Login

Sucuri Home

  • Terms of Use
  • Privacy Policy
  • Frequently Asked Questions

© 2022 Sucuri Inc. All rights reserved

Sucuri Cookie Policy
See our policy>>

Our website uses cookies, which help us to improve our site and enables us to deliver the best possible service and customer experience.