We're seeing a massive campaign of malware distribution through Facebook look-alike pages that started just before the new year.
[Image: malicious page distributing malware]
These pages are registered through the free .tk domain service (Dot TK), which provides free domain names and DNS. The .tk zone has been used in many spam and malware campaigns in the past. Here are some of the domains used:
So far, we've seen several hundred such sites. They prompt the user to download a file under various names, such as:
- and many more
Only 1 AV vendor detects them as malicious at this time!
Looking at the source code, none of the .tk domains host the lure themselves: each one embeds an IFRAME that loads its content from another website:
The IFRAME content then redirects to a third URL on 220.127.116.11, which hosts the malicious executable:
The malicious file is generated by http://18.104.22.168/imagedl.php
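The chain described above (.tk landing page, hidden IFRAME on a second host, redirect to a raw IP serving the executable) is easy to reconstruct statically, without executing anything. The script below is an added example and not code from the original post: it parses a page for IFRAME sources, meta-refresh targets and simple JavaScript location redirects, walks the chain across an offline dictionary of pages, and reports the indicators a triage analyst would look for. The domain `facebook-login.tk`, the host `frames.example.net`, the IP 203.0.113.10 and the three HTML snippets are constructed for the example and are not the campaign's real infrastructure.

```python
"""Static reconstruction of a landing page -> IFRAME -> download redirect chain.
Added example; hosts, URLs and HTML below are constructed, not observed data."""
import re
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

SUSPECT_TLDS = {"tk"}                         # free registries seen abused in this campaign
EXE_EXTENSIONS = (".exe", ".scr", ".com", ".pif", ".bat")
JS_REDIRECT = re.compile(
    r"""(?:window\.|document\.|top\.)?location(?:\.href)?\s*=\s*['"]([^'"]+)['"]""")
META_URL = re.compile(r"url\s*=\s*['\"]?([^'\"\s;]+)", re.I)
RAW_IP = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}")


class _RefExtractor(HTMLParser):
    """Collect the three ways a page can hand the visitor to another URL."""

    def __init__(self):
        super().__init__()
        self.iframes, self.meta_refresh, self.scripts = [], [], []
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)                       # HTMLParser lowercases attribute names
        if tag == "iframe" and a.get("src"):
            self.iframes.append(a["src"])
        elif tag == "meta" and (a.get("http-equiv") or "").lower() == "refresh":
            m = META_URL.search(a.get("content") or "")
            if m:
                self.meta_refresh.append(m.group(1))
        elif tag == "script":
            self._in_script = True

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        if self._in_script:
            self.scripts.append(data)


def extract_refs(base_url, html):
    """Return [(kind, absolute_url)] for every outbound hand-off found in the page."""
    p = _RefExtractor()
    p.feed(html)
    refs = [("iframe", u) for u in p.iframes]
    refs += [("meta-refresh", u) for u in p.meta_refresh]
    for s in p.scripts:
        refs += [("js-redirect", u) for u in JS_REDIRECT.findall(s)]
    return [(kind, urljoin(base_url, u)) for kind, u in refs]


def follow_chain(start_url, pages, max_hops=10):
    """Walk the redirect chain through an offline url->html mapping.
    Stops at an unknown URL, a page with no hand-off, a loop, or max_hops."""
    chain, seen, url = [("start", start_url)], {start_url}, start_url
    for _ in range(max_hops):
        html = pages.get(url)
        if html is None:
            break
        refs = extract_refs(url, html)
        if not refs:
            break
        kind, nxt = refs[0]                   # first hand-off is the one a browser follows
        if nxt in seen:
            chain.append(("loop", nxt))
            break
        chain.append((kind, nxt))
        seen.add(nxt)
        url = nxt
    return chain


def indicators(chain):
    """Deduplicated, ordered list of why this chain looks like a malware lure."""
    flags = []
    for _, url in chain:
        parsed = urlparse(url)
        host = parsed.hostname or ""
        if host.rsplit(".", 1)[-1] in SUSPECT_TLDS:
            flags.append(f"free-tld:{host}")
        if RAW_IP.fullmatch(host):
            flags.append(f"raw-ip:{host}")
        if parsed.path.lower().endswith(EXE_EXTENSIONS):
            flags.append(f"executable:{url}")
    if len(chain) >= 3:
        flags.append(f"multi-hop:{len(chain) - 1}")
    return list(dict.fromkeys(flags))


# Constructed sample pages mirroring the three-stage layout described in the post.
SAMPLE_PAGES = {
    "http://facebook-login.tk/":
        '<html><body><iframe src="http://frames.example.net/fb.html" '
        'width=0 height=0 frameborder=0></iframe></body></html>',
    "http://frames.example.net/fb.html":
        '<html><head><meta http-equiv="refresh" '
        'content="0; url=http://203.0.113.10/download.php?id=7"></head></html>',
    "http://203.0.113.10/download.php?id=7":
        '<html><script>window.location.href = "http://203.0.113.10/imagedl.php";'
        '</script></html>',
}

if __name__ == "__main__":
    chain = follow_chain("http://facebook-login.tk/", SAMPLE_PAGES)
    for kind, url in chain:
        print(f"{kind:13s} {url}")
    print("indicators:", ", ".join(indicators(chain)))
```

Running the script prints the four-stage chain and the flags `free-tld`, `raw-ip` and `multi-hop`. To use it on real samples, save each page with a non-browser fetcher (wget or curl from an isolated host) and load the saved HTML into the `pages` mapping keyed by URL; the parser never executes script, so obfuscated JavaScript redirects beyond a plain `location = "..."` assignment will show up as a chain that simply stops, which is itself a cue to look closer.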
As usual, do not run files downloaded from random Internet pages.