Zscaler Blog

Security Research
Facebook Phishing Pages

JULIEN SOBRIER
February 24, 2011 - 1 min read
On 02/13/2011, I found several domains used for Facebook phishing, registered the same day:
  • securedirectsite.com
  • directsecuresite.com
  • securedsitedirect.com
  • highsecuritydirect.com
  • securedsitedirect.com
  • officialsecuredsite.com
These domains contain the same page: a simple form to enter a Facebook login and password.

Image: Facebook phishing page

After entering the credentials, users are redirected to http://www.facebook.com/pages/Image-hosting-service/106354426063487#!/album.php?profile=1&id=208421665712, which lands the user at their Profile Pictures page. If the user was not yet logged into Facebook, they must log in "again". The phishing page does not post the credentials to Facebook on the user's behalf.

Fast-flux DNS

All of the domains were registered by the same individual in China.
Image: WHOIS information for highsecuritydirect.com

The domains are bound to multiple IP addresses that change rapidly (aka fast-flux DNS):
Image: DNS information for highsecuritydirect.com
They all use the DNS server fbnameserver.com, which has been used for other Facebook phishing sites in the past.
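The fast-flux pattern described above (one name bound to many addresses that rotate between lookups, with short TTLs) can be scored from repeated resolver observations. The following is an added example, not code from the original post; the lookup data is constructed with RFC 5737 documentation addresses, and the thresholds in is_fast_flux are assumptions.

```python
from ipaddress import ip_network
from statistics import median

# Constructed sample data (not real resolutions): repeated A-record lookups of
# a phishing domain named in the post and of an ordinary domain, recorded as
# (seconds_since_start, domain, ttl_seconds, answer_ips).
OBSERVATIONS = [
    (0,   "highsecuritydirect.com", 300, ["203.0.113.10", "198.51.100.7", "192.0.2.44"]),
    (300, "highsecuritydirect.com", 300, ["203.0.113.88", "198.51.100.7", "192.0.2.201"]),
    (600, "highsecuritydirect.com", 300, ["203.0.113.10", "198.51.100.150", "192.0.2.9"]),
    (900, "highsecuritydirect.com", 300, ["203.0.113.120", "198.51.100.33", "192.0.2.77"]),
    (0,   "example.org", 86400, ["198.51.100.200"]),
    (300, "example.org", 86400, ["198.51.100.200"]),
    (600, "example.org", 86400, ["198.51.100.200"]),
    (900, "example.org", 86400, ["198.51.100.200"]),
]

def flux_profile(observations):
    """Per-domain summary: distinct IPs, distinct /24 networks, median TTL and
    the fraction of consecutive lookups whose answer set changed."""
    by_domain = {}
    for _ts, domain, ttl, ips in sorted(observations):
        by_domain.setdefault(domain, []).append((ttl, frozenset(ips)))
    profiles = {}
    for domain, lookups in by_domain.items():
        all_ips = set().union(*(ips for _, ips in lookups))
        nets = {ip_network(f"{ip}/24", strict=False) for ip in all_ips}
        changes = sum(1 for (_, a), (_, b) in zip(lookups, lookups[1:]) if a != b)
        profiles[domain] = {
            "unique_ips": len(all_ips),
            "unique_nets": len(nets),
            "median_ttl": median(ttl for ttl, _ in lookups),
            "churn": changes / max(len(lookups) - 1, 1),
        }
    return profiles

def is_fast_flux(profile, min_ips=5, max_ttl=1800, min_churn=0.5):
    """Heuristic (thresholds are assumptions): many addresses spread over several
    networks, short TTLs, and answers that keep changing between lookups."""
    return (profile["unique_ips"] >= min_ips
            and profile["unique_nets"] >= 2
            and profile["median_ttl"] <= max_ttl
            and profile["churn"] >= min_churn)

if __name__ == "__main__":
    for domain, prof in flux_profile(OBSERVATIONS).items():
        print(domain, prof, "FAST-FLUX" if is_fast_flux(prof) else "stable")
```

In a real deployment the observations would come from passive DNS or resolver logs collected over hours, and the churn score is most useful when combined with the shared name server noted above.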

Random redirections

On 02/14/2011, these 6 domains were redirecting users to http://www.google.com/ in the morning. In the afternoon, they redirected users to http://www.facebook.com/. On 02/16/2011, they seem to display the phishing pages all the time. I'm not sure why these redirections were set up earlier.

These domains are not yet blocked by Google Safe Browsing.

-- Julien