It seems I’m not doing anything other than writing about malware on Facebook, but here goes again. As you have probably read or seen yourself on Facebook, there are quite a few applications pretending to show you a list of people who have viewed your profile. I think the most common one is the “Stalker Application”.
Today I saw something that I haven’t seen before – the applications have changed tactics and have now been localized, meaning the page and message which are distributed are in different languages. In my case the language is Swedish, since I’m from Sweden, and I presume that the worms are also localized in other languages.
As with the other cases we have seen, the user is tricked into executing a piece of JavaScript in their browser; that script then loads another script from another domain. The bad guys use this setup to make it harder for antivirus companies to block these domains. This particular case is pretty funny – because of a poorly configured web server we managed to get a complete list of all the domains used in this scam, and they have now been sent to our analysts so they can be denylisted.
Facebook stalker application now localized