Recently I was contacted about an alert popping up on a laptop asking the user to phone a support number because their computer was compromised. My initial thought was that this was some malware, most likely some form of ransomware, asking the user to phone the number to get their files back.

After analysing the laptop, it turned out to be a much simpler but annoying phishing technique. It looked like the user had clicked an advert on Facebook which redirected them to the phishing page:

[Image: Facebook and phishing site links]

http://facebook.com-00004.info/report.php?num=44(203) 868-8617

As you can see, the phone number is passed in as the num parameter. Usually at this point you would see a page that looks like Facebook or some other legitimate web page; in this case, however, you are greeted with an HTTP 401 Unauthorised page:

[Image: 401 phishing technique]

Doing some Google dorking for the message:

“0x80070424 Warning: Activation Key Damaged. Your System Has Been Compromised. Call Windows Support Immediately: 44(203) 868-8617 (TOLL-FREE)”

It would appear these popups are usually delivered by adware, but in this case it was a more standalone approach, linking straight from Facebook.

Multiple different URLs were discovered:

microsoft.com-00007.info/report.php
microsoft.com-00007.info
microsoft.com-00007.info/msie1.php?num=855-444-2788
facebook.com-00004.info/fbie1.php?num=888-727-1127
facebook.com-00001.info
facebook.com-00001.info/fbie1.php?num=888-876-2545

A simple curl command can be used to test the site without visiting it in a browser:

# -c: save any cookies the site sets; -L: follow redirects (the Facebook link bounces to the phishing page);
# -e ';auto': send a Referer on redirected requests, as a browser would;
# -H: pose as a Windows Firefox browser; -i: print the response headers, which is where the 401 status appears
curl -c '/tmp/cookies' -L -e ';auto' \
     -H "User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20101203 Firefox/3.6.13" \
     -i 'http://facebook.com-00004.info/report.php?num=44645646'
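The curl command above needs the live site. As an added example that is not part of the original post, here is a Python probe that can be exercised offline: it starts a local HTTP server standing in for the scam page, answering with a 401 whose Basic-auth realm carries the scare text quoted above (an assumption about how the popup is delivered; the post only shows that a 401 page appears), then fetches a URL without following redirects or rendering anything and pulls out the status, any Location header, the realm text and the phone number. It also parses the discovered URLs into spoofed brand, host and the num parameter, which is what you would feed to a blocklist or detection rule. The names classify_url, probe, start_fake_server and SCARE_TEXT are mine, not the post's.

```python
"""Offline probe for the '401 popup' tech-support scam pages described in the post."""
import re
import threading
import http.client
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import urlsplit, parse_qs

# The scare text quoted in the post. Placing it in a WWW-Authenticate realm is an
# assumption about how the browser popup is produced; the post only shows a 401 page.
SCARE_TEXT = ("0x80070424 Warning: Activation Key Damaged. Your System Has Been Compromised. "
              "Call Windows Support Immediately: 44(203) 868-8617 (TOLL-FREE)")

# Loose phone-number pattern: optional country code, optional (area), then 3-4 digits.
PHONE_RE = re.compile(r"\+?\d{0,2}\s*\(?\d{3}\)?[\s-]?\d{3}[\s-]?\d{4}")

# Hosts of the form <brand>.com-<digits>.<tld>, as seen in the discovered URLs.
BRAND_SPOOF_RE = re.compile(r"^(?P<brand>[a-z0-9-]+)\.com-\d+\.[a-z]+$")

# Same browser pose as the curl command in the post.
USER_AGENT = ("Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) "
              "Gecko/20101203 Firefox/3.6.13")


def classify_url(url):
    """Return (spoofed brand or None, host, phone number from ?num= or None) for one IOC URL."""
    if "://" not in url:
        url = "http://" + url          # the list in the post omits the scheme
    parts = urlsplit(url)
    host = parts.hostname or ""
    m = BRAND_SPOOF_RE.match(host)
    brand = m.group("brand") if m else None
    nums = parse_qs(parts.query).get("num", [])
    return brand, host, (nums[0] if nums else None)


class ScamHandler(BaseHTTPRequestHandler):
    """Constructed stand-in for the phishing page: every GET gets a 401 with the scare realm."""

    def do_GET(self):
        self.send_response(401)
        self.send_header("WWW-Authenticate", 'Basic realm="%s"' % SCARE_TEXT)
        self.send_header("Content-Length", "0")
        self.end_headers()

    def log_message(self, *args):  # keep the demo quiet
        pass


def start_fake_server():
    """Bind the stand-in server to a free loopback port and serve it in a daemon thread."""
    srv = HTTPServer(("127.0.0.1", 0), ScamHandler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv


def probe(host, port, path):
    """Make one GET with no redirect following, no cookies and no rendering, and report
    what a browser would have turned into a popup: status, Location, realm text, phone."""
    conn = http.client.HTTPConnection(host, port, timeout=5)
    conn.request("GET", path, headers={"User-Agent": USER_AGENT})
    resp = conn.getresponse()
    auth = resp.getheader("WWW-Authenticate", "")
    resp.read()
    conn.close()
    m = re.search(r'realm="([^"]*)"', auth)
    realm = m.group(1) if m else ""
    phone = PHONE_RE.search(realm)
    return {
        "status": resp.status,
        "location": resp.getheader("Location"),   # None unless the page redirects
        "realm": realm,
        "phone": phone.group(0).strip() if phone else None,
    }


if __name__ == "__main__":
    for u in ("facebook.com-00004.info/fbie1.php?num=888-727-1127",
              "microsoft.com-00007.info/msie1.php?num=855-444-2788"):
        print(classify_url(u))
    srv = start_fake_server()
    print(probe("127.0.0.1", srv.server_address[1], "/report.php?num=44645646"))
    srv.shutdown()
```

Unlike the curl command, probe() deliberately does not follow redirects, so the Location header of each hop is visible and you can walk the chain one step at a time; the realm and the num parameter give you two phone numbers to compare, since the sites in the list pass a different number per landing page.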

Doing a whois lookup of course shows nothing useful, as the domains were registered through a privacy-protection service:

[Image: Domain whois lookup]

Doing a lookup on the IP address shows it is owned by CONFLUENCE-NETWORK-INC:

[Image: whois lookup of the IP address]

Looking at the other URLs, the Microsoft ones were more like a traditional phishing site, but with the 401 dialog over the top and a lot more popups. This one even had a nice voice-over playing as well.

[Image: Microsoft phishing site]

All URLs have been reported to the relevant parties.

UPDATE: Confluence Networks have disabled the Facebook site and some of the domains have been taken back.