{
	"id": "4000dd7d-4b89-4a91-8144-3a1de598bbc3",
	"created_at": "2026-04-06T00:17:01.241958Z",
	"updated_at": "2026-04-10T03:20:25.93588Z",
	"deleted_at": null,
	"sha1_hash": "54f92a9c558401204f4686176d49f66cffa7338e",
	"title": "Facebook \u0026 VISA phishing campaign proposed by ZeuS",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 99666,
	"plain_text": "Facebook \u0026 VISA phishing campaign proposed by ZeuS\r\nArchived: 2026-04-05 13:34:45 UTC\r\nMalwareIntelligence is a site dedicated to research on all matters relating to anti-malware security,\r\ncriminology computing and information security in general, always from a perspective closely related to the\r\nfield of intelligence.\r\nFacebook \u0026 VISA phishing campaign proposed by ZeuS\r\nUpdated 21.02.2010\r\nMore active domains belonging to the same phishing campaign against users of VISA. The domains are:\r\nreports.cforms.visa.com.desz.kr/secureapps/vdir/cholderform.php\r\nreports.cforms.visa.com.desz.ne.kr/secureapps/vdir/cholderform.php\r\nreports.cforms.visa.com.desz.or.kr/secureapps/vdir/cholderform.php\r\nreports.cforms.visa.com.ersm.kr/secureapps/vdir/cholderform.php\r\nreports.cforms.visa.com.edase.or.kr/secureapps/vdir/cholderform.php\r\nreports.cforms.visa.com.ersm.ne.kr/secureapps/\r\nOriginal 20.02.2010\r\nZeuS has a fairly large repertoire with proposed strategies to Scam to spread their trojan and phishing attacks\r\nagainst banks, many companies and well known.\r\nWe have recently warned of a campaign Scam using as cover to the IRS, which has been generating a long time\r\nbut every so often is reactivated, forming a cycle that seeks to disseminate criminal ZeuS and that holds for all\r\nstrategies.\r\nNow, once again active phishing campaign that involves Facebook.\r\nThe domains involved are:\r\nhttp://www.facebook.com.edase.or.kr/usersdirectory/LoginFacebook.php\r\nhttp://www.facebook.com.ersm.kr/usersdirectory/LoginFacebook.php\r\nhttp://malwareint.blogspot.com/2010/02/facebook-phishing-campaign-proposed-by.html\r\nPage 1 of 
4\n\nLike other campaigns, the page's source code has an injected iframe tag, which in this case redirects to\r\nhxxp://109.95.114.251/us01d/in.php.\r\nThis page (in.php) redirects to:\r\nhttp://109.95.114.251/us01d/load.php\r\nhttp://109.95.114.251/us01d/file.exe\r\nhttp://109.95.114.251/us01d/xd/pdf.pdf\r\nhttp://109.95.114.251/us01d/xd/sNode.php\r\nThrough these, it attempts to exploit several vulnerabilities: CVE-2007-5659, CVE-2008-2992, CVE-2008-0015 and CVE-2009-0927.\r\nThis server is also currently serving another massive campaign, this one spreading the ZeuS trojan through an IRS scam. In this case, only the folder where the package is housed changes, namely: hxxp://109.95.114.251/usa50/in.php\r\nAs we see, ZeuS does not stop in its criminal career. 
In fact, there are other, more active campaigns, such as those involving a phishing attack that hides behind the VISA logo.\r\nIn this case, other domains used are:\r\nJorge Mieres\r\nSource: http://malwareint.blogspot.com/2010/02/facebook-phishing-campaign-proposed-by.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA",
		"Malpedia"
	],
	"references": [
		"http://malwareint.blogspot.com/2010/02/facebook-phishing-campaign-proposed-by.html"
	],
	"report_names": [
		"facebook-phishing-campaign-proposed-by.html"
	],
	"threat_actors": [],
	"ts_created_at": 1775434621,
	"ts_updated_at": 1775791225,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/54f92a9c558401204f4686176d49f66cffa7338e.pdf",
		"text": "https://archive.orkl.eu/54f92a9c558401204f4686176d49f66cffa7338e.txt",
		"img": "https://archive.orkl.eu/54f92a9c558401204f4686176d49f66cffa7338e.jpg"
	}
}