# New phishing campaign against Facebook led by Zeus

**[malwareint.blogspot.com/2010/03/new-phishing-campaign-against-facebook.html](http://malwareint.blogspot.com/2010/03/new-phishing-campaign-against-facebook.html)**

Updated 15.03.2010

New domains have been released, and the campaign now uses a multi-stage attack that chains multiple websites with malicious content. The last one downloads a binary called update.exe (19d9cc4d9d512e60f61746ef4c741f09), which is a variant of the ZeuS trojan [which has a high detection rate.](http://www.virustotal.com/analisis/a0a27d131ed87ac8cd22f6c2b04c0f54711dec0e40625dc09efccae6882265ff-1268679120) The sequence is as follows:

Original 14.03.2010

At this point in the "circus" there is no doubt, as I always say, that ZeuS is the "creme de la creme" of current crimeware. Some time ago we warned about different campaigns where the pattern, in all cases without exception, is the exploitation of social engineering to execute a fraudulent [component, and the goal is the theft of sensitive information.](http://malwareint.blogspot.com/2010/01/zeus-and-theft-of-sensitive-information.html)

Cases like the previous ZeuS campaign using the image of Facebook, and phishing [attacks using popular services as their main cover, including IRS,](http://malwareint.blogspot.com/2010/02/zeus-on-irs-scam-remains-actively.html) [VISA,](http://malwareint.blogspot.com/2010/02/facebook-phishing-campaign-proposed-by.html) Google and Blogger, among many others, are concrete examples that demonstrate the magnitude of the business ZeuS offers computer criminals.

A few days ago, a new campaign materialized at the hands of ZeuS, involving a large battery of malicious domains.

The folder Id735rp also contains, besides the phishing kit, the ZeuS trojan, which in this case appears under the name photo.exe (19d9cc4d9d512e60f61746ef4c741f09). The same URL format strategy is even being used by another known piece of crimeware: Phoenix Exploit Pack.

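A defensive check for the two URL shapes this campaign uses: a hostname that begins with auth.facebook.com. but belongs to another domain, and a LoginFacebook.php page served from an unrelated host. This is an added example, not code from the original post; the function names, the brand table and the sample URLs (on reserved example domains) are constructed for illustration.

```python
from urllib.parse import urlsplit

# Assumption for this example: brand keyword -> domain the brand really owns.
BRANDS = {"facebook": "facebook.com"}

def host_and_path(url):
    """Parse a URL that may lack a scheme, as entries in indicator lists do."""
    if "://" not in url:
        url = "http://" + url
    parts = urlsplit(url)
    return (parts.hostname or "").rstrip(".").lower(), parts.path.lower()

def is_brand_host(host, brand_domain):
    """True only if host is the brand domain or a real subdomain of it."""
    return host == brand_domain or host.endswith("." + brand_domain)

def classify(url):
    """Return the reasons (possibly none) the URL looks like brand impersonation."""
    host, path = host_and_path(url)
    labels = host.split(".")
    reasons = []
    for name, domain in BRANDS.items():
        if is_brand_host(host, domain):
            continue  # genuinely served by the brand
        brand_labels = domain.split(".")
        n = len(brand_labels)
        # Brand domain embedded as whole labels inside a foreign hostname,
        # e.g. auth.facebook.com.<other-domain>. Compared label by label so
        # that a substring such as "notfacebook.com" does not match.
        if any(labels[i:i + n] == brand_labels
               for i in range(len(labels) - n + 1)):
            reasons.append(f"{domain} embedded in hostname")
        # Brand name in the path of a host the brand does not own,
        # e.g. /<folder>/LoginFacebook.php.
        if name in path:
            reasons.append(f"'{name}' in path on foreign host")
    return reasons

# Constructed sample URLs (reserved example domains, not real indicators).
SAMPLES = [
    "auth.facebook.com.example.net/id735rp/LoginFacebook.php",
    "downloads.example.org/id735rp/LoginFacebook.php",
    "https://www.facebook.com/login.php",
    "http://notfacebook.com.example.com/index.html",
]

if __name__ == "__main__":
    for u in SAMPLES:
        print(u, "->", classify(u) or "clean")
```

The path rule is the only one that catches the downloads.-style hosts, since their hostnames carry no brand label at all.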
Related information

[Zeus and the theft of sensitive information](http://malwareint.blogspot.com/2010/01/zeus-and-theft-of-sensitive-information.html)
[Facebook & VISA phishing campaign proposed by ZeuS](http://malwareint.blogspot.com/2010/02/facebook-phishing-campaign-proposed-by.html)
[New ZeuS phishing campaign against Google and Blogger](http://malwareint.blogspot.com/2010/02/new-zeus-phishing-campaign-against.html)
[ZeuS on IRS Scam remains actively exploited](http://malwareint.blogspot.com/2010/02/zeus-on-irs-scam-remains-actively.html)
[Leveraging ZeuS to send spam through social networks](http://malwareint.blogspot.com/2010/01/leveraging-zeus-to-send-spam-through.html)
[ZeuS Botnet and its zombie recruitment power](http://mipistus.blogspot.com/2009/10/zeus-botnet-y-su-poder-de-reclutamiento.html)
[ZeuS, spam and SSL certificates](http://mipistus.blogspot.com/2009/10/zeus-spam-y-certificados-ssl.html)
[Antivirus effectiveness against ZeuS](http://mipistus.blogspot.com/2009/09/eficacia-de-los-antivirus-frente-zeus.html)
[Special!!! ZeuS Botnet for Dummies](http://malwareint.blogspot.com/2009/07/special-zeus-botnet-for-dummies.html)
[Botnet. Hardening in the new version of ZeuS](http://mipistus.blogspot.com/2009/06/botnet-securizacion-en-la-nueva-version.html)
[Fusion. A concept adopted by current crimeware](http://mipistus.blogspot.com/2009/06/fusion-un-concepto-adoptado-por-el.html)
[ZeuS Carding World Template. (...) the face of the botnet](http://mipistus.blogspot.com/2009/05/zeus-carding-world-template-jugando.html)
[Financial institutions targeted by the botnet Zeus. Part two](http://malwareint.blogspot.com/2009/03/financial-institutions-targeted-by_27.html)
[Financial institutions targeted by the botnet Zeus. Part one](http://malwareint.blogspot.com/2009/03/financial-institutions-targeted-by.html)
[LuckySploit, the right hand of ZeuS](http://malwareint.blogspot.com/2009/02/luckysploit-right-hand-of-zeus.html)
[Botnet Zeus. Mass propagation of his Trojan. Part two](http://malwareint.blogspot.com/2009/02/botnet-zeus-mass-propagation-of-his_22.html)
[Botnet Zeus. Mass propagation of his Trojan. Part one](http://malwareint.blogspot.com/2009/02/botnet-zeus-mass-propagation-of-his.html)

Jorge Mieres