# Facebook & VISA phishing campaign proposed by ZeuS **[malwareint.blogspot.com/2010/02/facebook-phishing-campaign-proposed-by.html](http://malwareint.blogspot.com/2010/02/facebook-phishing-campaign-proposed-by.html)** Updated 21.02.2010 More active domains belonging to the same phishing campaign against users of VISA. The domains are: reports.cforms.visa.com.desz.kr/secureapps/vdir/cholderform.php reports.cforms.visa.com.desz.ne.kr/secureapps/vdir/cholderform.php reports.cforms.visa.com.desz.or.kr/secureapps/vdir/cholderform.php reports.cforms.visa.com.ersm.kr/secureapps/vdir/cholderform.php reports.cforms.visa.com.edase.or.kr/secureapps/vdir/cholderform.php reports.cforms.visa.com.ersm.ne.kr/secureapps/ Original 20.02.2010 ZeuS has a fairly large repertoire with proposed strategies to Scam to spread their trojan and phishing attacks against banks, many companies and well known. [We have recently warned of a campaign Scam using as cover to the IRS, which has been](http://malwareint.blogspot.com/2010/02/zeus-on-irs-scam-remains-actively.html) generating a long time but every so often is reactivated, forming a cycle that seeks to disseminate criminal ZeuS and that holds for all strategies. Now, once again active phishing campaign that involves Facebook. ----- The domains involved are: http://www.facebook.com.edase.or.kr/usersdirectory/LoginFacebook.php http://www.facebook.com.ersm.kr/usersdirectory/LoginFacebook.php http://www.facebook.com.edasn.ne.kr/usersdirectory/LoginFacebook.php http://www.facebook.com.desz.or.kr/usersdirectory/LoginFacebook.php http://www.facebook.com.desz.ne.kr/usersdirectory/LoginFacebook.php http://www.facebook.com.ersq.kr/usersdirectory/LoginFacebook.php http://www.facebook.com.edase.co.kr/usersdirectory/LoginFacebook.php http://www.facebook.com.edasq.kr/usersdirectory/LoginFacebook.php http://www.facebook.com.ersw.co.kr/usersdirectory/LoginFacebook.php http://www.facebook.com.ersa.or.kr/usersdirectory/LoginFacebook.php http://www.facebook.com.edasn.kr/usersdirectory/LoginFacebook.php http://www.facebook.com.edasa.ne.kr/usersdirectory/LoginFacebook.php http://www.facebook.com.ersm.or.kr/usersdirectory/LoginFacebook.php http://www.facebook.com.edasq.ne.kr/usersdirectory/LoginFacebook.php http://www.facebook.com.edasn.or.kr/usersdirectory/LoginFacebook.php http://www.facebook.com.ersa.or.kr/usersdirectory/LoginFacebook.php Like other campaigns, the page's source code has injected a tag iframe, which in this case redirects to hxxp://109.95.114.251/us01d/in.php. This page (in.php) redirection to: http://109.95.114.251/us01d/load.php http://109.95.114.251/us01d/file.exe http://109.95.114.251/us01d/xd/pdf.pdf http://109.95.114.251/us01d/xd/sNode.php [From whom are trying to exploit some exploits: CVE-2007-5659,](http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5659) [CVE-2008-2992,](http://cve.mitre.org/cgi-bin/cvename.cgi?name=2008-2992) CVE2008-0015 and [CVE-2009-0927.](http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0927) ----- This server is also currently serving another massive campaign, but spreading the trojan ZeuS through a Scam IRS. In this case, just change the folder where the package is housed, namely: hxxp://109.95.114.251/usa50/in.php As we see, Zeus does not stop at his criminal career. In fact, there are also other campaigns more active, such as those involving a phishing attack by hiding under the VISA logo. In this case, other domains used are: http://reports.cforms.visa.com.edasa.or.kr/secureapps/vdir/cholderform.php http://reports.cforms.visa.com.ersq.kr/secureapps/vdir/cholderform.php http://reports.cforms.visa.com.edase.co.kr/secureapps/vdir/cholderform.php http://reports.cforms.visa.com.ersq.co.kr/secureapps/vdir/cholderform.php http://reports.cforms.visa.com.edasq.kr/secureapps/vdir/cholderform.php http://reports.cforms.visa.com.ersm.co.kr/secureapps/vdir/cholderform.php http://reports.cforms.visa.com.ersw.co.kr/secureapps/vdir/cholderform.php http://reports.cforms.visa.com.ersa.or.kr/secureapps/vdir/cholderform.php http://reports.cforms.visa.com.edasn.kr/secureapps/vdir/cholderform.php http://reports.cforms.visa.com.edasa.ne.kr/secureapps/vdir/cholderform.php http://reports.cforms.visa.com.ersm.or.kr/secureapps/vdir/cholderform.php http://reports.cforms.visa.com.edasq.ne.kr/secureapps/vdir/cholderform.php http://reports.cforms.visa.com.edase.ne.kr/secureapps/vdir/cholderform.php http://reports.cforms.visa.com.edasq.co.kr/secureapps/vdir/cholderform.php http://reports.cforms.visa.com.edasa.co.kr/secureapps/vdir/cholderform.php http://reports.cforms.visa.com.edasa.kr/secureapps/vdir/cholderform.php http://reports.cforms.visa.com.edase.kr/secureapps/vdir/cholderform.php http://reports.cforms.visa.com.edasn.or.kr/secureapps/vdir/cholderform.php ----- Related information [ZeuS on IRS Scam remains actively exploited](http://malwareint.blogspot.com/2010/02/zeus-on-irs-scam-remains-actively.html) [Zeus and the theft of sensitive information](http://malwareint.blogspot.com/2010/01/zeus-and-theft-of-sensitive-information.html) [Leveraging ZeuS to send spam through social networks](http://malwareint.blogspot.com/2010/01/leveraging-zeus-to-send-spam-through.html) [ZeuS Botnet y su poder de reclutamiento zombi](http://mipistus.blogspot.com/2009/10/zeus-botnet-y-su-poder-de-reclutamiento.html) [ZeuS, spam y certificados SSL](http://mipistus.blogspot.com/2009/10/zeus-spam-y-certificados-ssl.html) [Eficacia de los antivirus frente a ZeuS](http://mipistus.blogspot.com/2009/09/eficacia-de-los-antivirus-frente-zeus.html) [Special!!! ZeuS Botnet for Dummies](http://malwareint.blogspot.com/2009/07/special-zeus-botnet-for-dummies.html) [Botnet. Securización en la nueva versión de ZeuS](http://mipistus.blogspot.com/2009/06/botnet-securizacion-en-la-nueva-version.html) [Fusión. Un concepto adoptado por el crimeware actual](http://mipistus.blogspot.com/2009/06/fusion-un-concepto-adoptado-por-el.html) [ZeuS Carding World Template. (...) la cara de la botnet](http://mipistus.blogspot.com/2009/05/zeus-carding-world-template-jugando.html) [Financial institutions targeted by the botnet Zeus. Part two](http://malwareint.blogspot.com/2009/03/financial-institutions-targeted-by_27.html) [Financial institutions targeted by the botnet Zeus. Part one](http://malwareint.blogspot.com/2009/03/financial-institutions-targeted-by.html) [LuckySploit, the right hand of ZeuS](http://malwareint.blogspot.com/2009/02/luckysploit-right-hand-of-zeus.html) [Botnet Zeus. Mass propagation of his Trojan. Part two](http://malwareint.blogspot.com/2009/02/botnet-zeus-mass-propagation-of-his_22.html) [Botnet Zeus. Mass propagation of his Trojan. Part one](http://malwareint.blogspot.com/2009/02/botnet-zeus-mass-propagation-of-his.html) Jorge Mieres -----