Normally I get very annoyed with myself when I miss one of Chris Boyd's blogs. This time, however, I'm partially glad I did, as otherwise I may have missed what I've just found.
Going over some of the stuff he found, I decided to do a bit more digging, and not only has franebook.com come back to life - the bad guys behind it have gotten themselves some new domains, all associated with a single name server - dark-dns-services.com;
franebook.com itself is seemingly only serving content via 2 URLs at present, though no doubt that will change in the near future;
index14.php, as you see in the screenshot above (top left), is the phishing side of it. js.php contains the following bit of loveliness;
Which decodes to (formatted for readability);
Did you see it? The lovely loading of a .tk site;
This goes on to load (in order);
So including pegasusstar.info and dancewithrico.info, the list now stands at (excluding the .tk site, and the sites you're redirected to such as jump.cttrk.com);
So far, the IPs associated with the newly created domains, along with the IPs for franebook.com, all appear to be residential IPs, leading to the likelihood of its being associated with a botnet (though that's speculation at present, I'm still checking). The IP details are;
dot.tk have now suspended weithajs2.tk.