I came across a rather intriguing domain whilst investigating a case - fadebook.info.
The domain obviously set off alarms due to its obvious similarity to Facebook, and when I decided to look at it, I wasn't expecting very much, just the usual phish if anything. However, upon closer inspection, it surprised me a little - it wasn't a Facebook phish at all - it was something else.
When first loading fadebook.info, you see internal traffic suggesting it's loading pictures (one of which is the image shown top left - nice touch, not sure LE will like it though) and whatnot, the same way other sites do. Alas no, it actually redirects to /stacy/, which displays the following bit of loveliness;
What you may have noticed is the usual Facebook notification dialog, which is obviously a carbon copy of the one you see at Facebook - don't be surprised though - they've actually lifted the dialog from Facebook (apparently our little scammers couldn't be bothered to imitate that). This leads us on next to /iq/, which, as you've guessed from the images so far, has one purpose - to get us to take the IQ test it so desperately wants us to go to.
Perhaps not surprisingly, it doesn't take us there directly - oh no. This little fellow wants us to go through some ad servers first - yummy. First Zedo, then TrackLead.net, then jmpads.com, until finally, we reach the phish err, IQ test, itself - cellrow.com.
The full redirection, for those interested, is (Fiddler log: fadebook.info_-_Fiddler_Log.saz);
But hang on - our dear fadebook.info does something else as well. Remember the issues raised concerning like.php? If you look at the source code for /stacy/, you'll notice the lovely hidden iframe that loads;
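An added example, not code from the original post: a small Python checker that flags hidden iframes of the kind found on /stacy/ in saved page source. The sample HTML below is constructed, and the like.php URL in it is assumed for illustration.

```python
# Added example (not from the original post): flag <iframe> tags that a
# visitor cannot see (zero size or CSS-hidden) and report where they load from.
# The sample page is constructed; the like.php URL is assumed.
from html.parser import HTMLParser
import re

# CSS patterns that hide an element from the visitor.
HIDING_STYLE = re.compile(
    r"(display\s*:\s*none|visibility\s*:\s*hidden|(width|height)\s*:\s*0)", re.I)


class HiddenIframeFinder(HTMLParser):
    """Collect (src, reason) for every iframe that is invisible on the page."""

    def __init__(self):
        super().__init__()
        self.hidden = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "iframe":
            return
        a = dict(attrs)
        src = a.get("src") or ""
        reasons = []
        if HIDING_STYLE.search(a.get("style") or ""):
            reasons.append("css-hidden")
        # width="0" / height="0px" attributes also hide the frame.
        for dim in ("width", "height"):
            v = (a.get(dim) or "").strip().rstrip("px%")
            if v.isdigit() and int(v) <= 1:
                reasons.append(f"{dim}={a[dim]}")
        if reasons:
            self.hidden.append((src, ", ".join(reasons)))


def find_hidden_iframes(html):
    """Return a list of (src, reason) tuples for hidden iframes in html."""
    p = HiddenIframeFinder()
    p.feed(html)
    return p.hidden


# Constructed sample resembling what the post describes for /stacy/.
SAMPLE = """<html><body>
<div class="fb-notify">You have 1 new notification</div>
<iframe src="http://www.facebook.com/plugins/like.php?href=http://fadebook.info/"
        width="0" height="0" style="visibility:hidden"></iframe>
<iframe src="http://fadebook.info/iq/" width="600" height="400"></iframe>
</body></html>"""

if __name__ == "__main__":
    for src, why in find_hidden_iframes(SAMPLE):
        print(f"hidden iframe -> {src} ({why})")
```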
Oh dear, looks like Facebook are no closer to sorting this one out (they were notified a while ago about the issues with this file, and said they were "aware of it" and were working on it, but I've heard nothing since). Getting back to the IQ test, let's see what they've got in store for you shall we?
We're already familiar with what an IQ test is actually for, but in this case, it's something else we're looking for. You'll notice it states;
But I smell a rat here - something just isn't right. We already know what they're going to charge you, or at least, what they say they're going to charge you - but are they telling the truth? Of course not.
See something different? You should do - they're going to charge you a £9 "joining fee". Do yourself a favour, just compare the following "terms", taken from the second screenshot, to the first lot of terms;
You can access the second one, by right clicking any of the "answers" on the first, and opting to open it in a new tab (that's all I did), or of course, directly with the following;
cellrow.com, in case you're wondering, is owned by mobileservicedesk.com (which also owns health-md.info), which was registered via GoDaddy, and has connections to fake meds (not surprising). Both sites live at 126.96.36.199 (188.8.131.52/21 BBBJ48559::SAGONETWORKS, LLC AS29802 via Cogent).
cellrow.com itself is living at 184.108.40.206, which I'm sure you'll already recognize as SoftLayer IP space. Just like the rest of SoftLayer's IP space, 220.127.116.11/24 is a range I'd strongly urge you to blackhole (sorry SoftLayer, but you should've been shut down years ago, and I'm not going to stop until you either are shut down, or drastically change).
The domains running the IQ scam itself, are all hidden with Domains By Proxy (I'll be reaching out to GoDaddy concerning those), but fadebook.info shows (it's faked of course - but you already knew that);
Surprised to see afraid.org making an appearance? Nope, me neither; they're a bit of a favourite amongst the criminal fraternity.