Facebook phishing campaign serving ZeuS crimeware
A currently ongoing Facebook phishing campaign is not only attempting to phish fresh Facebook accounting data, but is also serving client-side exploits through a copycat web malware exploitation kit known as the Phoenix Exploit Kit.
More details on the campaign:
Subject: photos of sex with my new girlfriend
Message: i remember you asked me for photos of sex with my new girlfriend. Take the url: upload.malware.tld/vb073fl/
Upon clicking on the link, the user is redirected to the phishing page auth.facebook.com.malware.tld/vb073fl/LoginFacebook.php where a tiny iFrame attempts to exploit the following -- naturally outdated -- client-side vulnerabilities part of the kit's default setup:
- IE6 MDAC
- IE7 MEM COR onWindows XP/Windows Vista
- IE6/IE7 D SHOW
- MS Office Snapshot
- PDF Collab/printf/getIcon on Adobe Reader
- Firefox Embed
- Flash 9
- JAVA/JRE
- Flash 10 10.0.12.36 and 10.0.22.87
Both campaigns use the same iFrame client-side exploit serving domains.
Don't "take the URL" they're offering you, and ensure that you put basic security auditing practices into action - such as least privilege accounts; sandboxing; client-side flaws patching, and a well configured NoScript for Firefox users.