Brunga.at Facebook Phish

While no product protects against absolutely everything, a couple of technical support people here received links, sent by their friends to their Facebook accounts, telling them to check out “Brunga. at”. (Do not visit this site and fill out login information right now; it will steal your credentials.)

Subject: Dan Shmoo sent you a message on Facebook…
Dan sent you a message.

Subject: Hello
“Check brunga.at”

[Screenshot of the site: note the blue banner missing the logo.]

After the user fills out authentication details, which are stolen, the user is redirected to the real Facebook site.
Use your head and always be aware of the site’s URL when entering authentication/login info. Be careful of phishing attacks.

Sorry, folks, ThreatFire doesn’t protect you from phishing attempts like this one: it wasn’t designed to stop phish, and nothing at the software behavioral level looks malicious here. The times that we visited the active site, there was no malware delivered from brunga. However, there was an iframe at the bottom of the page redirecting the browser to a site that has been known to deliver LuckySploit exploit pages (updateserver. com, another site to avoid for now). Any successful LuckySploit attack is bound to deliver a barrage of various malware, recently including the banking password-stealer Zbot, sophisticated spambots like Rustock, and various other custom-made keyloggers. This specific server is busy and malicious, and it has been involved in Live.com poisoning too. On a daily basis, ThreatFire is preventing these malformed-PDF-based LuckySploit attacks in high numbers.
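An added example (not ThreatFire's code and not part of the original post): a small Python check for the two traits described above, a password form served from a host that is not the brand's own, and an iframe that loads from a different host than the page. The hostnames and sample HTML are constructed, and `audit_page` and its helpers are hypothetical names.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

def host_of(url):
    """Lower-cased hostname of a URL, or '' if it has none."""
    return (urlsplit(url).hostname or "").lower()

def same_site(host, site):
    """True if host is site itself or a subdomain of it."""
    return host == site or host.endswith("." + site)

class PageScan(HTMLParser):
    """Records password inputs and the hosts that iframes load from."""
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.has_password_field = False
        self.iframe_hosts = []

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "input" and a.get("type", "").lower() == "password":
            self.has_password_field = True
        elif tag == "iframe" and a.get("src"):
            # Resolve relative src values against the page URL.
            self.iframe_hosts.append(host_of(urljoin(self.page_url, a["src"])))

def audit_page(html, page_url, brand_site):
    scan = PageScan(page_url)
    scan.feed(html)
    page_host = host_of(page_url)
    foreign = {h for h in scan.iframe_hosts if h and not same_site(h, page_host)}
    return {
        # A credential form served from a host that is not the brand's.
        "off_brand_login": scan.has_password_field
        and not same_site(page_host, brand_site),
        # Frames that pull content from a host other than the page's own.
        "foreign_iframes": sorted(foreign),
    }

# Constructed sample: look-alike login page with an iframe at the bottom.
SAMPLE_HTML = """<form method="post" action="/login.php">
<input type="text" name="email"><input type="PASSWORD" name="pass"></form>
<iframe src="/banner.html"></iframe>
<iframe src="http://kit-host.example/index.php" width="1" height="1"></iframe>"""

if __name__ == "__main__":
    print(audit_page(SAMPLE_HTML, "http://lookalike.example/", "facebook.com"))
```

The suffix match in `same_site` is anchored on a leading dot, so a host such as `facebook.com.lookalike.example` is still reported as off-brand.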


3 Responses to Brunga.at Facebook Phish

  1. Linda Armstrong says:

    Good advice!

  2. Beatrice says:

    So does it just hack our account and send the link to our friends? Or does it do more?


  3. ThreatFire Blogger says:

    Hi Beatrice-

    We’re trying to figure out what, if anything, was successfully compromised from that LuckySploit server redirect, in addition to the authentication theft.

    The brunga site resulted in a straightforward Facebook user/pass theft. LuckySploit most often results in much more malicious activity (banking pass theft) or the all-too-common Fakealert installs.
