The 14-digit number varies.
permitfg.com Registrar: PAKNIC (PRIVATE) LIMITED
pmstdl.com Registrar: REGIONAL NETWORK INFORMATION CENTER, JSC DBA RU-CENTER [Client Hold]
downtohole.com Registrar: PAKNIC (PRIVATE) LIMITED
fileuplarc.com Registrar: PLANETDOMAIN PTY LTD.
The URL loads a spoofed Facebook login page complete with the Facebook favicon.
The page contains:
Your version of Macromedia Flash Player is too old to continue. Download and install the latest version of Adobe Flash Player.
If you click on the link to download "updateflash.exe" you are downloading the dangerous Zbot trojan. The primary payload of Trojan:W32/Zbot variants focuses on stealing online banking information.
A few samples from over 2000 I have seen in the past week
The domains run on the same botnet, too.
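A way to check for the shared hosting described above is to parse `host` output and group domains whose A-record sets overlap. This is an added example, not part of the original post: the function names and the 0.5 overlap threshold are assumptions, and the sample domains and addresses are constructed from reserved documentation ranges.

```python
import re
from collections import defaultdict

# Constructed sample in the format of `host <domain>` output. Names use the
# reserved .example TLD; addresses are RFC 5737 documentation ranges.
SAMPLE = """\
login-update.example has address 192.0.2.10
login-update.example has address 198.51.100.7
login-update.example has address 203.0.113.44
flash-fix.example has address 203.0.113.44
flash-fix.example has address 192.0.2.10
flash-fix.example has address 198.51.100.7
file-drop.example has address 192.0.2.10
file-drop.example has address 198.51.100.7
unrelated.example has address 192.0.2.200
unrelated.example mail is handled by 10 mx.unrelated.example.
"""

LINE = re.compile(r"^(\S+) has address (\d{1,3}(?:\.\d{1,3}){3})$")

def parse_host_output(text):
    """Map each domain to the set of A records seen for it; other lines are ignored."""
    records = defaultdict(set)
    for line in text.splitlines():
        m = LINE.match(line.strip())
        if m:
            records[m.group(1).lower().rstrip(".")].add(m.group(2))
    return dict(records)

def shared_hosting_clusters(records, min_overlap=0.5):
    """Group domains whose A-record sets overlap (Jaccard) by at least min_overlap."""
    parent = {d: d for d in records}  # union-find forest, one node per domain
    def find(d):
        while parent[d] != d:
            d = parent[d]
        return d
    names = sorted(records)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            ra, rb = records[a], records[b]
            if len(ra & rb) / len(ra | rb) >= min_overlap:
                parent[find(b)] = find(a)
    groups = defaultdict(list)
    for d in names:
        groups[find(d)].append(d)
    return sorted(g for g in groups.values() if len(g) > 1)

if __name__ == "__main__":
    print(shared_hosting_clusters(parse_host_output(SAMPLE)))
```

Raising `min_overlap` to 1.0 reports only domains with identical address sets, which is the pattern the lookups in the post show.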