While no product protects against absolutely everything, a couple of technical support people here had links sent from their friends to their Facebook account, telling them to check out “Brunga. at”. (Do not visit this site right now to fill out login information, it will steal your credentials.)

Subject: Dan Shmoo sent you a message on Facebook…
Dan sent you a message.

Subject: Hello
“Check brunga.at”

Screenshot of the site here, notice the blue banner missing the logo:

After filling out authentication details that are then stolen, the user is then redirected to the real Facebook site.
Use your head and always be aware of the site’s url when entering authentication/login info. Careful of phishing attacks.

Sorry, folks, ThreatFire doesn’t protect you from phishing attempts like this one — it wasn’t designed to stop phish, and nothing at the software behavioral level looks malicious here. The times that we visited the active site, there was no malware delivered from brunga. However, there was an iframe at the bottom of the page redirecting the browser to a site that has been known to deliver LuckySploit exploit pages (updateserver. com, another site to avoid for now). Any successful LuckySploit attack is bound to deliver a barrage of various malware, recently including banking password-stealer Zbot, sophisticated spambots like Rustock, and various other custom-made keyloggers. This specific server is busy, malicious, and it has been involved in Live.com poisoning too. On a daily basis, ThreatFire is preventing these malformed-pdf based LuckySploit attacks in high numbers.

This entry was posted on Thursday, May 21st, 2009 at 12:29 pm and is filed under Crimeware, Exploit, FakeAlert, Password stealing. You can follow any responses to this entry through the RSS 2.0 feed. You can skip to the end and leave a response. Pinging is currently not allowed.