Phishing -- Who hasn't been baited?

Facebook Phishing — Have You Been Hooked?

Posted on March 31, 2023 (updated April 1, 2023) by Eric Niewoehner

It happens to every Facebook member. A message appears with a link to a website. You click it, it looks like Facebook, it feels like Facebook. You enter your login ID and password and you have just fallen victim to Facebook phishing.


Sample Phishing attack in Facebook Messenger

It can happen so easily. It is early in the morning. I bring up Facebook and see a message from a friend. He is recommending I check out a photo. I click the URL and the next thing I am asked by Facebook is to enter my ID and password. I had been moving around a lot recently and I have more than one Facebook account. No doubt my password was not cached for this site. I entered my password and clicked “Next”, which presented a picture that made absolutely no sense. I was suckered.

So let’s trace this venture step-by-step.

How is a Phishing Attack Investigated?

The message from my friend did not present a photo, but a web address (or URL). So my first stop is the photo’s URL. There is a useful tool called WHOIS that lets you check who owns a web address. Using WHOIS I came up with this information:

https://photo.c7y0.quest – an unregistered domain.

Welcome to the Dark Web – so-to-speak.

The Dark Web

A “domain” is the name you see in the website address. In this case, it is c7y0.quest. Domains need to be registered because they are protected property, just like a trademark. It helps guarantee that when you click on that site, it will direct you to an IP address that you can trust.

But a domain name server can be run on anyone’s computer, and such servers typically collect forwarding data from nearby servers, building up their own listing of websites and the IP addresses that go with them. So is this the case here? To find out, I use two tools: the nslookup command (available on both Linux and Windows) and WHOIS.

>nslookup photo.c7y0.quest
Server: modem
Address: 192.168.0.1
Non-authoritative answer:
Name: photo.c7y0.quest
Address: 45.14.224.236

As you can see, the nslookup command produced an IP address for photo.c7y0.quest. So even though the domain is unregistered, the DNS servers around the world have collected enough data on the site to present where it is based.

Using WHOIS, a match for the IP address is discovered.

inetnum: 45.14.224.0 – 45.14.224.255
netname: SpectraIP-customers
descr: SpectraIP B.V.
country: NL
admin-c: SA35974-RIPE
tech-c: SA35974-RIPE
status: ASSIGNED PA
mnt-by: SpectraIP
created: 2019-06-28T15:05:21Z
last-modified: 2019-06-28T15:05:21Z
source: RIPE

role: SpectraIP B.V.
address: Bruynvisweg 11
address: 1531AX
address: Wormer
address: NETHERLANDS
org: ORG-SB523-RIPE
nic-hdl: SA35974-RIPE
mnt-by: SPECTRAIP-MNT
created: 2015-12-01T00:12:31Z
last-modified: 2021-11-10T12:38:14Z
source: RIPE # Filtered
abuse-mailbox: abuse@spectraip.nl

SpectraIP is a web-hosting operation, once again in the Netherlands.

Another tool is AbuseIPDB, a website where subscribers can report basic forensic data on suspected activity. I typed in the above IP address (45.14.224.236) to see whether any other activity had been reported for it. It came up with nothing.

Next, analyze the URL.

photo.c7y0.quest comes up empty as a literal search. But a non-literal search will produce numerous hits because “photo quest” is a common term for photo collection sites. Facebook even has one.

Next, a closer look at the page.

Hmm – just one line of code.

<html><style>body{margin:0}</style><body><script src="https://crtea01.com/h/mneudy/?api=1&lan=gb5dt&ht=2" type="text/javascript" async="true"></script></body></html>

So the page is generated by a JavaScript file that is located at crtea01.com. That domain is registered, albeit anonymously.

Domain: crtea01.com
Registrar: Realtime Register B.V.
Registered On: 2022-07-14
Expires On: 2023-07-14
Updated On: 2022-07-14

Realtime Register is a domain registration site located in the Netherlands.

So while the actual location of the suspect is not clear, we do know that both the website hosting and the domain registration were channeled through the Netherlands.

So what about crtea01.com?

>nslookup crtea01.com
Server: modem
Address: 192.168.0.1

Non-authoritative answer:
Name: crtea01.com
Addresses: 2a02:4780:b:627:0:3333:e0aa:1
156.67.68.226

A trace of the IP address (156.67.68.226) shows it is owned by:

org-name: Hostinger International Limited
country: CY
org-type: LIR
descr: Hostinger International Ltd.
address: 61 Lordou Vyronos Lumiel Building, 4th floor
address: 6023
address: Larnaca
address: CYPRUS

Hostinger International is another web-hosting service, based out of Cyprus. Using WHOIS, I find that crtea01.com is registered through Realtime Register as well, and the particulars about the registrant are anonymous.

So we have two webhosting sites to consider in this hoax. My guess is that it is only the beginning.
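The investigation above follows a repeatable pattern: take the hostname out of the link, work out which name to look up in WHOIS, and inspect the page for the “empty page that only loads a remote script” tell. The following is an added example, not code from the post; the function names are my own, the sample HTML is the one-line page above retyped with straight quotes, and registrable_domain() assumes a plain two-label domain (it does not handle suffixes such as co.uk). One caveat it encodes: WHOIS holds records for registered domains, so the name to query is c7y0.quest, not the photo. subdomain.

```python
"""Triage a suspicious link offline: hostname, WHOIS target, and the loader-only page check."""
import re
from urllib.parse import urlparse

# <script ... src=...> with the src value captured; tolerant of attribute order.
SCRIPT_SRC = re.compile(r'<script[^>]*\ssrc\s*=\s*["\']?([^"\'\s>]+)', re.I)
# Contents of <script>/<style> are not visible text, so drop them before stripping tags.
HIDDEN_BLOCKS = re.compile(r'<(script|style)[^>]*>.*?</\1>', re.I | re.S)
TAG = re.compile(r'<[^>]+>')

def registrable_domain(host: str) -> str:
    """photo.c7y0.quest -> c7y0.quest: the name WHOIS actually has a record for.
    Assumption (simplification): the public suffix is a single label."""
    labels = host.lower().rstrip('.').split('.')
    return '.'.join(labels[-2:]) if len(labels) >= 2 else host.lower()

def external_script_hosts(html: str, page_host: str) -> list[str]:
    """Hosts of <script src> tags that point somewhere other than the page itself."""
    hosts = []
    for src in SCRIPT_SRC.findall(html):
        h = urlparse(src).hostname
        if h and h.lower() != page_host.lower():
            hosts.append(h.lower())
    return hosts

def triage(url: str, html: str) -> dict:
    """Summarise what a defender would check next for this link and page body."""
    host = urlparse(url).hostname or ''
    visible = TAG.sub('', HIDDEN_BLOCKS.sub('', html)).strip()
    ext = external_script_hosts(html, host)
    whois_targets = {registrable_domain(host)} | {registrable_domain(h) for h in ext}
    return {
        'host': host,
        'whois_domain': registrable_domain(host),
        'visible_text_chars': len(visible),
        'external_script_hosts': ext,
        # No visible content at all, and everything comes from a remote script: the pattern seen above.
        'loader_only_page': len(visible) == 0 and len(ext) >= 1,
        'whois_domains_to_check': sorted(whois_targets),
    }

# Constructed sample: the page from the post, retyped with straight quotes.
SAMPLE_URL = 'https://photo.c7y0.quest'
SAMPLE_HTML = ('<html><style>body{margin:0}</style><body>'
               '<script src="https://crtea01.com/h/mneudy/?api=1&lan=gb5dt&ht=2" '
               'type="text/javascript" async="true"></script></body></html>')

if __name__ == '__main__':
    for key, value in triage(SAMPLE_URL, SAMPLE_HTML).items():
        print(f'{key}: {value}')
```

Feed it a URL and the saved page source; the whois_domains_to_check list is what to put into WHOIS and nslookup next, exactly as was done by hand above.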

Lessons Learned

  • Everyone can be tricked.
  • Note the psychology behind the trick. By coincidence, only two days before I was going through old junior high school pictures stowed in a box in the attic. I am back in my hometown, seeing friends. It is early in the morning. Haven’t had my coffee. A message comes in over Facebook from a high school buddy: check out this old photo. Without thinking, I click it.
  • I actually entered my password!
  • But then Firefox flagged the redirection, posting a warning. That got my attention.
  • I closed the tab (page).
  • I immediately changed my password in Facebook.

The important lesson to learn is the value of multi-layered security.

  • My Facebook password is unique to Facebook. It is not used anywhere else. If my password had been compromised in this episode, it would only have affected access to the Facebook account and not my bank or credit card.
  • I only use Facebook on a computer, so phone data was never a concern.
  • The browser is important. Firefox provided two support elements. First, the password is stored in a virtual vault, so I have been using highly complex passwords stored in that vault. For users of the Facebook app on their phones, switching to browser-based Facebook provides an added layer of protection, depending on how you take advantage of your browser’s security features. Some of you may be familiar with password “wallets” that you can install on your phones; they work just as well.
  • In my case the browser provides protection against questionable websites. What probably triggered the warning was a combination of an unregistered domain and a short script that redirected to another site. Mozilla (Firefox’s parent company) no doubt has its own database of questionable websites.

In case you are wondering how all this works over multiple devices, I have Firefox running on all my devices, which covers two Linux systems, Windows and two Android devices. The Firefox settings and the password vault are synchronized over all those devices through Mozilla.

What About Your Friend Who Was Obviously Hacked?


An investigation of this sort can clearly determine if your friend has been hacked. Sometimes it does not take a technical investigation. It may simply be out of character. When you observe this, follow these steps.

  • Tell your friend
  • Remind them that all they need to do is change their password
  • They do not need to delete their account and create a new one
  • Introduce them to the Facebook Safespace.

Should I Report This?

There was a time when I would have encouraged people to report incidents, and you see in many places where people are provided links to report suspicious activity. But I have never been impressed with their responsiveness. I will report activity under some circumstances, but I rarely receive a response.

When you do a WHOIS request, you will see there is a place to report abusive activity. Using the example above, you can see there is an abuse contact for SpectraIP: abuse@spectraip.nl. You can post your findings in an email.

Facebook has a quick and easy mechanism as well. I encourage you to read “Facebook – Impersonated Accounts.” Clicking the link will move to the section on how to report an incident.
