It happens to every Facebook member. A message appears with a link to a website. You click it, it looks like Facebook, it feels like Facebook. You enter your login ID and password and you have just fallen victim to Facebook phishing.
It can happen so easily. It is early in the morning. I bring up Facebook and see a message from a friend. He is recommending I check out a photo. I click the URL and the next thing I am asked by Facebook is to enter my ID and password. I had been moving around a lot recently and I have more than one Facebook account. No doubt my password was not cached for this site. I entered my password and clicked “Next”, which presented a picture that made absolutely no sense. I was suckered.
So let’s trace this venture step-by-step.
How is a Phishing Attack Investigated?
The message from my friend did not present a photo, but a web address (or URL). So my first stop is the photo’s URL. A useful tool called WHOIS lets you check who owns a web address. Using WHOIS I came up with this information:
https://photo.c7y0.quest – an unregistered domain.
Welcome to the Dark Web – so-to-speak.
“Domains” are the name you see in the website name. In this case, it is c7y0.quest. Domains need to be registered because they are protected property, just like a trademark. It helps guarantee that when you click on that site, it will direct you to an IP address that you can trust.
But domain name servers can be generated on anyone’s computer and they typically collect forwarding data from nearby servers, self-generating a listing of websites and correlating IP addresses. So is this the case here? To find out, I use two tools: the nslookup command (available on both Linux and Windows) and WHOIS.
>nslookup photo.c7y0.quest
Server: modem
Address: 192.168.0.1
Non-authoritative answer:
Name: photo.c7y0.quest
Address: 45.14.224.236
As you can see, the nslookup command produced an IP address for photo.c7y0.quest. So even though the domain is unregistered, the DNS servers around the world have collected enough data on the site to present where it is based.
Using WHOIS, a match for the IP address is discovered.
inetnum: 45.14.224.0 – 45.14.224.255
netname: SpectraIP-customers
descr: SpectraIP B.V.
country: NL
admin-c: SA35974-RIPE
tech-c: SA35974-RIPE
status: ASSIGNED PA
mnt-by: SpectraIP
created: 2019-06-28T15:05:21Z
last-modified: 2019-06-28T15:05:21Z
source: RIPE
role: SpectraIP B.V.
address: Bruynvisweg 11
address: 1531AX
address: Wormer
address: NETHERLANDS
org: ORG-SB523-RIPE
nic-hdl: SA35974-RIPE
mnt-by: SPECTRAIP-MNT
created: 2015-12-01T00:12:31Z
last-modified: 2021-11-10T12:38:14Z
source: RIPE # Filtered
abuse-mailbox: abuse@spectraip.nl
SpectraIP is a web-hosting operation based in the Netherlands.
Another tool is AbuseIPDB, a website where subscribers can report basic forensic data on suspected activity. I typed in the above IP address (45.14.224.236) to see if it is reporting any other activity. It came up with nothing.
Next, analyze the URL.
photo.c7y0.quest comes up empty as a literal search. But a non-literal search will produce numerous hits because “photo quest” is a common term for photo collection sites. Facebook even has one.
Next, a closer look at the page.
Hmm – just one line of code.
<html><style>body{margin:0}</style><body><script src="https://crtea01.com/h/mneudy/?api=1&lan=gb5dt&ht=2" type="text/javascript" async="true"></script></body></html>
So the page is generated from a JavaScript file that is located at crtea01.com. That domain is registered, albeit anonymously.
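A small triage check built around the pattern in that one-line page, as an added example that is not part of the original write-up: it parses the HTML a suspect URL served and flags a page whose only content is a single script pulled from a different domain. The URL and HTML below are the constructed sample taken from above, and `triage` is a hypothetical helper name.

```python
"""Triage a suspected phishing landing page (added example, not the author's code).

Flags the pattern seen in the write-up: a page with no visible content of its
own that is rendered entirely by one <script> loaded from another domain.
"""
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample: the one-line loader quoted in the write-up.
SAMPLE_URL = "https://photo.c7y0.quest/"
SAMPLE_HTML = ('<html><style>body{margin:0}</style><body>'
               '<script src="https://crtea01.com/h/mneudy/?api=1&lan=gb5dt&ht=2" '
               'type="text/javascript" async="true"></script></body></html>')


class ScriptCollector(HTMLParser):
    """Collect external script sources and count visible (non-CSS) text."""
    def __init__(self):
        super().__init__()
        self.scripts = []
        self.text_chars = 0
        self.in_style = False

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            src = dict(attrs).get("src")
            if src:
                self.scripts.append(src)
        elif tag == "style":
            self.in_style = True

    def handle_endtag(self, tag):
        if tag == "style":
            self.in_style = False

    def handle_data(self, data):
        if not self.in_style:          # CSS inside <style> is not visible content
            self.text_chars += len(data.strip())


def registrable_domain(host):
    """Last two labels of a hostname; sufficient for .com and .quest here."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


def triage(page_url, html):
    """Return the page's domain, script hosts, and findings about the loader pattern."""
    p = ScriptCollector()
    p.feed(html)
    page_host = urlsplit(page_url).hostname or ""
    findings = []
    for src in p.scripts:
        src_host = urlsplit(src).hostname or page_host   # relative src -> same host
        if registrable_domain(src_host) != registrable_domain(page_host):
            findings.append(f"external script from {src_host}")
    if len(p.scripts) == 1 and p.text_chars == 0:
        findings.append("no visible content; page rendered entirely by one script")
    hosts = sorted({urlsplit(s).hostname for s in p.scripts if urlsplit(s).hostname})
    return {"page_domain": registrable_domain(page_host), "script_hosts": hosts,
            "findings": findings, "suspicious": bool(findings)}
```

Run `triage(SAMPLE_URL, SAMPLE_HTML)` to reproduce the two findings from the write-up; an ordinary page with its own text and a same-origin script produces none.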
Domain: crtea01.com
Registrar: Realtime Register B.V.
Registered On: 2022-07-14
Expires On: 2023-07-14
Updated On: 2022-07-14
Realtime Register is a domain registration site located in the Netherlands.
So while the actual location of the suspect is not clear, we do know that the website hosting and the domain registration were channeled through the Netherlands.
So what about crtea01.com?
>nslookup crtea01.com
Server: modem
Address: 192.168.0.1
Non-authoritative answer:
Name: crtea01.com
Addresses: 2a02:4780:b:627:0:3333:e0aa:1
156.67.68.226
A trace of the IP address (156.67.68.226) shows it is owned by
org-name: Hostinger International Limited
country: CY
org-type: LIR
descr: Hostinger International Ltd.
address: 61 Lordou Vyronos Lumiel Building, 4th floor
address: 6023
address: Larnaca
address: CYPRUS
Hostinger International is another webhosting service based out of Cyprus. Using WHOIS, I discover that crtea01.com is registered under Realtime Register as well and particulars about the registrant are anonymous.
So we have two webhosting sites to consider in this hoax. My guess is that it is only the beginning.
Lessons Learned
- Everyone can be tricked.
- Note the psychology behind the trick. By coincidence, only two days before I was going through old junior high school pictures stowed in a box in the attic. I am back in my hometown, seeing friends. It is early in the morning. Haven’t had my coffee. A message comes in over Facebook from a high school buddy. Check out this old photo. Without thinking, I click it.
- I actually entered my password!
- But then Firefox flagged the redirection, posting a warning. That got my attention.
- I closed the tab (page).
- I immediately changed my password in Facebook.
The important lesson to learn is the value of multi-layered security.
- My Facebook password is unique to Facebook. It is not used anywhere else. If my password was compromised in this episode, it would only have affected access to the Facebook account and not my bank or credit card.
- I only use Facebook on a computer, so phone data was never a concern.
- The browser is important. Firefox provided two support elements. First, the password is stored in a virtual vault, so I have been using highly complex passwords stored in that vault. For users of the Facebook app on their phones, switching to browser-based Facebook provides an added layer of protection, depending on how you take advantage of your browser’s security features. Some of you may be familiar with password “wallets” that you can install on your phones; they work just as well.
- In my case the browser provides protection against questionable websites. What probably triggered the warning was a combination of an unregistered domain and a short script that redirected to another site. Mozilla (Firefox’s parent company) no doubt has its own database of questionable websites.
In case you are wondering how all this works over multiple devices, I have Firefox running on all my devices, which covers two Linux systems, Windows and two Android devices. The Firefox settings and the password vault are synchronized over all those devices through Mozilla.
What About Your Friend Who Was Obviously Hacked?
An investigation of this sort can clearly determine if your friend has been hacked. Sometimes it does not take a technical investigation. It may simply be out of character. When you observe this, follow these steps.
- Tell your friend.
- Remind them that all they need to do is change their password.
- They do not need to delete their account and create a new one.
- Introduce them to the Facebook Safespace.
Should I Report This?
There was a time when I would have encouraged people to report incidents, and you see in many places where people are provided links to report suspicious activity. But I have never been impressed with their responsiveness. I will report activity under some circumstances, but I rarely receive a response.
When you do a WHOIS request, you will see there is a place to report abusive activity. Using the example above, you can see there is an abuse address for SpectraIP: abuse@spectraip.nl. You can post your findings in an email.
Facebook has a quick and easy mechanism as well. I encourage you to read “Facebook – Impersonated Accounts.” Clicking the link will move to the section on how to report an incident.