Aggressor FU shuts down Fuckbook 2 spam

Fuckbook 2:

Fuckbook 2 works similarly to Fuckbook 1 spam. First, they hack a WordPress site (in this case https://t.co/) and put in a redirect script.
Second, they send out worms that infect unsuspecting users' PCs, which then send out spam with the redirect link (https://t.co/cTxrimZyot).
The ultimate landing site is date4sex.top. Here is an example of the spam they sent:

This was the detailed report sent to the ISP by Aggressor FU:

From: info@gobi.com.sg [mailto:info@gobi.com.sg]
Sent: 2017-06-05 9:17 AM
To: ‘FUCK EXPRESS’ <info@groundpound-graphics.com>
Cc: ‘abuse@joker.com’ <abuse@joker.com>; ‘postmaster@smart-ebizz.com’ <postmaster@smart-ebizz.com>; ‘jokerhostmaster@ldnet.dk’ <jokerhostmaster@ldnet.dk>; ‘abuse@publicdomainregistry.com’ <abuse@publicdomainregistry.com>; ‘brittenyapduanabm24@rediffmail.com’ <brittenyapduanabm24@rediffmail.com>; ‘abuse@rediff.co.in’ <abuse@rediff.co.in>; ‘abuse@rediffmail.com’ <abuse@rediffmail.com>; ‘customersupport@rediff.co.in’ <customersupport@rediff.co.in>; ‘noc@kenic.or.ke’ <noc@kenic.or.ke>; ‘abuse@kenic.or.ke’ <abuse@kenic.or.ke>; ‘baabak@gmali.com’ <baabak@gmali.com>; ‘abuse@web.com’ <abuse@web.com>; ‘mj58p34w9b5@networksolutionsprivateregistration.com’ <mj58p34w9b5@networksolutionsprivateregistration.com>; ‘abuse@networksolutions.com’ <abuse@networksolutions.com>; ‘aliahmed@nue-tel.com’ <aliahmed@nue-tel.com>; ‘abuse@reg.ru’ <abuse@reg.ru>; ‘contact@privacyprotect.org’ <contact@privacyprotect.org>; ‘abuse@privacyprotect.org’ <abuse@privacyprotect.org>; ‘abuse-contact@publicdomainregistry.com’ <abuse-contact@publicdomainregistry.com>; ‘abuse@twitter.co’ <abuse@twitter.co>; ‘questions@spamdex.co.uk’ <questions@spamdex.co.uk>
Subject: SPAM / Phishing Scam: Easily find girlfriend for sex!

Dear Mail Admin: Spammer / Phisher for your action.

<Alias1> You sent me a Fuckbook scam that diverts traffic to date4sex.top. These same scammers own hr1.link, erostare.com. They work in two ways: infect a wordpress site (outbreakclub.com), Infect a PC to send spam with a fake short link (t.co) to the infected site (outbreakclub.com) which then brings you to date4sex.top. Scam count that we have tracked on our email address using Zifsoft Aggressor = 40

<Alias2> Scam sent via info@groundpound-graphics.com
———————————————————–
Please see header details:
Return-Path: <info@groundpound-graphics.com>
X-Original-To: info@gobi.com.sg
Delivered-To: x14518238@homiemail-mx34.g.dreamhost.com
Received: from mail.smart-ebizz.com (smart-ebizz.com [93.176.70.220])
by homiemail-mx34.g.dreamhost.com (Postfix) with SMTP id 3E12B6000A22D
for <info@gobi.com.sg>; Sun,  4 Jun 2017 17:07:25 -0700 (PDT)
Received: from localhost (localhost [127.0.0.1])
by mail.smart-ebizz.com (Postfix) with ESMTP id 5A95648D1E;
Mon,  5 Jun 2017 01:29:30 +0200 (CEST)
X-Virus-Scanned: amavisd-new at smart-ebizz.local
Received: from mail.smart-ebizz.com ([127.0.0.1])
by localhost (mail.smart-ebizz.com [127.0.0.1]) (amavisd-new, port 10024)
with ESMTP id 7M+DvQ8H1gYg; Mon,  5 Jun 2017 01:29:28 +0200 (CEST)
Received: from outlook.com (unknown [115.13.156.37])
by mail.smart-ebizz.com (Postfix) with ESMTPSA id 3EC6748CBE;
Mon,  5 Jun 2017 01:29:20 +0200 (CEST)
Message-ID: <252096C5CE1A34F72B2E67DBDFB4DCC7@groundpound-graphics.com>
From: “FUCK EXPRESS” <info@groundpound-graphics.com>
To: <1574baea1@jsteletek.com>,
<or.milani@ospedale.lecco.it>,
<promotion@schottjapan.com>,
<donatopace@infinito.it>,
<beata.kaszo@bluebird-europe.at>,
<info@gobi.com.sg>,
<joerg.brunner@jysk.fr>
Subject: Easily find girlfriend for sex!
Date: Mon, 5 Jun 2017 02:29:23 +0300
MIME-Version: 1.0
Content-Type: multipart/related; boundary=”93f8740037c1dbee04fcc09096db”
X-Antivirus: Avast (VPS 170604-0, 04/06/2017), Inbound message
X-Antivirus-Status: Clean

 

———————————————————–
Spammer’s domain details:
Domain Name: smart-ebizz.com
Registry Domain ID: 1569207654_DOMAIN_COM-VRSN
Registrar WHOIS Server: whois.joker.com
Registrar URL: http://joker.com/
Updated Date: 2016-09-08T06:30:32Z
Creation Date: 2009-09-16T06:46:04Z
Registrar Registration Expiration Date: 2018-09-16T06:46:04Z
Registrar: CSL Computer Service Langenbach GmbH d/b/a joker.com
Registrar IANA ID: 113
Registrar Abuse Contact Email: abuse@joker.com
Registrar Abuse Contact Phone: +49.21186767447
Reseller: Aendre whois informationer paa domaenet
Reseller: http://whois.gratisdns.dk
Registry Registrant ID:
Registrant Name: – –
Registrant Organization: Smart-ebizz
Registrant Street: Hans Hedtoftsgade 5, 5tv
Registrant City: Koebenhavn S
Registrant State/Province: —
Registrant Postal Code: 2300
Registrant Country: DK
Registrant Phone: +45.40135235
Registrant Email: postmaster@smart-ebizz.com
Registry Admin ID:
Admin Name: – – –
Admin Organization: Larsen Data ApS
Admin Street: Vestergade 20 B, 2
Admin City: Koebenhavn K
Admin Postal Code: 1456
Admin Country: DK
Admin Phone: +45.46903232
Admin Fax: +45.46903234
Admin Email: jokerhostmaster@ldnet.dk
Registry Tech ID:
Tech Name: – – –
Tech Organization: Larsen Data ApS
Tech Street: Vestergade 20 B, 2
Tech City: Koebenhavn K
Tech Postal Code: 1456
Tech Country: DK
Tech Phone: +45.46903232
Tech Fax: +45.46903234
Tech Email: jokerhostmaster@ldnet.dk
Name Server: ns1.gratisdns.dk
Name Server: ns2.gratisdns.dk
Name Server: ns3.gratisdns.dk
Name Server: ns4.gratisdns.dk
Name Server: ns5.gratisdns.dk

 

93.176.70.220 (smart-ebizz.com)

Announced By
Origin AS    Announcement                             Description
AS31027      93.176.64.0/18 (ROA Signed and Valid)    Nianet A/S

 

———————————————————–
Spoofer’s domain details:

———————————————————–
Scammer’s domain details:
Domain Name: date4sex.top
Domain ID: D20170512G10001G_08766471-TOP
abuse@publicdomainregistry.com
Referral URL: http://publicdomainregistry.com
Updated Date: 2017-05-29T16:38:53Z
Creation Date: 2017-05-12T10:09:09Z
Registry Expiry Date: 2018-05-12T10:09:09Z
Sponsoring Registrar: PDR Ltd
Sponsoring Registrar IANA ID: 303
Registrant ID: di_67646932
Registrant Name: Helga
Registrant Organization: N/A
Registrant Street: Bergsgatan 13
Registrant City: Stockholm
Registrant State/Province: Stockholmslän
Registrant Postal Code: 10327
Registrant Country: SE
Registrant Phone: +46.2036521522
Registrant Phone Ext:
Registrant Fax:
Registrant Fax Ext:
Registrant Email: brittenyapduanabm24@rediffmail.com
Admin ID: di_67646932
Admin Name: Helga
Admin Organization: N/A
Admin Street: Bergsgatan 13
Admin City: Stockholm
Admin State/Province: Stockholmslän
Admin Postal Code: 10327
Admin Country: SE
Admin Phone: +46.2036521522
Admin Phone Ext:
Admin Fax:
Admin Fax Ext:
Tech ID: di_67646932
Tech Name: Helga
Tech Organization: N/A
Tech Street: Bergsgatan 13
Tech City: Stockholm
Tech State/Province: Stockholmslän
Tech Postal Code: 10327
Tech Country: SE
Tech Phone: +46.2036521522
Tech Phone Ext:
Tech Fax:
Tech Fax Ext:
Tech Email: brittenyapduanabm24@rediffmail.com
Name Server: ns4.cxpqm.ru
Name Server: ns3.cxpqm.ru
Name Server: ns2.cxpqm.ru
Name Server: ns1.cxpqm.ru
Admin Email: brittenyapduanabm24@rediffmail.com
abuse@rediff.co.in (for rediffmail.com)
abuse@rediffmail.com (for rediffmail.com)
customersupport@rediff.co.in (for rediffmail.com)
domain: CXPQM.RU
nserver: dns1.cxpqm.ru. 197.254.20.218
noc@kenic.or.ke
Mail abuse issues should also be addressed to abuse@kenic.or.ke
nserver: dns2.cxpqm.ru. 185.104.192.205
phone:            +982122871564-5
e-mail:           baabak@gmali.com
nserver: dns3.cxpqm.ru. 196.29.186.6
abuse@web.com
mj58p34w9b5@networksolutionsprivateregistration.com
abuse@networksolutions.com
nserver: dns4.cxpqm.ru. 87.236.142.110
aliahmed@nue-tel.com

person: Private Person
registrar: RU-REGRU
admin-contact: abuse@reg.ru
Created: 2016-12-06T08:45:00Z
paid-till: 2017-12-06T08:45:00Z
free-date: 01/06/2018

———————————————————–
Bait site’s domain details:
outbreakclub.com
Infected site: http://outbreakclub.com/wp-content/themes/salient/rnb_da3.php#eaxeamfeae
Domain Name: OUTBREAKCLUB.COM
Registry Domain ID: 2115358843_DOMAIN_COM-VRSN
Registrar WHOIS Server: whois.publicdomainregistry.com
Registrar URL: www.publicdomainregistry.com
Updated Date: 2017-04-17T19:14:45Z
Creation Date: 2017-04-17T19:14:44Z
Registrar Registration Expiration Date: 2018-04-17T19:14:44Z
Registrar: PDR Ltd. d/b/a PublicDomainRegistry.com
Registrar IANA ID: 303
Domain Status: clientTransferProhibited https://icann.org/epp#clientTransferProhibited
Registry Registrant ID: Not Available From Registry
Registrant Name: Domain Admin, C/O ID#10760
Registrant Organization: Privacy Protection Service INC d/b/a PrivacyProtect.org
Registrant Street: PO Box 16
Registrant City: Nobby Beach
Registrant State/Province: Queensland
Registrant Postal Code: QLD 4218
Registrant Country: AU
Registrant Phone: +45.36946676
Registrant Phone Ext:
Registrant Fax:
Registrant Fax Ext:
Registrant Email: contact@privacyprotect.org
abuse@privacyprotect.org
Registry Admin ID: Not Available From Registry
Admin Name: Domain Admin, C/O ID#10760
Admin Organization: Privacy Protection Service INC d/b/a PrivacyProtect.org
Admin Street: PO Box 16
Admin City: Nobby Beach
Admin State/Province: Queensland
Admin Postal Code: QLD 4218
Admin Country: AU
Admin Phone: +45.36946676
Admin Phone Ext:
Admin Fax:
Admin Fax Ext:
Admin Email: contact@privacyprotect.org
Registry Tech ID: Not Available From Registry
Tech Name: Domain Admin, C/O ID#10760
Tech Organization: Privacy Protection Service INC d/b/a PrivacyProtect.org
Tech Street: PO Box 16
Tech City: Nobby Beach
Tech State/Province: Queensland
Tech Postal Code: QLD 4218
Tech Country: AU
Tech Phone: +45.36946676
Tech Phone Ext:
Tech Fax:
Tech Fax Ext:
Tech Email: contact@privacyprotect.org
Name Server: ns1.sdserver127.com.br
Name Server: ns2.sdserver127.com.br
DNSSEC:Unsigned
Registrar Abuse Contact Email: abuse-contact@publicdomainregistry.com
Registrar Abuse Contact Phone: +1.201377595

https://t.co/r1uV1fC8pM
abuse@twitter.com
Fast f*ck with milfs- https://t.co/r1uV1fC8pM
Antispam by Zifsoft Aggressor. You can spam but you can't hide.
Our users do not need to unsubscribe from your mailing list as they did not subscribe to your list.
Please take them off your list immediately.
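
To read the relay chain in the header dump of the report above, this added example (not part of the original report and not Zifsoft Aggressor code) parses the `Received` and `From` lines copied from it, with continuation lines re-indented, and reports where the message entered SMTP. The names `parse_hops` and `analyse` are this example's own.

```python
import ipaddress
import re
from email import message_from_string
from email.utils import parseaddr

# Received/From lines copied from the report above; continuation lines re-indented.
RAW = """\
Received: from mail.smart-ebizz.com (smart-ebizz.com [93.176.70.220])
\tby homiemail-mx34.g.dreamhost.com (Postfix) with SMTP id 3E12B6000A22D
\tfor <info@gobi.com.sg>; Sun,  4 Jun 2017 17:07:25 -0700 (PDT)
Received: from localhost (localhost [127.0.0.1])
\tby mail.smart-ebizz.com (Postfix) with ESMTP id 5A95648D1E;
\tMon,  5 Jun 2017 01:29:30 +0200 (CEST)
Received: from mail.smart-ebizz.com ([127.0.0.1])
\tby localhost (mail.smart-ebizz.com [127.0.0.1]) (amavisd-new, port 10024)
\twith ESMTP id 7M+DvQ8H1gYg; Mon,  5 Jun 2017 01:29:28 +0200 (CEST)
Received: from outlook.com (unknown [115.13.156.37])
\tby mail.smart-ebizz.com (Postfix) with ESMTPSA id 3EC6748CBE;
\tMon,  5 Jun 2017 01:29:20 +0200 (CEST)
From: "FUCK EXPRESS" <info@groundpound-graphics.com>
"""

HOP = re.compile(
    r"from\s+(?P<helo>\S+)\s+\((?:(?P<rdns>\S+)\s+)?\[(?P<ip>[^\]]+)\]\)"
    r"\s+by\s+(?P<by>\S+).*?\bwith\s+(?P<proto>\w+)")

def parse_hops(raw):
    """Return (message, hops oldest-first); each MTA prepends its own Received line."""
    msg = message_from_string(raw)
    found = (HOP.search(" ".join(v.split())) for v in msg.get_all("Received", []))
    return msg, [m.groupdict() for m in found if m][::-1]

def analyse(raw):
    """Summarise the hop where the message first arrived from a non-loopback client."""
    msg, hops = parse_hops(raw)
    entry = next(h for h in hops if not ipaddress.ip_address(h["ip"]).is_loopback)
    from_domain = parseaddr(msg["From"])[1].rpartition("@")[2]
    return {
        "origin_ip": entry["ip"],
        "relay": entry["by"],
        # RFC 3848: ESMTPA / ESMTPSA mean the client passed SMTP AUTH.
        "authenticated": entry["proto"].upper() in ("ESMTPA", "ESMTPSA"),
        # Postfix prints "unknown" when the client's reverse DNS does not verify.
        "helo_unverified": entry["rdns"] in (None, "unknown"),
        "from_matches_relay": entry["by"].endswith(from_domain),
    }

if __name__ == "__main__":
    print(analyse(RAW))
```

Only the topmost `Received` line was written by the recipient's own MX; the lower ones are the relay's record of the submission, so the relay operator's logs are what confirm them.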

Aggressor FU also attaches all previous spam sent by the same source. The result is very effective. Shutdown of the landing site and spamming sources:

Aggressor FU shut down Fuckbook 1 with one report.

 

Fuckbook 1:

It took 89 reports to shut down Fuckbook 1. But within those 89 tries, two generations of Aggressor (Dimsum & Egghead) were developed to handle persistent spam.
