Malicious Links

Hi All,

My dad had a friend send him a video through Facebook Messenger recently. He clicked on it and it led him to what looked like a Facebook login page. Of course it was not Facebook, and he gave his Facebook creds to the hacker. They used them to send more of the same messages from him to all his friends.

The reason that I’m posting this here is that the fake Facebook page was on https://4q(dot)lc. That appears to be a URL shortener for crankyads(dot)cc. Both have a valid cert owned by sni.cloudflaressl.com. The fake Facebook page has been removed since yesterday.

I am new to information security (I work in compliance) and am wondering if someone has some insight on how the malicious page got on that site? Not necessarily specific to this case, but generally how this happens. Just trying to learn more about what is happening in the real work in infosec.

Thanks!!

Cloudflare doesn’t investigate compromised servers, but you can file a complaint against malicious sites at cloudflare.com/abuse

I was wrong, the 4q(dot)lc Facebook login page is still there.

Thanks. Submitted.

I was mainly looking for info about how this happens. So, It is a compromised server/site that’s normally valid, not a entirely malicious site or a fake cert?

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.