Scammers abound Facebook and groups intending to broadcast the funeral services of a recently deceased person on video. Friends and family who follow links to streaming services are then asked to provide their credit card information. Recently, these scammers have joined in offering fake streaming services for almost any type of event advertised on Facebook. Here’s a closer look at the size of the scheme, and some findings about who may be responsible.
One of the scam funeral group pages on Facebook. Clicking to watch a “live stream” of the funeral takes the person to a newly registered website that asks for credit card information.
KrebsOnSecurity recently heard from a student named George who said that a friend had recently died, and he noticed that a Facebook group had been created in memory of that friend. The page listed the correct time and date for the funeral service, which can be streamed online by following a link to a page that asks for credit card information.
“After I posted through the portal, my friend appeared [the same thing] It happened to him when his friend died two weeks ago,” said George.
A Facebook/Meta search with a few simple keywords like “funeral” and “broadcasting” brings up dozens of Facebook funeral group pages, some of them for past services and some for upcoming funerals.
All of these groups include pictures of the deceased as their profile picture, and want to refer users to a few newly registered video streaming websites that require a credit card payment before one can proceed. What is even sadder is that some of these pages are asking for donations in the name of the deceased.
It is not clear how many Facebook users fell for this scam, but it is important to note that most of these fake funeral groups attract subscribers from at least some of the deceased’s followers, suggesting that those users signed up for the groups in anticipation of the broadcast service. It’s also unclear how many people end up missing a friend or loved one’s funeral because they think it’s being streamed online by mistake.
One of the similar looking landing pages for video streaming services linked to the Facebook scam funeral groups.
George said that their friend’s funeral service page on Facebook included a link to the service which was said to be broadcast live on livestreamnow[.]xyzdomain registered in November 2023.
According to DomainTools.com, the organization that registered this domain is called “apkdownloadweb,” is based in Rajshahi, Bangladesh, and uses the DNS servers of a Web hosting company in Bangladesh called. webhostbd[.]the net.
A search for “apkdownloadweb” on DomainTools shows three domains registered to this business, including live24 sports[.]xyz again streaming online[.]xyz. Both of those domains also used webhostbd[.]DNS net. Apkdownloadweb has a Facebook page, which shows a bunch of funny “live videos” of sports events that have taken place, and claims that its site is. apkdownloadweb[.]com.
Livestreamnow[.]xyz is currently hosted on a Bangladeshi web hosting provider named cloudswebserver[.]combut historical DNS records show this website also used DNS servers from webbustbd[.]the net.
Livestreamnow url[.]xyz is me 148.251.54.196to hosting giant Hetzner in Germany. DomainTools shows this same Internet address is home to nearly 6,000 other domains (.CSV), including hundreds that refer to video streaming terms, such as watchliveon24[.]com again foxsportsplus[.]com.
There are thousands of domains at this IP address that include or end with the letters “bd,” the top-level country code base for Bangladesh. Although many domains are related to e-commerce websites or blogs about IT topics, just as many contain a fair amount of proxy content (think “lorem ipsum” text on the “contact” page). In other words, the sites seem legitimate at first, but upon closer inspection it becomes clear that they are not currently being used by active businesses.
The idle DNS records for 148.251.54.196 show a surprising number of results that are two domain names joined together. For example, there is watchliveon24[.]com.playehq4ks[.]comshowing links to many funeral service streaming groups on Facebook.
Another integrated domain on the same Internet address — streaming24[.]xyz.allsportslivenow[.]com — lists dozens of links to Facebook groups for funerals, but also to nearly every type of event announced or posted by Facebook users, including graduations, concerts, awards ceremonies, weddings, and rodeos.
Even public events hosted by state and local police departments on Facebook are fair game for these scammers. A Facebook page maintained by police in Plympton, Mass. for a community event this summer called Plympton Night Out was quickly split into two separate Facebook groups informing visitors they could stream the festivities at any time. espnstreamlive[.]co or skysports[.]live.
WHO IS BEHIND THE FAKEBOOK FUNERALS?
Remember that you are a livestreamnow subscriber[.]xyz – a fake streaming site linked to a Facebook group of George’s late friend – was an organization called “Apkdownloadweb.” The background of that business — apkdownloadweb[.]com – registered in a Mazidul Islam in Rajshahi, Bangladesh (this site uses Webhostbd[.]net DNS servers).
Mazidul Islam’s LinkedIn page says he is the editor of a defunct IT blog called gadgetsbiz[.]com, which DomainTools found was registered to Mehedi Hasan from Rajshahi, Bangladesh.
To bring this full circle, DomainTools finds the domain name of the DNS provider for all the sites mentioned above – webhostbd[.]net – was originally registered in a Md Mehediand email address [email protected] (“MD” is a common abbreviation for Muhammad/Mohammod/Muhammed).
A search on that email address at Constella turns up a breached record from data broker Apollo.io that says the owner’s full name is. Mohammad Mehedi Hasan. Unfortunately, this is not a unique name in that region of the world.
But as luck would have it, sometime last year the admin of apkdownloadweb[.]com managed to infect his Windows PC with password-stealing malware. We know this because data logs stolen from this administrator’s PC were identified by the Constella Intelligence breach tracking service. [full disclosure: As of this month, Constella is an advertiser on this website].
These so-called “stealing logs” are mostly generated by opportunistic infections from information-stealing trojans sold on cybercrime markets. A typical set of logs for a compromised PC will include any usernames and passwords stored in any browser on the system, as well as a list of recent URLs visited and files downloaded.
Malware cleaners will often use secret malware by bundling it with “cracked” or pirated software titles. Indeed, apkdownloadweb admin hacker logs[.]com show this user’s PC was infected immediately after downloading the booby-trapped application development toolkit.
Those stolen details show Apkdownloadweb[.]com is maintained by a person from Dhaka, Bangladesh named 20 Mohammad Abdullah Khondokar.
The “browser history” folder from the Apkdownloadweb manager shows that Khondokar recently left a comment on Mohammad Mehedi Hasan’s Facebook page, and Khondokar’s Facebook profile says the two are friends.
Neither MD Hasan nor MD Abdullah Khondokar responded to requests for comment. KrebsOnSecurity also sought comment from Meta.
Source link