Quick Links: SpywareGuide Greynets Blog | SpywareGuide Product Database | SpywareGuide Company Database | SpywareGuide Categories
SpywareGuide powered by FaceTime Security Labs
Search SpywareGuide Greynets Database & Site
Security Email Alerts & Updates
Search the Blog
 
Recent Posts
Categories
Monthly Blog Archives
Links
Subscribe
Subscribe to this blog's feed
About the Blog
About SpywareGuide Greynets Blog
Link to Us
Link to SpywareGuide.com

« The Free Myspace Viewer - Beware! | Main | European Mailer Society (FEDMA) Warns Against Spyware Use »

  • Myspace Phish Attack Leads Users to Zango Content

A while ago on the Spywareguide Blog, I covered a technique being used in Peer to Peer land involving URLs being embedded in Quicktime movies, which would then pop open a website. This has now been taken to the next level, with an intensive and seemingly never ending Phish attack, the sole aim of which seems to be directing end-users to a collection of Zango movies on a pornographic website. The Phish pages are hosted on compromised servers - presumably the people doing the hacking aren't particuarly brilliant at it, because they keep getting found out (an example of them being caught in the act can be seen here).

How does this attack work?


It begins with a Quicktime file being embedded in a Profile page. If the user "runs" the file (simply visiting the infected page is enough to trigger the attack in most cases), it uses the HREF function to activate some javascript. HREF? Let's take a quick look at the Quicktime website:

An HREF track is a special type of text track that adds interactivity to a QuickTime movie. HREF tracks contain URLs that can specify movies that replace the current movie, load another frame, or that load QuickTime Player. They can also specify JavaScript functions or Web pages that load a specific browser frame or window.

Allowing Javascript from a movie file....whoops.

When this happens, the profile page is "infected" and pastes a fake overlay of options onto the profile page - the most serious of which is (of course) the fake login button. If your page has been affected, you will see a strange, blue navigation bar such as this on your page. If this is the case, you will need to clean out your profile and check if any of your friends have also been infected - if they are, you will continue to be reinfected...most likely via the friends list itself. We have seen reports of users complainiing that even when they've removed the fake navigation bar from their page, it comes right back if one of their friends is infected - so it looks like the friends list is being exploited in much the same way the Orkut worm used a similar feature to spread. Except in this case, the only option to fix the problem is get your friend to remove the infection code from their page, or remove your friend from your list indefinitely.

Going back to the fake login, if you enter your details, you have officially been Phished and your details will be used to spam any one of a number of messages including

'what else is there to do on a Sunday.?.......'
'You better not forget about this..'
'Hehe that was so funny..'
'better see this one last time lol..'
'omg did you see this last nite..'
'whos coming to the party tonight.?..'

Users who have been tricked into using the fake domain login also report that the Quicktime movie is randomly embedded into their "about me" and / or "movies" section, thus ensuring the spread of this worm continues (because of course when activated, the HREF function will run the Javascript and overlay the profile page with the fake navigation bar).

However - that's not all there is to this attack, because you're not going to go to all this trouble unless there's the chance of making a quick buck at the same time. Along with the above messages, what appears to be a moviefile is pasted underneath the text. Of course, it's not a moviefile - it's just a random screenshot (hosted on Imageshack) of a pornographic scene:

zangphish2small.jpg

Clicking the image will take you to a site called Vidchicks - as you can see from
this screenshot, the site contains numerous Zango videos (including a popunder that displays many more), and the sole purpose of this Phish attack seems to be to drive traffic to this content. Of course, the webmaster will profit for each piece of Zango Adware installed.

My colleague Wayne Porter has started to wade through the various mounds of information available to him in the E-Commerce space with regards this particular attack, and I can already say the results are extremely eye-opening. We'll be putting another writeup together on this one, looking at the money trails and financial aspects to this attack. In the meantime, you can see more information on this attack here (along with some extremely interesting information with regards who might be behind this). Just to summarise, we already have

1) A new Myspace worm
2) Bad guys using HREF functionality available to Quicktime files
3) Hacked websites hosting fake Myspace login details
4) A pornographic website (linked to from various hacked profiles) that contains Zango content, as well as using a popunder to display more Zango videos.

Once again, Zango find themselves tangled up in something they'd probably rather not have anything to do with. As for Myspace, it really needs to think about banning Quicktime movies from their site until something can be done about the HREF feature being exploited in this fashion. This one is spreading rapidly, and something tells me the people behind this won't quit unless the strong financial motivation on offer is removed...

Research Summary Write-Up: Chris Boyd, Director of Malware Research
Supplemental Research: Wayne Porter, Senior Director Special Research


  • Comments

plese let myspace be on this computer pease


I think I may have been infected by the myspace virus, but what is happening to me isnt listed in your post. Whenever I try to post a bulliten or a blog it wont let me. The screen turns white and in the upper lefthand corner there is a series of 4 or 5 letters and numbers. Different each time I try to post something. Do I need to clean out my profile and start again?


Hi,

You provide the most informative article about the Myspace trouble. Now I realize it is worse than I though it is. Stay you say: "The screen turns white and in the upper lefthand corner there is a series of 4 or 5 letters and numbers." Isn't that the anti spam number that you should enter before posting?

If you use mozilla firefox the page won't display well sometimes so you may want to try IE7.

Karl


Site EULA | Site Map | Contact Us | About Us | Site and Spyware FAQ | Advertise | RSS Feeds  | Link To Us | SpywareGuide JapanJapanese

© Copyright 2006, FaceTime Communications, Inc. All rights reserved.