- Myspace Phish Attack Leads Users to Zango Content
A while ago on the Spywareguide Blog, I covered a technique being used in Peer to Peer land involving URLs being embedded in Quicktime movies, which would then pop open a website. This has now been taken to the next level, with an intensive and seemingly never ending Phish attack, the sole aim of which seems to be directing end-users to a collection of Zango movies on a pornographic website. The Phish pages are hosted on compromised servers - presumably the people doing the hacking aren't particuarly brilliant at it, because they keep getting found out (an example of them being caught in the act can be seen here).
How does this attack work?
When this happens, the profile page is "infected" and pastes a fake overlay of options onto the profile page - the most serious of which is (of course) the fake login button. If your page has been affected, you will see a strange, blue navigation bar such as this on your page. If this is the case, you will need to clean out your profile and check if any of your friends have also been infected - if they are, you will continue to be reinfected...most likely via the friends list itself. We have seen reports of users complainiing that even when they've removed the fake navigation bar from their page, it comes right back if one of their friends is infected - so it looks like the friends list is being exploited in much the same way the Orkut worm used a similar feature to spread. Except in this case, the only option to fix the problem is get your friend to remove the infection code from their page, or remove your friend from your list indefinitely.
Going back to the fake login, if you enter your details, you have officially been Phished and your details will be used to spam any one of a number of messages including
'what else is there to do on a Sunday.?.......'
'You better not forget about this..'
'Hehe that was so funny..'
'better see this one last time lol..'
'omg did you see this last nite..'
'whos coming to the party tonight.?..'
However - that's not all there is to this attack, because you're not going to go to all this trouble unless there's the chance of making a quick buck at the same time. Along with the above messages, what appears to be a moviefile is pasted underneath the text. Of course, it's not a moviefile - it's just a random screenshot (hosted on Imageshack) of a pornographic scene:
Clicking the image will take you to a site called Vidchicks - as you can see from
this screenshot, the site contains numerous Zango videos (including a popunder that displays many more), and the sole purpose of this Phish attack seems to be to drive traffic to this content. Of course, the webmaster will profit for each piece of Zango Adware installed.
My colleague Wayne Porter has started to wade through the various mounds of information available to him in the E-Commerce space with regards this particular attack, and I can already say the results are extremely eye-opening. We'll be putting another writeup together on this one, looking at the money trails and financial aspects to this attack. In the meantime, you can see more information on this attack here (along with some extremely interesting information with regards who might be behind this). Just to summarise, we already have
1) A new Myspace worm
2) Bad guys using HREF functionality available to Quicktime files
3) Hacked websites hosting fake Myspace login details
4) A pornographic website (linked to from various hacked profiles) that contains Zango content, as well as using a popunder to display more Zango videos.
Once again, Zango find themselves tangled up in something they'd probably rather not have anything to do with. As for Myspace, it really needs to think about banning Quicktime movies from their site until something can be done about the HREF feature being exploited in this fashion. This one is spreading rapidly, and something tells me the people behind this won't quit unless the strong financial motivation on offer is removed...