December 2007 Archives

Laziest Spam Ever


I guess the people behind this missive were too full of Xmas leftovers or something, because instead of plastering links all over the place, they're letting the forum regulars do all the hard work instead:

super_lazy_spam.jpg

That's right, YOU'RE supposed to "provide details" of XRumer (King of Spamming programs), which is sort of ironic considering the forum spammer likely used XRumer to post these messages in the first place.

http://blog.spywareguide.com/upload/2007/12/xrumakthebest-thumb.jpg

231,000 results for the guy posting the spam message? I guess we can see XRumer really does work, though that's not exactly comforting....

Here's an interesting spam gimmick - do a search for something in Google / Yahoo / whatever:

http://blog.spywareguide.com/upload/2007/12/flickr_stock_spam_search-thumb.jpg

.....meanwhile, the bad guy has stuffed a bunch of keywords into a Flickr screenshot page, then inserted one of those wonderful stock trading spam messages into the screenshot area. When people arrive at his Flickr page, they see this:

http://blog.spywareguide.com/upload/2007/12/stock_spam_flickr70-thumb.jpg

....awesome. In fact, this particular profile is stuffed to bursting point with keywords galore leading to yet more trading spam...

http://blog.spywareguide.com/upload/2007/12/stock_spam_flickr_two-thumb.jpg

......and a pile of Viagra / cheap software garbage, too:

http://blog.spywareguide.com/upload/2007/12/final_flickr-thumb.jpg

What site will the spammers ruin next?

Word Of The Year


It's always a little quiet with regard to interesting spyware stories at this time of the year - probably because the bad guys are taking a three week break from hacking, phishing and cracking while they eat gigantic turkeys on their luxury cruise liners in the Bahamas or whatever - so here's a little missive that caught my eye this morning.

According to this (rather surreal) press release, Merriam-Webster has selected "W00t" as Word of the Year.

My question is - what took them so long?

Hear some of my thoughts on the recent spate of Myspace hacks here (direct download), courtesy of SCMagazine.

Too Much, Too Soon?


There's a lot of new social networking sites out there nowadays, with new ones popping up all the time. Not so long ago, Zubby.com was launched with the following message from founder Randy Zlobec:

"Although it's obviously a great success, I think the problem with MySpace is the amount of advertising it has given itself over to," Zlobec states when asked why he started Zubby.com. "Many of my friends have a MySpace account and the one thing we all agree on is the frustration of logging on to find out you have 30 new messages from people you don't know, trying to sell you a magic pill or similar! Also, there are all the adverts that take up all your page space, not to mention the amount of times accounts have been hacked. With Zubby, we aim to change all that and more."

As I was one of the first people to register there, I've seen emails get fired out regarding what's going on in the network, and it seems that as time goes by, Zubby has to sadly face facts - eventually, all the problems that plagued someone else come and plague you, too.

Here's a mail from the 27th of November:

http://blog.spywareguide.com/upload/2007/12/27th-november-thumb.jpg

....a simple warning about placement of adverts. And then, a few days later, another message entitled "First member banned from Zubby.com":

http://blog.spywareguide.com/upload/2007/12/30th-november-thumb.jpg

...does this sound like a miniaturized version of Myspace yet? Then, on the Second of December, we have a mini spam invasion on the network:

http://blog.spywareguide.com/upload/2007/12/2nd-december-thumb.jpg

....it doesn't take long for the bad guys to start exploiting the system, does it? Eventually it really is a case of too much, too soon: by the 11th of December, it's clear they hadn't anticipated exactly how many people were going to register on the site:

http://blog.spywareguide.com/upload/2007/12/11th-december-thumb.jpg

Whoops.

I'm already starting to sink in an ocean of "30 messages from people I don't know", and friend invites from people called "Cash" and "UProfit" who have profiles like this:

http://blog.spywareguide.com/upload/2007/12/cashcrate-thumb.jpg

....with not a lot else on them but gigantic pictures of cheques and endless promises regarding how much money you're going to make.

It seems the sad reality is that for anyone running a social networking site, any and all attempts to avoid incidents such as the above are totally, and utterly, doomed to failure. Am I being too negative here? Or is that a fair assessment of these sites?

justin1.jpg

...a charming bulletin. And here's his page from a few hours ago:

http://blog.spywareguide.com/upload/2007/12/justin2-thumb.jpg

...Tesla, running wild.

I couldn't imagine a crazier way to get yourself some attention from the hacking crew you want to join than taking out one of the biggest "phenomenons" on Myspace then following it up with the Hilary Duff music page, but there you go. The page content doesn't appear to have had anything malicious placed on it, but the individual behind the hacks couldn't resist sending out a few bulletins.

tila_1.jpg

Here's a few versions of the hacked page:

http://blog.spywareguide.com/upload/2007/12/tila_2-thumb.jpg

Note that Tila is extremely popular on Myspace, and has 241,4669 friends. In fact, she's one of the top three music profiles on all of Myspace:

http://blog.spywareguide.com/upload/2007/12/tila_most_popular-thumb.jpg

If the hacker had placed something malicious on the page... Houston, we'd have a problem.

Finally, the motivation behind the attack is revealed:

http://blog.spywareguide.com/upload/2007/12/tila_3-thumb.jpg

Check out the text at the bottom of the screen:

"Well my names Tesla I like to hack I think Tilas a hottie and uh I wanna join team Kryogeniks!"

Sadly for Tesla, I don't think he'll be getting a membership card through the door anytime soon, because if we jump over to the Kryogeniks website (handily provided for us via the content of the bulletin sent out from the hacked Hilary Duff account):

tila_4.jpg

....we find that Tesla might not be the flavour of the month on the Kryogeniks board:

http://blog.spywareguide.com/upload/2007/12/tila_5-thumb.jpg

I'm sure he didn't include getting their forum canceled in his plan for Internet stardom, but oh well. Shall we take a look around and see what we can find? Let's start with a cached version of their forum:

http://blog.spywareguide.com/upload/2007/12/kyro1-thumb.jpg

In all honesty, there's not a lot there - a few mentions of "phish pages needed" and the usual cracks / hacks. Let's keep looking - wait, do we have something on Digg.com? Sure looks that way:

kyro2.jpg

"Seems to have been hacked"? I'd be more impressed if the user who submitted the story didn't share his username with the site being given shout-outs in the bulletin. Sigh. Nothing like a little self-publicity, I guess. Turning our attention back to Tesla, we can see he's a noob on their forum:

http://blog.spywareguide.com/upload/2007/12/kyro4-thumb.jpg

...but other than that, not a lot is known about him at this point.

Addendum - We've just discovered that Justin Timberlake had his page compromised in the same way by Tesla.

I'll update this blog entry with more information as it comes in...

Today we came across a considerable collection of stolen credit card details - somewhere in the region of 150 separate pieces of data - posted to a fairly typical Warez forum. The odd thing about it was that the poster didn't really come across as a professional carder - more like someone who happened to stumble across a stockpile of sensitive information and was now trying to distribute it as quickly as he could.

A clue that this might be the case was that the formatting of the data was fairly irregular. Normally carders post all their information in a very uniform fashion; here, you could see at least three distinct types of data, some containing nothing more than card details while others contained (amongst other things) name, address, PIN number, phone number and (more worryingly) a "receiver address", as if the information had been lifted directly from a back-end payment system.

card_theft_2.jpg

A final clue that the poster might not be a professional carder? Well, the big giveaway is that he happily posted all this information with a huge photograph of himself as a signature picture and his location listed under his forum avatar.

Can't say I've seen that before.

The majority of victims appear to be based in the United States. There is no discernible pattern to the victims, nor is it currently possible to tell what sites were compromised to obtain the data (if any). Of course, we tried to contact some of the victims to let them know to cancel their cards (as far as we could see, all cards are valid until at least next year) but so far, we've had no success.

Extensive searching on the information contained in the forum posts turned up no obvious reveals - the data seems to be well hidden underground, even though the poster says to "use them quickly because they're being used by other people too" - save for one solitary email address listed in the data. The email address took us to a pro carding forum, apparently offline now, where someone was offering up a small sample of private data, with a purchase price of $30,000 to $50,000 for "UK and US bank logins".

Could someone have bought this data then accidentally dumped it into a public directory somewhere? Unlikely, as everyone would now have a copy - but it seems that somewhere, somehow, a professional carder has made a big mistake....

About this Archive

This page is an archive of entries from December 2007 listed from newest to oldest.
