- Myspace Fake Profile Spammers: This Is How They Do It
A few weeks ago, we covered Spammers running riot on Myspace pushing ringtones and dating profiles. Have you ever wondered how Spammers go about their daily business? If so, you're in luck because it seems likely that we've pieced together the tools (and domains) used for this very wave of fake profiles.
It all started with a domain I'd been looking at for a few days, which touted a "Myspace Directory" containing numerous text files named after various sections on the typical Myspace profile - "Gender", "Interests", "Heroes" and "Movies", to name but a few:
Here's a Birthday file:
Here's a list of names:
Here's the name for the spam profile itself:
And, more tellingly, here's an image file - the profile picture for the spam account:
It doesn't take long to figure out that these different text files are values the Spammers use to populate their fake profiles. But how do they get that data into the fake profiles in the first place?
It all begins with a domain that (for some unknown reason) was left with the Spamming tools sitting on the frontpage of the site:
Thanks to a tip from my pal LoLo, I was able to grab the files and take a look inside. The domain hosting these files changes its content on a regular basis. Sometimes it serves you geotargetted adverts, other times it'll hand you an ad for a dating page (the picture of the girl with the laptop has been used on the majority of more recent spam that appears to come from the same group):
And (thanks to the magic of Google cache) we can even see the domain hosting a fake Myspace page:
The example above is overlaid with a redirect that takes you to more targeted adverts. For what it's worth, this particular kind of spam profile has been on Myspace since at least June 2007.
If we take a look inside the first zipfile, we see the following collection of files and folders:
Exploring those folders a little deeper (and faced with numerous .cs files), renaming some of them to .txt files....
....allows you to take a peek inside:
Once again, we see references to the most common categories on a Myspace profile. As you're about to see, this is hardly a coincidence. From the second zipfile:
"Myspace program.exe"? Shall we take a look inside the program before we fire it up?
Well, would you look at that. Not only is the domain with the "Myspace" folder referenced in the code, but (more importantly) all of the individual .txt files that relate to "Birthday", "Books", "Movies", "Interests", "Heroes"....they're all there. Shall we put it all together?
This is the tool that apparently makes it all happen. Note the entry box in the bottom right corner - from what we can gather, you enter the profile name you'd like for your Spam profile and hit Start - at which point, it checks out the information provided in the .txt files sitting on the domain, before attempting to contact another part of that website that allows it to create the spam profile on Myspace. At time of writing, the program doesn't seem to work due to a page missing on the domain hosting the spam profile information. Of course, they could bring the page back at any time, but for now, Myspace seems like it may be spared from more fake profiles selling ringtones, dating ads and free iPods.
For a couple of minutes, at least....
Research Summary Write-Up: Chris Boyd, Director of Malware Research
Technical Research: Chris Mannon, FSL Senior Threat Researcher