June 2008 Archives

As Keanu would say, "There's a bomb on the bus".

I mean, "Whoa". He might also have said "Excellent", but that was definitely the wrong film.

At any rate, here's an infection from China called "Agent.NEO", which probably has some deep seated relevance to the Matrix trilogy. Or maybe not. There aren't tons of screenshots of desktop fireworks, because by and large, this infection doesn't hit you with the pretty whiz-bang effects on your monitor. What it does do, however, is drop a ton of files onto your PC (many of which do strange things - here's a couple from various directories):



...slows everything down to a crawl, attempts to detect and disable security programs, contacts a remote mail server with network sensitive data, hijacks your IE:


....and tries to show you a couple of Chinese popup ads (none of those pages were online at time of testing, otherwise there'd be multicoloured screenshots galore below).

I'm trying really hard to end this writeup with a really cheesy Matrix reference, but I can't think of any so in conclusion: avoid Agent.NEO at all costs (but watch the films again, they're awesome).

New Social Networking sites appear all the time nowadays, but I must admit to being at least faintly concerned about a new site currently in Beta called "Plazes" (spot the play on words).

There isn't a great deal of information on the site at present, but from looking at it, the whole concept seems to take the idea of Twitter - constant stream of information about your day to day business - then tie it up with software that seems to pinpoint your every move.

If I'm wrong, please tell me - but wow, this sort of creeps me out. Check out the main homepage:


"Create activities to let your friends know what you are doing, when and where" reads the header. Below, you can see some kind of Google Maps integration with a specific location mentioned. "Automatically create activities and update your location", says a blurb next to a link for "The Plazer" software for your PC.

From what I can gather, the technology has been around since at least 1995 in the form of mobile phone applications and the like. Deciding to tie it into a Social Networking site would seem to be the next logical step, but I am concerned that taking so much detailed personal information (because really, you can't get anything more personal and detailed than your exact physical location) and wrapping it up into a "Social web-to-go" (as they call it), spells potential disaster when faced with users of social networking sites who will simply go "Oh wow" at the features without bothering to think of potential safety hazards.

Am I worrying over nothing? Or will people be so seduced by the clever technology that they won't stop to think that pasting their every movement to the web might not be the brightest of ideas?

There's a collection of credit card hack / generation tools currently in circulation, and apparently quite popular with the script kiddies. With programs seemingly dating back from 1995(!) up until the present day, there's something for everyone in this little bundle of "joy".

Here's what you'll see when the files have been unzipped:


The folders give dates from 2006 to 2008, though the dates of the included programs stretch back quite a way further than that. One of the programs inside the folders is dated as 2001:


As you can see, it's a fairly basic Credit Card generator / validation program. The rest of the programs are something of a mixed bag indeed, some of them don't actually work (not that I'm complaining). For the old school connoisseur, here's an ancient program going back to 1995:


The most notable program included would probably be something called Credit Wizard, which seems to make up the majority of the bundle with updated releases in each folder:


As you can see, it comes with most of the options of the other tools and also comes with an "Info Generator", which allows you to create fake names & addresses at the push of a button. There are a few URLs included in the zip which seem to point to Argentinian hacking sites, but as they all seem to be down, there's no way to verify if they distributed this collection or are just getting shout-outs from their friends. Either way, not the greatest thing to wake up to on a Monday morning...
Seen filling up mailboxes en masse....


It goes without saying, but when people send you random EMails asking for the specifics of your login details.....just say no :)

Bizarre Forum Spam

When SEO companies.....attack!


I think someone needs to send the "Online Media Executive" back to online media executive school...
I've seen a few sites mention that they had to remove a Shoutbox recently due to people exploiting it in some way, shape or fashion. Curiously, while wading through the recent batch of 419 scams I happened to come across an IRS Phish which seemed strangely out of place.

Here's what the Phish mail looked like (promising a tax refund of $600+, naturally):


Clicking the link doesn't take you to a fake IRS page - instead, you see this:


I decided to contact the site owner and see if he had any further information on what happened. A portion of his response said:

I was using ShoutPro 1.5.2. It looks like the attacker was able to exploit the shoutbox in some way because he created (or uploaded?) a number of files to the server. The most dangerous of these was a script called nsTView, which gave the attacker full access to all my files as well as the ability to run unix commands on my server. I got lucky.. since he was running the script from a subdomain, he was only able to actually access files within [URL REMOVED], though he was able to view file lists of files from any directory on my site, and maybe view them using shell commands.

...ouch. You can see an example of NSTView at work here, complete with screenshots (scroll down). As for the type of Shoutbox used, the version number given is significant.

The reason? Well, ShoutPro 1.5.2 has a known issue that was discovered back in 2007 which could allow potential attackers to inject and execute arbitrary code:


ShoutPro 1.5.2 fails to fully sanitize user input ($shout) that it writes
to the shouts.php file when adding a new message, this can result in the
injection and execution of arbitrary php code.


The vulnerability will in most cases allow an attacker to execute commands
on the system, the issue may be further perpetuated if the user has followed
the official documentation and chmoded the base folder to '777'

The question is, are the attackers responsible for the current crop of Shoutbox attacks using the above exploit, or something new? It seems odd that a whole bunch of people would suddenly decide to start using a year old vulnerability, but more information is thin on the ground at the moment.

A further complication is that ShoutPro is no longer maintained - all you can do is download the files and install as needed. Worse, if you go to the Download page, the current version available is.....you guessed it....


........whoops. If everyone is still downloading this version and there's potentially fresh exploits in circulation (with nobody to fix the issue in the ShoutPro code that's causing these hijacks), it's clear why so many people are currently being hit by this.

As the individual I contacted said:

Since the shoutbox caused the security hole, the only way to prevent further damages was to completely delete it.

To me, given the fact that there's no support for this product anymore, I think I'd have to heartily endorse that advice. If you're running a Shoutbox, make sure you know what kind of Shoutbox you're running, what version and if you consider the risk of what's happening above taking place on your website or server to be acceptable or not...
Are you ready for more 419 missives?

Of course you are. Plenty of winning lottery tickets, fictitious banks, a wonderfully sick "Robert Mugabe" themed mail and, er, someone called "Captain Frank Bojo" after the jump...
A lot of wannabe hackers - kids, mostly - have the idea to set up a forum, then go running to the first free forum provider they can think of. In my experience, just because the host is free doesn't mean they'll automatically be a host that tolerates hackers, spammers and all the other nefarious characters out there (in fact, it was a free host that actioned the quickest takedown I've ever been involved in - from start to finish, something like four minutes in total).

Anyway, I see this on Myspace:


When I arrived, the site had already been shut down but it's the page displayed that makes me curious:


The above seems to suggest some sort of automated "blocking / flagging" system in place that runs on behalf of the people running the free forums. There's a little more information available on their frontpage, but other than that I can't seem to dig out much information on it. Anybody know anything else about Onlineguardian? Seems like a useful tool for forum providers...
Here's a strange one. Snopes has always been a website that helped to combat mass mail hoaxes. However, I've seen a few mails snowballing (with ever increasing CC lists) regarding a page on Snopes that talks about a real infection - namely, the Storm Worm. I'm all for spreading the word on infections going around, but as the emails talk about a "new threat incoming" (specifically, the title of the forwarded mail is "Subject: read this!Please read: Big Virus coming") when the Storm Worm has actually been around for some time, it seems almost perverse to be sending mass mails about a real infection from a website devoted to combating hoaxes and.....mass mails.

Even weirder, the content of the mail begins with the Storm Worm, but actually finishes with text from a certified, 100% hoax (as you'll see with my handy all-in-bold additions).

The full content of the mail reads as follows:

    Subject: read this!Please read: Big Virus coming

        Please read: Big Virus coming

        Hi All, I checked with Norton Anti-Virus, and they are gearing up for this virus!

        I checked Snopes (URL above:), and it is for real!!

(At this point, that would be correct - the  link does indeed point to an article on Snopes regarding the Storm Worm. However, it's all about to go horribly wrong).

        Get this E-mail message sent around to your contacts ASAP.


(The above suspiciously uses the required tone needed for fake EMail hoaxes to be passed around. It's almost like someone has done that on purpose, isn't it? At any rate, it all goes horribly wrong right....about.....now):

        You should be alert during the next few days. Do not open any message with an attachment entitled 'POSTCARD,' regardless of who sent it to you. It is a virus which opens A POSTCARD IMAGE, which 'burns' the whole hard disc C of your computer.

        This virus will be received from someone who has your e-mail address in his/her contact list. This is the reason why you need to send this e-mail to all your contacts It is better to receive this message 25 times than to receive the virus and open it.

        If you receive a mail called' POSTCARD,' even though sent to you by a friend, do not open it! Shut down your computer immediately.

        This is the worst virus announced by CNN. It has been classified by Microsoft as the most destructive virus ever. This virus was discovered by McAfee yesterday, and there is no repair yet for this kind of virus. This virus simply destroys the Zero Sector of the Hard Disc, where the vital information is kept .


(.....wait, what? We're suddenly talking about something entirely different. The above is taken from the "Invitation" hoax virus warning).

Interestingly, Snopes themselves have picked up on the fact that people are combining two (or in some cases three) different sets of information about one real virus and two hoaxes, and warn people to that effect at the bottom of this page:

"Readers should take particular care not to confuse the real postcard/greeting card virus with a number of virus-related hoaxes that have been circulating for several years. A variety of messages forwarded by well-intended people to warn others about the Postcard virus contribute to this confusion by including within them links to our article about the "Virtual Card for You" hoax (or by mistakenly incorporating elements from that hoax into their warnings). Other versions of the postcard virus warning erroneously combine it with elements of the Invitation virus hoax"


A chain letter supposedly related to a Guinness Book of Records attempt that has been sighted in various forms in 2006 ([1], [2]), 2003, 2002, 2001 and 1998(!) has resurfaced again, this time in one or more schools in the UK. While you might have seen the contents of the letter republished on various websites from time to time, this may well be the first time you'll see the actual letter complete with envelope! First off, here's the letter:


Note the part where it says "You don't need a stamp but you must write Guiness Book of Records on the envelope to get the free postage on it".

Of course, it's all nonsense. What actually happens, is that the people the letter is sent to will receive a card through the door from their local post office depot telling them a package is being held and needs to be paid for. When they pay up, they'll see an envelope that says this:


Note the "Deficient Postage" stamp, along with the total they have to pay.

Here's the back of the envelope (along with the list of previous recipients of the letter, which we've blanked out for obvious reasons):


With a lot of chain letters, there is usually something involved to benefit the original sender in some way, be it financial or gathering of PII. However, in this case it appears to do little other than clog up the postal service and take a small amount of money away from every single person the letter is sent to. Anyone that receives this mail should do the sensible thing, and mail it directly to your paper shredder.
If there's one thing I hate, it's the amount of sites out there that ask people to hand over their login details for IM - usually they offer something in return (however awful) for allowing them to spam and promote their website via Instant Messaging, but in this case you don't even get that. In case you hadn't guessed yet, this is another site tied to the wonderful collection operated by TST Management, supposedly in Panama but actually having a hand in the tasty pie that is China.

Check it out, a colleague of mine was sent this yesterday:


Note how the uninvited spammer has the first part of their EMail address as the first part of the domain name they're linking to - presumably to make it look more like they're sending you a link to their personal homepage. Nice gimmick.

Anyway, click the link and you see this frankly bizarre, uh, "reinterpretation" of the real MSN Login screen:


We're left to guess exactly what we're going to get in return for signing up. The MSN box says "Pics for MSN Friends" - however, enter your login details and....


No matter how many times you try to access this "service", you're told your login is wrong.

Bit peculiar. Even worse, look what appears in the bottom corner of the screen even as I'm being told my "login has failed":


At the exact moment my "login has failed", I'm being told that I've mysteriously signed in to Messenger on another computer - presumably, trying to send spam promoting the site (though in this instance, my contact didn't receive any messages so maybe their system is on the blink).

At any rate, add imagegallerys(dot)info to the ever-growing list of sites related to this wonderful online venture...
There have been many changes to EBay recently, and because sellers can no longer leave negative feedback there is an increased desire to jump through hoops to satisfy the buyer. This is, as we shall see, something scammers are all too happy to exploit.

The first order of business is to hunt down auctions for items too heavy to post - and of course, usually the larger items go for a higher price too. Here's a typical example:


At this point, the scammer needs to do two things:

1) Ensure he wins the auction, and
2) Pay by Paypal extremely quickly so as not to give the seller time to remind them that the method of payment should have been (as requested) cash on collection (not that this matters too much, as you'll see later - doing so would only probably land the seller in more trouble).

Once the payment has been made, it's so much hassle for the seller to reverse the payment and make the buyer (as they see it) do extra work and thus risk a random negative feedback mark that they'll usually just sigh and accept the payment method given.

Once this is all done, the buyer usually makes up some excuse as to why they can't collect the item and - importantly - asks if they can select a courier of their choice to pick up the item.

At this point, the "courier" turns up, collects the item and then "loses" it. The buyer then files a claim with Paypal to say they never received the item - Paypal will then likely settle in favour of the buyer, who promptly walks away with both item and money.

A similar situation to the example laid out above can be seen here. Effectively, this problem is on the increase because EBay want you to use Paypal whenever possible. As per a recent change to their terms and conditions, you have to offer Paypal as a payment option even in situations where you're selling items that are too heavy to post and cash on collection would be the only sensible (and more realistic) option:

"In line with the recent change requiring all listings on eBay.co.uk to offer PayPal.....This means sellers must not act in any way to discourage buyers from paying by methods that they offer in their listing."

Effectively, if someone wants to pay with Paypal on what would previously have been a "cash on collection" auction, they can do and the seller can't argue otherwise. As one poster here notes,

"Do ebay really believe if you sell a item for say £300.00 a seller will take paypal and allow a collection?


The only choice a seller has is to NOT list expensive items on eBay which will be collected. That's the only way eBay will listen when enough sellers do exactly that."

On reflection, I think I'll just save myself some hassle and chop up the unused coffee table I have sitting in the corner....

Facebook Phish

This is currently being posted to random walls on Facebook profiles via accounts that have been Phished:

"hello (name), watsup?? luk i want you to add ma new friend, as she is new here maybe you can give her lil time so she enjoys her online stay :P

her profile is at
[url removed] "

Of course, the (extremely long) URL posted is not the real Facebook, but in fact a site hosted in China. The domain has been up and down since yesterday, but the URL is at least flagged by Firefox:


If you see e77c98037(dot)com anywhere on a Facebook page, turn around and run in the other direction.

Anyone logging into EBay at the moment will see this:


In addition, more detail is included in an email they're sending out to users which reads:

"We'd like to let you know about some new steps we're taking to help prevent fraudulent unauthorised activity on eBay accounts.

Later this summer, we'll begin checking the computer you use to list an item to see whether it's one of the computers you regularly use. If you list an item using a different computer (e.g. at a friend's house, in a hotel, at the library), we'll ask you to confirm that it's really you listing the item.

Confirming your identity is easy. We'll make an automated call to one of the phone numbers on your account - you can choose which one. If you can't receive a call at one of those numbers, you'll be able to add another number by answering your secret question, or verify your identity with us in Live Chat."

Could this help curb the rising tide of auction wreckers and hijacked accounts selling fictitious laptops? Time will tell...

We're getting reports that a few hours ago, Photobucket was "hacked" (I hesitate to use the term until we know the exact method used to have you see this when visiting Photobucket):


The message is from "NeTDevilz", a Turkish hacking group. Photobucket is currently back online, though I've no idea if everyone's photographs have been restored yet. More as we get it..

/ Update - Okay, this is interesting. Nobody at Photobucket is saying anything about this, bar one solitary post on their forum.

"On Tuesday afternoon, some users that typed in the Photobucket.com URL were temporarily redirected to an incorrect page due to an error in our DNS hosting services. The error was fixed within an hour of its discovery, but due to the nature of the problem, some users will not have access to Photobucket for a few hours as the fix rolls out. It is important to note that only a portion of Photobucket users encountered the problem and that no Photobucket content, password information or other personal information was affected by the redirect."

They won't say anything more than that, but to be "temporarily redirected" to a Turkish hacking group's page defacement due to an error in DNS hosting services is pretty, uh, unique? An interesting critique of the situation can be found here.

For your entertainment and amusement (along with a valuable helping of "what not to reply to"), here is another selection of recent 419 mails currently in circulation. Lots of winning lottery tickets, missing gold bullion, unclaimed African thrones and other random nonsense after the jump...
"...his phone rang, he answered - no one was there. He said he heard someone hang up, now the phone number was on the caller id so I called it back from my cell to see who was hanging up on my friend, but when I dialed the number I received a message saying this number has been disconnected.. we tried several times.

How can someone call from a disconnected line?

We also noticed that the number that made the call was my friends number just mixed up, that gave me the creeps him too. So the next day we both went to the Phone company.. this happened on a land-line...

We told our story and the woman went back to her station and talked to someone, came back and said it was a scam...and it had happened before. One detail that the phone company thought was interesting...they said the number that came up has never been used before as a persons number."

The above was sent to me by a friend asking for advice, and they kindly agreed to let me republish the above as a helpful warning not to get too worried by spoof calls. In all likelihood, the above was just a prank based around Caller ID spoofing. From the Wikipedia page:

Caller ID spoofing is the practice of causing the telephone network to display a number on the recipient's caller ID display which is not that of the actual originating station; the term is commonly used to describe situations in which the motivation is considered nefarious by the speaker. Just as e-mail spoofing can make it appear that a message came from any e-mail address the sender chooses, caller ID spoofing can make a call appear to have come from any phone number the caller wishes. Because of the high trust people have tended to have in the caller id system, spoofing can call the system's value into question.

There are numerous websites and gadgets out there that can make the caller ID look like the recipient - however, I must admit taking the recipient's numbers and jumbling them up is a new one on me. Anybody out there know if there's a program that can do this, or is it a case of someone having to know the target's full number in advance so they can rearrange it at leisure?

There are lots of sites out there that cater to a hacking / cracking audience. Some are better than others, some aren't as malicious as others, some encourage a little common-sense, some throw caution to the wind and are punished soon afterwards. A few develop a very large audience, and so I was vaguely surprised to see this when seeing if there was anything interesting going on today:


Quite a few sites have been up and down recently - add one more to the pile, I guess. The bit that caught my eye was the reference to not wanting to spend six years in prison. A note of caution, or something more? This particular site has been under constant DDoS attack lately - perhaps the strain of dealing with issues such as those has taken its toll. Either way, this site has been one of the main players in the underground scene for a very long time, so it's rather odd to see it suddenly fall off the radar like this. I doubt the full story will come out - and sometimes, it's really better not to ask...

Sysda Act

Oh hi there. Apologies for the Whoopee movie reference, but it's hard to come up with something catchy. This latest threat coming through the Facetime Security Labs steals passwords related to Chinese sites. This is not really a threat to most businesses in the US, but judging from the malware trend coming from China and spreading to the rest of the world I'd say it's only a matter of time before we start seeing the same method of theft. This new threat has been named Sysda. Sysda lies dormant until a certain site is navigated to. This site is generally related to when a user attempts to change their password for the site. After that it simply posts the information back to the attacker. Users should be on the lookout for a file called "sysdajchv.dll". All it really needs is to hook into iexplore.exe to steal your user credentials.

The above illustrates that Sysda is attempting to steal login credentials to Sohu.com. Whether this is simply a new way to phish for information, or something more sinister along the lines of fraud, is still unclear at this point. I'll let you know what I find out.
A friend of mine happens to get about six million 419 EMails every week, so I thought it might be useful to post some up as examples of what's currently doing the rounds in the world of online scamming. There's a fair amount of text, so for your sanity, the email content is posted after the jump....
In which we take a random stroll through the offices of some of the research teams. We're spread across the globe, so I figure why not take a quick look around....

West Virginia:



Does this mean I have to post up some shots of my workspace now? Okay, I guess it does. Expect an in-depth set of snaps in a few days (and thanks to Peter, Chris and Shaene for helping out with the pictures above!)

There I was on Youtube, and I happened to see the following advert:


Free Family Guy Cursors? Count me in! Clicking the advert takes you to the site underneath the image (Freefamilyguycursors.com):


....hmm, I'm not seeing any free Family Guy action yet. The "Go to download page" button is also faintly alarming. Perhaps if I scroll down a little:


Okay, that's an improvement...I guess. At least Family Guy is mentioned on the site. However, click any of the images and you're taken to another website:


Cursormania.smileycentral.com is where I've ended up, and not a single Family Guy related item in sight at this point - only a page urging me to download and install a toolbar. Will I see something related to Family Guy if I continue?


.....well, I now have a toolbar but I'm still no closer to seeing anything remotely related to Family Guy. After clicking some random buttons, the closest I got to it was this:


Of course, the domain promoting the "Family Guy" material is registered via Domains By Proxy so I have no idea who is running it. Hopefully IAC (who have spent a lot of time and effort addressing issues like this) will look closely at this one.

SoundBot Exploits Network Vulnerabilities

Hey there.  It is time for another thrilling adventure into the world of security threats.  This time I'll be going over a worm we like to call SoundBot.  This worm has the potential to leak sensitive information to the attacker about the victim's network infrastructure.  It manages to do this by not only blocking many of the security applications designed to detect it, but also by using legitimate processes that make removal difficult.

The main culprit in this infection is a file called Soundman.exe. If you see this file on your computer don't panic just yet. It's also a legitimate process. Here are some things you should watch for:

One of the first things SoundBot does is disable any type of program that would detect or remove it.  It uses 2 separate methods to do this.  When installed, it disables several legit services related to security applications such as:

It also sets up Image File Execution Options to make sure if the processes are restarted they are ineffective.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360rpt.exe       
AND finally,
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ctfmon.exe    Debugger    "SoundMan.exe"

This shows us that Soundman.exe is run instead of ctfmon.exe whenever ctfmon.exe is executed. This is an effective way of making sure the worm file runs, and it removes the need for an Autostarter value (checking autostart entries is a common investigative technique when attempting to pinpoint the actual infection in a forum environment).
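One way to check for this kind of hijack offline is to parse a `reg export` dump and list every Debugger value under Image File Execution Options. This is an added example, not code from the original post or from the researchers' tooling; the sample export is constructed (only the ctfmon.exe entry mirrors the value shown above), and the allow-list and function names are assumptions.

```python
import re

# Suffix shared by the native and WOW6432Node copies of the IFEO key.
IFEO_SUFFIX = r"\microsoft\windows nt\currentversion\image file execution options"

# Assumption: debuggers this site has deliberately configured (hypothetical allow-list).
ALLOWED_DEBUGGERS = {"vsjitdebugger.exe"}

# Constructed sample in .reg text format. Only the ctfmon.exe entry mirrors the
# post; the 360rpt.exe value is a placeholder because the post does not show it.
# A real `reg export` file is UTF-16, so read it with encoding="utf-16".
SAMPLE_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AeDebug]
"Debugger"="\"C:\\Windows\\system32\\vsjitdebugger.exe\" -p %ld -e %ld"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360rpt.exe]
"Debugger"="C:\\constructed\\placeholder.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ctfmon.exe]
"Debugger"="SoundMan.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\devtool.exe]
"Debugger"="\"C:\\Windows\\system32\\vsjitdebugger.exe\" -p %ld"
"GlobalFlag"=dword:00000200

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe]
"GlobalFlag"=dword:00000200
'''

# "name"="string data" lines; \\ and \" are the escapes used by the .reg format.
VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')


def unescape(text):
    """Undo .reg string escaping (\\\\ -> \\ and \\" -> ")."""
    return re.sub(r"\\(.)", r"\1", text)


def parse_reg_export(text):
    """Return {key_path: {value_name: data}} for string values only."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            if current.startswith("-"):      # "[-KEY]" marks a deletion, not data
                current = None
            else:
                keys.setdefault(current, {})
        elif current is not None:
            match = VALUE_RE.match(line)
            if match:
                keys[current][unescape(match.group(1))] = unescape(match.group(2))
    return keys


def debugger_executable(command):
    """File name of the program a Debugger command line would launch."""
    command = command.strip()
    if command.startswith('"'):
        path = command[1:].partition('"')[0]
    else:
        # Unquoted paths with spaces are cut at the first space; the result
        # will not match the allow-list, so the entry is reported (fail-safe).
        path = command.split()[0] if command else ""
    return re.split(r"[\\/]", path)[-1].lower()


def find_ifeo_debuggers(text, allowed=ALLOWED_DEBUGGERS):
    """List (image_name, debugger_command) pairs that are not allow-listed."""
    findings = []
    for key, values in parse_reg_export(text).items():
        parent, _, image = key.rpartition("\\")
        if not parent.lower().endswith(IFEO_SUFFIX):
            continue                         # e.g. AeDebug also has a Debugger value
        for name, data in values.items():
            if name.lower() == "debugger" and debugger_executable(data) not in allowed:
                findings.append((image, data))
    return findings


if __name__ == "__main__":
    for image, command in find_ifeo_debuggers(SAMPLE_EXPORT):
        print(f"{image}: launches {command!r} instead of the real program")
```

Any image name that belongs to a security product or a standard Windows component and appears in the output deserves a closer look, since the named program will never actually start while the Debugger value is present.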

This is a closer look at the actual worm file. Upon closer inspection of Soundman.exe we see that it is iterating through a common network structure looking for open ports. This gives the attacker certain advantages when/if he ever decides to infiltrate the victim's network.

The above picture depicts just exactly what is going on while Soundman.exe is running. It makes ARP requests and epmap requests throughout the entire network looking for potential holes.

A malware infection just wouldn't be a malware infection unless it phoned home to install numerous other infections. Soundbot is no different. It contacts a site to download a .jpg file that is no mere picture file. It is actually a collection of download links to more bad files.

The final blow to this worm is dealt by another file that poses as a legitimate process. It creates a service called "helpsvc" related to another file that initializes soundman.exe.

Network administrators should look for any unnecessary or suspicious traffic happening on their network as explained above.  If you suspect your organization is under attack from this threat, then I suggest using our handy MicroScanner!

The trend for slick looking infection file creation programs continues, with a tool designed to make servers for Botnets. I love taking screenshots of the files sitting in folders waiting to be activated, so let's get that part out of the way first, shall we?


...ah, there we go! With that out of the way, let's take a look at the application:


As with all these tools, it's as idiot proof as possible - enter your desired server, port and room then hit "Create EXE". Job done, and one custom made Server.exe is ready to roll. Of course, the creator advises binding the newly created file to help avoid detection.

Update functionality? Yep, it has that too:


Finally, this is yet another hacking tool that comes with a "chat" feature (although it's not actually functional yet). The desire for integrating chat features into hacking tools is something I wrote about here, not so long ago. Perhaps this one will be used to brag about how big their Botnets are or something.

At any rate, we detect this as AutoBot.

Research Summary Write-Up: Chris Boyd (http://www.vitalsecurity.org), Director of Malware Research
Additional Research: Chris Mannon, FSL Senior Threat Researcher

While testing the free proxy service Hidemyass.com (that lets you surf anonymously in return for advertisements) for a friend, I was faintly surprised to see the following appear in a pop up advert:



Nothing much of interest there, granted. But what made it particularly surreal was the spoken soundclip that plays in the background, reading out the text of the popup box.

Perhaps if I gave the "single biggest reason" for wanting to leave the page as "annoying, intrusive voice clips playing in the background" they'd get the message....
I'll be writing a series of blogs looking at the problem of Myspace Trolling, which has long since gone beyond the point of no return. People who pretend to be Pirates - please, don't ask - use a combination of system glitches and general foulness to make the Myspace experience as unpleasant as they possibly can. Moderators and Forum Owners complain to Myspace all the time, seemingly to no avail - when are Myspace going to tackle this issue head on?

See the first writeup here. Subsequent articles will be found under this tag.

Two Point No

As an avid fan of retro videogame systems, I spend a lot of time on EBay. One of the side benefits of using EBay so much, is that I regularly come across things like this, this and this. Highlighting these examples of online insanity is always useful to prevent people from being scammed. Indeed, even when hunting down a rare game console I can still find something that falls under the umbrella of "helping people to not lose money in a spectacular fashion", and then throw some light in its general direction. It all helps, and shows that even when you're off-duty, you're still on-duty, somehow.

Recently though, my ability to find (and then talk about) weird and not-so-wonderful things on EBay has run into a bit of a roadblock - sadly, that roadblock is EBay itself.

Previously, you'd type in what you're looking for, expand your search to Worldwide then throw in EBay stores too. It was the best possible way to uncover oddities that needed further exploration from around the globe - and the "worldwide" variable would stick around, so a rapidfire selection of searches could then ensue, from fake mobile phones to sellers listing 100 Wii consoles at a time (usually a sure sign of a hacked account or twelve).

Now? Oh dear, let's see what we have:


Rounded edges...

Bright and colourful...

.....and a completely broken search feature. Every single time you look for something, you have to re-enter the "search worldwide" and "add shop" options because it no longer remembers that you've selected them. Hence, rapidfire searching (with a large set of different search strings and variables) becomes one long slog - especially as you're forced to enter additional information in a slow loading popup box.

Welcome to the wonderful world of Two Point No, where even the most functional of websites needs to be jazzed up with the numbers Two and Zero after it, just to look a little more impressive.

It might not actually work very well after the change, but I think that's only an incidental concern...

From the Skype Forums - someone was "fortunate" enough to have this come through their letterbox:


It is (of course) a fake "So you've won the lottery" scam, but pushed through your letterbox as opposed to your Inbox (and riding on the good name of Skype into the bargain). According to the thread, the Skype Fraud team have been notified.

About this Archive

This page is an archive of entries from June 2008 listed from newest to oldest.
