September 2009 Archives

There's a website called

megasecuredownload.com

currently being spammed across Youtube (about 300 or so movies at the moment), targeting lots of different groups randomly (so far we've seen script kiddies, videogamers, MMORPG fans and more besides).

In a nutshell, if you like to do stuff, there's probably some of that "stuff" mentioned in one of their videos.

Visit the website, and you see this:

Megasecuredownload.com, originally uploaded by Paperghost.

What they've done isn't entirely a new idea, but clever regardless - a fake set of antivirus scan results claiming the file is free of infection (a quick bit of scripting makes it appear that the scan results are from today's date, whatever that might happen to be).

Download and run the file (called X-Force Generator) and you're opening yourself up to a bunch of nasties, despite what the fake scans above claim.

Here's some results from VirusTotal (there's a low detection rate for this at the moment, so be careful), ThreatExpert and Comodo. Some of the sites referenced when the file installs (scarlettartsgallery.com, redbullarts.com and myfoundryart.com) are mentioned in this blog post (scroll down to the bottom, the main body of text is unrelated to this file) which ties them to various Zbot hijacks and autostart worms.

In all probability, if you run the file you'll eventually end up with an altered desktop warning you that your system "might be infected". We're still looking into this one, but we'd advise you to steer clear.

Fake Youtube pages are normally the domain of fake media codecs and other scams. Here, we have two examples (hat-tip to Steven Burn of the hpHosts Blog and the Ur I.T. Mate sites for pointing these out to me) that promise the ability to view naughty movies online - yes, just like the fake media codec sites - but serve up something a little different.

The sites in question are evideofreak.com and videoguidez.com. Visit either, and you'll see something like this:


Fake player ahoy, originally uploaded by Paperghost.

Randomly selected images of people indulging in rudieries appear down the right hand side, and a fake video (complete with star ratings, view counts etc that has clearly been ripped directly from Youtube) sits in the middle, claiming you can see the goodies within if you install "Dream Media Player". Hover over the video, and you'll see the download URL at the bottom of the image which happens to be

preview.licenseacquisition.org/196/1056417821.10121/dmp.exe

Licenseacquisition.org is a domain that's been home to Zango installers for many years (now owned by Pinballcorp.com, who took them over when they went boom not so long ago). Do you think we might see files that have a Zango-ish feel to them once the install is complete?

Well...

Setup, originally uploaded by Paperghost.

Seekmo, also owned by Pinballcorp. In this case, you do actually get something to play with once the install is over - besides Seekmo and ShopperReports - in the form of this bizarre radio / TV streaming program:

DMP, originally uploaded by Paperghost.

However, the program in no way allows you to watch any of the promised movies on either of the above sites, due to the fact that they don't exist.

Another scam, pure and simple, with promises that simply don't materialise once the install is done and dusted. What's particularly alarming here is that after a (relatively) quiet period of Zango not showing up in screwball installations, they seem to be popping up more and more in recent months.

I don't think I can recall seeing a Zango / Seekmo file popping up on a fake Youtube video page before, so someone definitely needs to tighten things up in the "crazy affiliate" department.

A while ago we wrote about multiple friend requests made on the XBox Live network with the aid of PC based spamming tools. Well, if you try any of those shenanigans now you'll see this:

blockstopped1.jpg

I'd call that a result!

"Download unlimited movies with Emule", it says on the front of emuledownload.org.

Fakey Mc Fake Pants, originally uploaded by Paperghost.

Hover over the image that launches the executable download and you see this in your browser:

mlz2.jpg

"emule.exe". Of course, anybody hitting download isn't going to get a copy of Emule. Hit the link, and you'll see this:

mlz3.jpg

Yes, a file from the Pinballpublishernetwork. You know, the guys who bought the still twitching corpse of Zango. Now, I don't know about you but anytime I see something promised in return for Zango it has a tendency to go horribly wrong. I'm sure that won't be the case here, tho -

mlz4.jpg

...wait, Hotbar? Where is my copy of Emule?

On the bright side, you now have an awesome doohickey in your System tray that tells you the weather.

mlz5.jpg

That's better than being given what you were promised, right?

...it's not? Oh.

A number of underground websites have come up with a fun "game", which involves defacing websites then changing the frontpage to look like this:

fbiunderz.jpg


This website is under investigation


This web site belonged to a recently prosecuted criminal and is being used as a tool in an investigation to catch online criminals.

Your IP xxxxxxxx has been logged. Your ISP, xxxxxxxxx will be contacted, your contact information subpoenaed, and you may be personally contacted by a FBI agent.


There's a handy, ready-to-roll kit for site defacers to upload once they've hijacked a site - helping you pretend to be law enforcement without any pesky delays:

fbiunderz2.jpg

Of course, there are a few clues that seeing the above shouldn't place you into a frenzy of panic - most notably, the typo ("and you may be personally contacted by a FBI agent"). Even better than that, we know Law Enforcement don't place silly warnings on websites that might have been defaced or tangled up in hacking. That would just muddy waters and confuse everybody.

Right?

Move along, nothing to see here...

Gamertag Exploit Rumbles On

Back in August we reported that individuals were changing their usernames in gaming sessions to impersonate Microsoft staff and game developers, grabbing login details from unsuspecting victims. It seems the problem is not only still taking place, but now comes with an interesting addition - the hackers have found a way to play on the XBox Live network for free while using the above exploit.

Whoops.

The "playing for free" thing is a new one on me, but I'm a little surprised Microsoft haven't fixed the ingame namechanging yet - this has left users open to social engineering for a number of weeks now. Fingers crossed they put this one to bed for good...
This is a developing story worth keeping an eye on.
Remember these guys?

Well, they're back on Twitter, and they've ditched random pictures of people's faces - instead, they now use cute little bird graphics, presumably to make you think they're somehow official or related to Twitter itself. Examples...

fktwtbrdgjb.jpg

fktwtbrdgjb2.jpg

fktwtbrdgjb3.jpg

fktwtbrdgjb4.jpg

There's a lot of these profiles around at the moment - ignore / block the lot of them and hope Twitter gets a grip on this fresh wave of spammers...

Update: According to comments left on the blog, the images are the new default "auto image" for profiles that don't have a picture. However, the same rule applies: Anyone promoting "Google hiring" messages should be blocked / reported. I've also replied to criticism of this entry here.

PSN Account Stealer

Not sure if I've seen one of these before, but it had to happen eventually. Following on from fake XBox point generators and Wii scams, here comes a Playstation Network Prepaid Card Adder.

Or as they put it, "Prepaide". Terrible spelling aside, if you're ever sent the program on the left hand side of the below screenshot, don't run it.

psnstlr1.jpg

You won't get free money, but you will have your account details stolen, courtesy of the building tool on the right which sends your login to the GMail account of whoever sent you the file.

Is it time for me to say "avoid"? I think it is.

When you see an advert like this one, you know it's going to lead you on a merry dance:

dsbleadblck0.jpg

Sure enough, click it and you'll arrive at

onlinemoviesfree.com

where somebody has turned out the lights IF you happen to be running adblock software:

dsbleadblck1.jpg

Nice. If you wait long enough, a bizarre advert for Ye Olde Forex Trading slides into view regardless of whether you disable Adblock Plus or not:

dsbleadblck2.jpg

....yeah, avoid Forex sites like the plague. Anyway, should you disable Adblock Plus you're dumped into an advert overload with popup warnings, donate buttons, strange spinny things and a bunch of Google ads rambling on about male escorts.

dsbleadblck3.jpg

Yes, you too can enjoy the delights of Bollywood, Hollywood and, uh, Lollywood? Never heard of that one. As you might expect, the content is a long list of ripped movies that you can grab from various sources - or so they claim. What actually happens is you end up wading through lots of Linkbucks links, before being dumped on movie-themed adverts that want you to either

a) hand over every aspect of your personal details, or
b) download media themed "software" from pages written entirely in German.

Can't say either prospect really appeals to me...

More often than not, the DIY programs I see tend to be on the murkier side of "designed well". In fact, it's more like somebody threw up on their coding tools. However, sometimes a leet hax program comes along and despite the horrible things it does, you can't help but be impressed by the design and general stylistic trappings.

The creators will still burn in Hell, of course.

But ooooh - shiny. Blinky.

Anyway, here it is - the Phish Pharm:


phpharmz1.jpg

In case you're wondering, the fake Phish pages are in the Source Files Folder, and the two programs used are underneath. Let's take a trip to the pharm - sorry - first.

phpharmz2.jpg

As you can see, it's a well designed package with a lot of options. A whole bunch of "target sites" are pre-made and ready to roll, from Twitter and Myspace to GMail and Steam - no messing around trying to create fake login pages here.

There's SQL support too:

phpharmz3.jpg

.....slick. The final option allows you to be notified via EMail every time someone falls for one of your Phish pages. However, you can skip that altogether in favour of a more elegant solution - the Monitor.

Fire up the second program, and it dumps itself into your System Tray. As and when stolen accounts appear in your logs, the program - which can be made to check at an interval of your choosing - pops up a message like this:

phpharmz5.jpg

Click the message, and the Monitor program launches:

phpharmz4.jpg

Type of Phish (in this case, a GMail phish), Username, Password and IP Address are all logged.

Did I mention this was slick? Depressingly so. Anyway, avoid phish pages, etc etc and yadda yadda.

Spambot Fail

sbtfail.png

....whoops.

Hat-tip to Kevin Church for spotting the Bot!

4Shared: Morocco Mania

It seems something strange happened overnight to 4Shared, the popular file sharing website. Anybody going there would have been redirected to the following URL:

abcjardins.com/hacked

..where the following happy message was displayed for all to see.

4srdhc.jpg

Charming. At time of writing, 4Shared no longer sends you to the above message and appears to be working fine. We'll do some digging and see if we can turn up any further information...

The IP Detector

If a script kiddie can grab your IP address, they're one step closer to being a pain in your backside. More often than not they'll just use it to threaten you with empty promises of digital destruction; occasionally it'll be used for a bit of real world stalking via social engineering calls to your ISP, or pasting it into a DDoS program and watching the "fun" begin. It can also come in handy on the few "forgotten login" forms that sometimes request an IP address, but that's not a very common scenario.

Anyway, grabbing IP addresses. I noticed someone has come up with a clever way of doing it, and thought you might benefit from a big "avoid that site" warning. So here it is. The site to avoid is

reza24.com

and now we'll see why you should steer clear.

ipdtct1.png

Above, you can see the "ip detector" website. The attacker creates a username and enters their EMail address - when they hit Submit, they'll see a custom made URL with their unique ID number bolted onto the end.

ipdtct2.png

You know what happens now, right? Yep, you guessed it. The attacker goes off, pimps their URL via IM, chatroom or forum and when the victim opens the URL (which is a fake "page is missing" message)...you have mail!

ipdtct3.png

Every time someone hits your link, you'll receive one of the above. You can probably guess the content...

ipdtct5.png

...whoops. You can see an example of how someone tried to grab IP addresses here, which is a forum thread discussing a page on Techdirt being owned by someone called Biohazard - who then went on to post this on the compromised page:

hacked_techdirt.jpg

You can see what he did there...

Skiddy EULA

I saw this on a phishing tool, and thought it was pretty entertaining. Some of the things people put onto hacking / phishing programs never fail to amaze me.

skidwarning.jpg

Thought I'd get this online asap, as Maplestory is a pretty popular MMORPG and this one seems to be doing the rounds, so let's get down to business.

A number of leet hax forums are promoting a tool that looks like this:

maplemezosz1.jpg

As you've probably guessed, the above is sent to the victim with the promise of free stuff (in this case, up to 100 million mesos and 50k NX, which I suppose sounds very impressive).

Anyone unfortunate enough to enter their Username, Password and PIN is going to find themselves on a one way trip to Phishtown courtesy of an EMail sent in the background to the attacker. We're still trying to grab a copy of this program (wary of leeching, distribution is currently limited to direct requests from trusted members on certain forums) but some of the features are pretty interesting. Check this out:

* Vista manifest for highest permission available (asks for admin permission before starting)
* Edits the hostfile so the victim cannot go to any help sites/nexon mainsite
* Checks to see if the username & password is correct, via the official website.
* Comes with a builder.
* E-mail tester in builder

In addition, these are pretty clever things for a program like this to do:

* Encrypts your GMAIL E-Mail & Password.
* Auto kills ALL running Process explorer(s) before sending you the inputted info.
* Auto kills ALL running WireShark(s) before sending you the inputted info.

Auto killing Wireshark and process explorers? Can't say I've seen that done in a phisher like this before.
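Of the features listed above, the hosts file edit is the one a defender can check for directly from disk. The script below is an added example, not code from the original post or from the tool described: it parses a constructed hosts file and flags any entry that pins a watched vendor or support domain, or that sinkholes a non-stock hostname to loopback / 0.0.0.0. All domain names in it are placeholders.

```python
"""Flag hosts-file entries that block help or vendor sites (added example).

A phisher that edits the hosts file so the victim "cannot go to any help
sites" leaves a visible trace: static mappings for names that never belong
in a stock hosts file. This parses the file and reports them.
"""
import ipaddress
from typing import Iterable, List, Tuple

# Hostnames that map to loopback in a clean, stock hosts file.
STOCK_NAMES = {"localhost", "localhost.localdomain", "broadcasthost"}

# Addresses used to sinkhole a name so the browser can never reach it.
SINKHOLE = {"127.0.0.1", "0.0.0.0", "::1"}


def parse_hosts(text: str) -> List[Tuple[str, str]]:
    """Return (address, hostname) pairs from hosts-file text, comments stripped."""
    pairs = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop trailing comments
        if not line:
            continue
        fields = line.split()
        if len(fields) < 2:
            continue
        addr, names = fields[0], fields[1:]
        try:
            ipaddress.ip_address(addr)        # skip malformed lines
        except ValueError:
            continue
        for name in names:
            pairs.append((addr, name.lower()))
    return pairs


def _under(name: str, domain: str) -> bool:
    """True if name is domain itself or any subdomain of it."""
    return name == domain or name.endswith("." + domain)


def suspicious_entries(text: str, watch_domains: Iterable[str]) -> List[Tuple[str, str, str]]:
    """Return (address, hostname, reason) for entries that pin a watched
    domain, or that sinkhole any hostname outside the stock set."""
    watched = [d.lower() for d in watch_domains]
    findings = []
    for addr, name in parse_hosts(text):
        if name in STOCK_NAMES:
            continue
        reasons = []
        if any(_under(name, d) for d in watched):
            reasons.append("pins a watched domain")
        if addr in SINKHOLE:
            reasons.append("sinkholed to " + addr)
        if reasons:
            findings.append((addr, name, "; ".join(reasons)))
    return findings


# Constructed sample hosts file; the .example/.test names are placeholders.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.   (constructed sample)
127.0.0.1       localhost
::1             localhost
127.0.0.1       nexon.example            # game vendor site, sinkholed
0.0.0.0         support.example.com help.example.net
192.0.2.10      www.example-av.test      # redirected to attacker's box
"""

# Domains a defender would watch: the game vendor and an AV vendor (placeholders).
WATCHED = {"nexon.example", "example-av.test"}

if __name__ == "__main__":
    for addr, name, why in suspicious_entries(SAMPLE_HOSTS, WATCHED):
        print(f"{name:28} {addr:12} {why}")
```

On a live Windows box the same function can be pointed at the contents of %SystemRoot%\System32\drivers\etc\hosts, with the watch list set to the vendor and support domains that matter to you.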

Avoid the above program like the plague...

Too Good To Be True? Yes

As a follow up to this entry regarding fake Google job adverts, you might want to read this - you can see exactly what happens to anyone unfortunate enough to pay up.

"So I clicked on the ad, and it said Google, so I thought, 'that's safe enough, it's Google,'" victim Laurie Roerink said. For less than $4, Roerink was supposed to get a job kit. Instead she received a disk full of bogus materials for jobs that do not exist and a bill for $72 from a company called Google Money Tree.

Steer clear of those ads!

Guns, lots of guns. Well, two. Originally uploaded by Paperghost.

Next month - October 6th & 7th - I'll be at the Sector.ca Conference, talking about a subject close to my heart: how lots of rather naughty people are using consoles to both cheat the system and attack other users, via spam, DDoS and account theft. Is it abstract extract time?

I think it is.

Game Over, Man: Gamers Under Fire - Chris Boyd

An exploration of security issues relating to consoles and their risks to both home users and the business environment. This will include issues such as custom built DDoS tools, social engineering of Microsoft support staff, account theft, the risk to businesses and personal tips to keep your own details secure. I'll also examine the trade of stolen Xbox accounts in return for credit cards, how the rewards that companies give gamers make them targets because of inadequate privacy features and how free programs allow hackers to exploit profanity filters, paid content and even the profiles themselves.



As you may know, I've spent a lot of time digging around script kiddy forums. By and large, most of what I see isn't very impressive. However, for a while now there's been an interesting offshoot of hacking forums, with entire sections devoted to console hacks and attacks. There's an impressive amount of technical knowledge and skill going into the creation of hacking tools for consoles, hacking the console itself and doing all sorts of horrible things to the people that use them.

Some of the techniques used to turn an otherwise harmless lump of content restricted plastic - whose very soul is supposedly on the leash of the company who made it - into something you can spend all day annoying somebody with never fail to amaze me.

How many companies now have gaming / recreation rooms with a console just plugged in and left to its own devices? How many parents mistakenly think the worst thing that'll befall their kid is seeing someone get their head blown off on GTA4?

They're all accidents waiting to happen, and the general promotion of consoles as these "unhackable, unsinkable" battleships of gaming is something that needs to be examined in greater detail.

It's not just PCs under fire anymore...

We've written about a moneymaking tactic involving Government grants, "cash from Google" and fake news sites previously (more on this at the Wired Threat Level blog). Well, look what's finally appeared on Twitter:

gspmtwtr1.png

"If you haven't heard yet, Google is hiring people online, information is at: tinyurl.com/workingwithgoogle ... Very Interesting!"

Google are hiring who on the what now?

Visit the redirection URL, and you're taken to

autotextsender.com/google/index.html

The fake news page is now a familiar sight, but the sheer bare-faced cheek of what they claim with this new effort is truly astonishing:


Breaking news: Google hiring Americans and Canadians to work from home

The billion dollar company has never opened it's doors to hire from the public before. Today they have openend their doors and will be hiring thousands of people to simply post links from the comfort of their homes.


"Hiring thousands of people"? It goes on:

Has the online titan now opened the doors for everyday people like you to work for them?...Google has now opened it's doors and will be hiring everyday people to work from the comfort of their own homes posting links. The way this works is Google will allow people to signup and receive a package which will contain all the step by step instructions to get setup from home.

There it is again - "hiring people". Want some more? How about some absolutely hilarious "quotes" from Google themselves?

The way this works is very simple, Google says.

First you will need to apply for their work from home kits. Google has release a limited amount of kits, all distributed through local websites in your area throughout US and Canada, which will cost $2 of shipping and handling to the public.

Google says this charge is made to cover shipping costs but also to separate the people that are serious about working with them through this program.

"We start off our work from home program only requiring 1-2 hours a day of work, earning a great income from the start. This way our work from home employees will see the benefit and start devoting more and more time each day and their salaries will increase accordingly" Google reports.


I'm pretty sure people who sign up as Google affiliates are not "employees" and don't get "salaries". I'm also pretty sure any "shipping costs" won't be going to Google.

All we need now is a fake quote from a fake Google "employee", right?

Mary, a mother from Toronto, who worked with Google in the experimental parts of this program, is thriving, in the middle of an economic recession, working in the comfort of her own home with Google.

....hahaha. If you go back to the original fake news site from a few months ago, Mary is mentioned there too - only in the context of someone using a "Google Home Income" kit, not as an employee on an "experimental program". Good to see she's moving up in the World though.

You know what the best part about all of this is? Should someone actually get all excited about this and click the link to start a new life working for Google, they end up on a site similar to this Google Cash Club effort. What's at the bottom of the page?

gspmtwtr2.png

...oh dear.

Zango's New Moon

Twilight.

Now that I've induced headaches and nosebleeds, let me walk you through a scam related to the upcoming New Moon movie, the second in a series of...oh, I don't know....let's roll with twelve. Twelve movies guaranteed to make you pull your hair out.

Anyway.

Youtube is filling up with lots of clips that look like this...

zangmoon2.jpg

...and like the one below. There are some rude words, but it's important to note many of these scam vids are relying on the audience's desire to see the two leads of the Twilight films bumping uglies.

zangmoon1.jpg

...um.

So anyway, the viewer goes running off to the sites mentioned - one of which is a dubious looking Forex trading site, and I don't need to tell you that FOREX SCAMS ARE BAD - and the "install link", which is a redirect URL:

tiny.cc/kristenanal

....charming...and you arrive on a Zango install splash page, located at

boxoffice.powered-by.zango.com

which shows you lots of pictures of Iron Man, The Joker and some other random movie people in the background with Ye Olde Zango Installer in the middle of the screen. At this point, I should mention Zango have altered their "Cancel Install" button, which famously made no sense whatsoever:

bc1.jpg


"Click OK to Cancel or Click "Cancel" to continue the installation".

Well, here's the new version. It also makes no sense whatsoever, though it isn't quite as brain melting as the first.

zangmoon4.jpg

"To quit and not install, click OK. To continue installing Zango and cancel this notice, click Cancel".

Awesome.

Should you install Zango, you won't get any free movie. You won't see the red hot boinky-boinky action you were promised.

What you will see is this website promising to "burn your boredom":

zangmoon6.png

Amazingly - or not - New Moon is nowhere to be seen, and all of the "movies to watch" resolve to a URL that looks like this:

http:///#

As you might have guessed, you won't be watching any free movies anytime soon. The site above is Blemax.com, feel free to add it to your blocklists.

Oh, and don't be writing angry Twilight fan letters shouting at me because I said there'd be twelve films and how I'm slamming it without knowing the subject matter at hand. As everybody knows, there are four books, there will be four films, and they will all be terrible.

....I'm doing it again, aren't I?

Remember this spamming program? It seems someone decided they really needed MORE SPAM EVERYWHERE. With that in mind, a modified version of that application now lets you send infinite spam messages to up to four people at once.

spmz10101.jpg

I've heard somebody decided to go one better, and there's now a tool that spams five lucky individuals. Wonder when we'll hit double figures...

I've steered one person away from indulging in the below craziness, and I thought it might be worth mentioning. If you're looking for P2P programs, take note of the following screenshot:

mulee1.png

The program on the right is a version of eMule downloaded directly from the official website. After installing it, you'll see...well....eMule:

mulee5.png

The program on the left is - so they claim - the same version as the one above. However, trying to install it will present you with this a little way into the install:

mulee2.jpg

Yes, you need to send two SMS messages at a cost of 3.00 GBP to obtain an "installation code" that lets you continue with the install. Whether this works, I have no idea. It goes without saying that you should avoid the SMS nonsense and go directly to the official website.

There's quite a few of these around for numerous P2P programs:

mulee3.png

mulee4.jpg

It's easy enough to spot the websites pushing these "pay to install" versions, as they all look very similar and cookie-cutterish:

mulee6.jpg

mulee8.jpg

mulee7.jpg

mulee9.jpg

It's about the first time I've been thankful for hideous websites....

About this Archive

This page is an archive of entries from September 2009 listed from newest to oldest.
