Christopher Boyd: April 2009 Archives

It seems an endless wave of chain letter messages is starting to annoy people.

You'd think it would be pretty easy for Microsoft to block communications with "900" in them, but apparently not...
[image: ffkr.jpg]

....and so charmingly named, too. Facebook Freezers: the best reason ever for keeping your login EMail address a secret.
If you use Facebook, Myspace or any other Social Networking site you'll no doubt be familiar with messages like this and this. Typically, they all involve sending them on to an endless stream of participants, lest you suffer bad luck in the form of being hacked, losing your job, dying horribly or being stalked by vengeful ghosts for the rest of eternity.

Of course, it's all nonsense.

Well, illustrating that you're not safe from these kinds of chain letters regardless of which digital domain you happen to use, here we have multiple instances of chain letters making their way onto the XBox Live gaming network.

Over the past few days, large numbers of people have been reporting being sent messages from both friends and complete strangers over the XBox Live messaging system that contain nothing other than this:

[image: ms9001.JPG]

...enigmatic, isn't it?

However, it's not too hard to figure out. The symbol under the 900 is the symbol Microsoft uses for Microsoft points, which can be used to buy downloadable games / movies and music for the Zune player. Some wonderful individual has decided to spread word that if you keep sending the above message to people over XBox Live, then your account will be credited with 900 Microsoft points.

As you can imagine, there's more chance of winning the lottery ten times in a row without actually ever playing.

I look forward to being sent messages about viagra pills and rolex watches via XBox Live in the near future...


There's a site doing the rounds that promises "two years free" for a popular Counter Strike Mod:

[image: csmod1.jpg]

Of course, they want you to enter your Steam login details to access the game.

The link to avoid is

conterstrike15.fr.gd

There's been a rash of spam zinging around on Twitter, all of which is directing users to

SmartEcard.com

You can see more about that here, on the Sophos blog. The spammer tactics seem to be changing a little, perhaps so they can avoid detection for a little while longer. We're starting to see profiles that don't send out spam links via messages, but instead place the spam URLs in the profile description.

Here's a sample; you'll probably spot the rather odd pattern the URLs follow:

[image: scard2.png]

twishmake.com
twiles.com
twantastic.com

Um, yeah. A little bizarre, I'm sure you'll agree. All of the above domains look identical to the SmartECard domain; there are probably more out there too:

[image: scard1.png]

As with the warnings about the original domain, if you've entered any login details at the above sites, go and change them immediately just to be on the safe side. Interestingly, all the profiles I've seen related to this scam are blank placeholders with no photo or information added. However, there IS one where they've made a basic attempt to look like a real person:

[image: scard3.png]

Don't be fooled - the above profile is as fake as the rest of them. While you're probably sick to death of being told to watch what you click on Twitter right now, it's about the best advice anyone can give.

Mikeyy Gets Owned

It seems someone took a dislike to the kid recently revealed to be the source of multiple woes on Twitter.

A hacking group have taken him to the cleaners and then some. More here, and also here.

Dial-A-Hack

Here's an enterprising attempt at making some cash from utterly useless hacking programs that don't work.

First, they've created a Youtube account and (naturally enough) stuffed it full of impressive looking videos. Hack this, hack that, hack everything. How could you possibly refuse?

[image: dialahack1.jpg]

Visit the website offering the programs, and things deviate a little from the usual "download infected file from Rapidshare / destroy own PC through greed" template I've come to expect.

Hit one of the download links such as the one below...

[image: dialahack2.jpg]

....and you'll see this appear.

[image: mmh1.jpg]

Can you guess what's coming next?

[image: mmh2.jpg]
That's right, select your country, enter the code and start racking up a huge phone bill....just to get your hands on vaporware hack programs.

I'll leave you with some comments from their (not so) satisfied customers...

[image: dialahack5.jpg]

The below site:

itunes-multiplier.webs.com

should be avoided, as it's nothing more than a cheap con trick. The gag works like this - you go out and buy an iTunes card (which uses a code that is redeemed inside iTunes to credit your account).

Then you see the above website promising it can double your points and start to feel a little greedy. Here is the "multiplier":

[image: winmill1.png]

Yes, you too can enter your own code and send it to a stranger, safe in the knowledge that in a few minutes they'll have registered your code to their account. Still, buying music for scammers is very philanthropic. I guess.

I particularly enjoy the lame technobabble that scam sites such as this employ; this one is better than most, for comedy if nothing else.

"Here at our site, we work with some of the best names in computer debuggers and specialists to make things like this possible. Over many months of research, our programmers have determined a way to multiply iTunes card's value. What happens is:

Once you enter your iTunes cards information into our Multiplier, it is sent to our servers where our team runs it with a private program called WINMILL. This program sends the information as a link directly to Apple Inc., who credits the card with extra uses."


...WINMILL?

I guess we know what the scammer sees when he opens his curtains each morning...



Asobi Seksu are one of my favourite bands of recent years, and while trying to work out where to buy an acoustic album they released not so long ago, I happened to come across a website called

music-megaupload.com

They're clearly riding on the back of the name of the legit file download site Megaupload. More importantly, they claim to be offering up a full version of one of their albums:

[image: asobi1.jpg]

As you've probably guessed, that is NOT anything remotely resembling an album - rather, it's an executable file pretending to be an album.

Oh, the blasphemy.

Anyway, once the file is on the PC, you can't help but notice...well....take a look for yourself:

[image: asobi2.jpg]

Does that icon look like an Oscar? Why yes, it does...a little strange, don't you think?

Run the file, and you'll see an installer prompt for one of those not-so-wonderful fake media codecs:

[image: asobi3.jpg]

Continue with the installation process, and you'll find your browsers aren't working. That's because this is a variant of the DNS Changer trojans that enjoy breaking your internet, usually while downloading fake backgrounds warning of dire infections that only rogue removal tools can fix. Here are your tampered-with DNS settings:

[image: asobi4.jpg]

Lovely.

The executable is served up from

implugins.net

which has been around since March 2009, with an EMail address associated with numerous malicious domains. Coverage is rather poor for this file at present; here are the VirusTotal results:

[image: asobi6.jpg]

As you can see, only 5 out of 40 scanners pick it up at the moment.

In conclusion, then, we have

1) A fake weblog trading off the Megaupload domain name
2) Endless fake MP3s and albums served up from a second domain, which are actually DNS changer trojans disguised as media codecs. This is itself an interesting tactic, as usually fake media codecs are served up in exchange for what the user thinks are movies, not music.

If you really want to grab some Asobi Seksu music for free, I'd suggest doing it the legit way - visit their official media page.

You definitely don't want the Oscar remix edition...
[image: nolongeravphe1.gif]

Yesterday, I wrote about an IM password stealer available to download from sites such as ZDNET / cnet.download.com. Well, it now appears to have been flushed from all related websites.

Thanks to the Download team for their quick response - they've shown a commitment to removing rogue elements from their download sections in the past, and incidents such as this seem to be few and far between.
Generally, download sites do a good job of keeping potentially undesirable programs off their network. You might see the oddly titled "family keylogger" program and wonder about the ethics of such a utility, but leaving those rather dubious grey areas aside, mostly things take care of themselves.

However, while browsing the cnet.download.com site today, I happened to find something rather peculiar in their "Network Monitoring Tools". Namely, this:

[image: apheve101.jpg]

As soon as I saw the creator description of the program, I knew something wasn't quite right:

"Apheve is a great piece of software that has the ability to disguise itself as multiple IM programs including MSN, Skype, and BT Yahoo. This is perfect if a visitor is coming round who wants to access their IM account."


Wait, it "disguises" itself as multiple IM programs? And its name sounds like a bizarre slang version of the word "thieve" (A Pheve)?

Oh dear.

As you might expect, the program is available to download on numerous sites, including CNet Asia and ZDNet UK. Up for grabs since May 2008, the number of downloads is somewhat alarming:

18,214 - download.cnet.com
9,186 - CNET Asia
455 - ZDNET.co.uk

Not including other sites related to the above URLs, that means there's a grand total of at least 27,855 people (possibly) running round trying to steal your IM logins. (Check out the comments for more thoughts on what all those people may....or may not....be using the program for).

Did I say steal? Yes, I did. Presenting.... "Apheve":


[image: aphevez0.PNG]

Quite simply, you select the IM client of your choice - MSN Messenger, Yahoo IM or Skype - and hit the "Start!" button. Then you retreat to a safe distance and let your victim use the PC. As we've seen before, these kinds of programs work great for scammers in net cafes, libraries and schools / universities.

The victim will see one of these:

[image: aphevemsn.PNG]

[image: apheveyahoo.PNG]

Of course, both of those IM boxes are entirely fake. Should you enter your login details, you'll be shown an error message and wander away from the computer feeling vaguely annoyed. Meanwhile, the attacker jumps onto the same computer and clicks on the apparently harmless looking fake icon in the Taskbar - in this case, a picture of a DVD / CD:

[image: fakeaphevetooltip.PNG]

....and is presented with your login information, courtesy of a nifty popup box:

[image: apheveskype2.PNG]

Is it just me, or does that go a little beyond the scope of "Monitoring Software"?

The program has absolutely no reason to exist other than harvesting login credentials.

Even the choice of targets seems designed to cause as much trouble as possible - Skype accounts will probably have unused call credit stored against them, Windows Live accounts may well be linked to EMail as well as IM, potentially giving access to yet more personal information, logins etc.

Any claim by the creator that this is intended for "network security" is fairly blown out of the water when we check out his Youtube channel, only to find...

[image: apheve4.jpg]

...he's promoting it with the title "How to hack Msn, Skype or Yahoo with Apheve 1.1", with "Apheve pro - The ultimate hacking tool" in the description.


The only good thing here is that due to the program being around for a while, the fake versions of Skype, Windows Live Messenger etc look rather outdated and not very much like the real, current versions. The DVD / CD icon in the corner could also be a giveaway, though of course you can change that if you really want to.

We've EMailed the Downloads team, and will post again when we hear back from them.


Given the rather single-minded purpose of this application, I'm a little surprised it managed to squeeze through the cracks. The above download sites may well be "Tested Spyware Free", but they're currently not "Tested Horrible IM Stealing Piece of Junk Free".

Hopefully that might change shortly...

I've written about Freezers before - in short, programs designed to repeatedly spam the login page of various sites & services with the victim's EMail address and randomly generated passwords, until the account is locked out.

These Freezers take many forms, and have numerous features including built in browsers, progress bars and the ability to endlessly spam the target account until the PC melts or the account is permabanned, whichever comes first.

Well, here's another one, and it looks considerably better than the first (and that was no slouch in the looks department to begin with). As you can see, this one targets both Messenger Live and Facebook (alternating between the two with a nicely done set of tabs).

[image: fcbkfrzr2.gif]

The "Freeze" and "Skip Freezing" buttons are very chunky (it's all very 2.0, isn't it) and there are options for "help", "support" and an "about" panel too. Although the Windows Live Freezer didn't appear to function correctly, the Facebook Freezer caused the same problems as the program I wrote about a few weeks ago. Fire it up, walk away, leave it running for a few hours and when you return, the account will have been disabled - leaving the account owner with the prospect of trying to reactivate it, or skip the hassle and start from scratch.

[image: fcbkfrzr1.gif]

As before, the best (and only) advice you can really give where these tools are concerned is to avoid handing out your EMail address used for various social networking sites to strangers. If the site you use insists on showing your address to visitors, look for the option to hide it.
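To show why these tools work at all, here is an added example (my own code, not the Freezer's and not any site's real login code) that models a login endpoint under two policies: the per-account lockout a Freezer relies on, and per-source throttling that leaves the account owner able to log in from elsewhere. The source addresses, account name and thresholds are constructed for the demonstration.

```python
from collections import defaultdict, deque


class LoginThrottle:
    """Models two ways a site can react to repeated bad passwords.

    mode="lockout":    failures are counted per account; after max_failures the
                       account is disabled for everyone. This is the behaviour a
                       Freezer abuses: knowing the victim's email address is
                       enough to trigger the lockout.
    mode="per_source": failures are counted per (source, account) pair, so the
                       guessing source is throttled while the real owner,
                       logging in from elsewhere, is unaffected.
    """

    def __init__(self, mode, max_failures=5, window=300):
        assert mode in ("lockout", "per_source")
        self.mode = mode
        self.max_failures = max_failures
        self.window = window                   # seconds a failure stays counted
        self.failures = defaultdict(deque)     # key -> timestamps of failures

    def _key(self, source, account):
        return account if self.mode == "lockout" else (source, account)

    def _recent_failures(self, key, now):
        q = self.failures[key]
        while q and now - q[0] > self.window:  # forget failures outside window
            q.popleft()
        return len(q)

    def attempt(self, source, account, password_ok, now):
        """Return 'ok', 'denied' (bad password) or 'blocked' (throttled)."""
        key = self._key(source, account)
        if self._recent_failures(key, now) >= self.max_failures:
            return "blocked"
        if password_ok:
            self.failures[key].clear()
            return "ok"
        self.failures[key].append(now)
        return "denied"


def simulate_freezer(mode):
    """Constructed scenario: a Freezer hammers one account with random
    passwords for 50 seconds, then the legitimate owner logs in from a
    different address, then the Freezer tries again.
    Returns (owner_result, freezer_result)."""
    site = LoginThrottle(mode)
    freezer_ip, owner_ip = "198.51.100.7", "203.0.113.5"   # documentation ranges
    victim = "victim@example.com"                          # constructed account
    for second in range(50):
        site.attempt(freezer_ip, victim, password_ok=False, now=second)
    owner = site.attempt(owner_ip, victim, password_ok=True, now=60)
    freezer = site.attempt(freezer_ip, victim, password_ok=False, now=61)
    return owner, freezer


if __name__ == "__main__":
    for mode in ("lockout", "per_source"):
        print(mode, simulate_freezer(mode))
```

Per-source throttling alone does not stop guessing spread across many sources, so sites pair it with monitoring of failures across all accounts; the point here is only that a lockout keyed on the email address alone hands any stranger who knows it a way to disable the account.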

SkypeSkraping

My good pals at the Secure Science Corporation have recently been taking a long, hard look at Skype.

Good thing too, because this is what they came up with.

As a side note, you should definitely consider subscribing to their blog which makes a welcome return.

Virus Storage....

There's a site currently online that was apparently hacked not so long ago:

[image: tchbh1.jpg]

In case you're wondering, the thing in the middle is an infection file pretending to be a .jpeg.

Well, if you go to a certain directory of the site now, you'll see this:

[image: tchbh2.jpg]
Yep, people are using the webspace to upload infection files for downloads & Botnet / IM related spreading. From the looks of it, the site in question is being advertised on numerous forums for communal file storage. The hosts have been notified.

Stop: Spammer Time

Awful title gag aside, it seems someone is having a little fun in MSN Messenger land.

They've gone out and phished a number of accounts, then added all the people on their contact lists into one single file available to download.

[image: msnhrsz1.jpg]

Why? So you can add all 976 of them to your contact list then start spamming / harassing them.

[image: msnhrsz2.jpg]

Of course, the "MSN harassment list" has one fatal flaw - you don't HAVE to accept that random friend request that just popped up on your desktop.

So don't :)
Yet another cookie cutter movie site that gives you little or nothing in return for installing Adware? Yes please!

Much as I'd love to show you the part where it all goes horribly wrong, let's set the scene.

First, you need to throw together a website about an upcoming movie. How about.....



dragonballevolution.info

Yeah, that'll do it.

Obviously, you need to put the site up for sale as quickly as you can.

[image: dbzmvz2.jpg]

Let's make it perfectly obvious that the only reason the site exists is to trade off Adware in exchange for ripped movies:

"It also does have a streaming site (watch.dragonballevolution.info) which has the full movie streaming online (movie hosted on other video sharing hosts).

Most of the site income came from its streaming site, on which I have installed zango. It does pretty well with zango (look at the pageview per install ratio on attachment).

Dragonball evolution the movie will be released in the United States this April 10, 2009. So make this deal fast before someone else does!"


...but let's throw up a ludicrous "disclaimer" anyway:

[image: dbzmvz3.jpg]


Of course, you need to install Zango to watch the film:

[image: dbzmvz4.jpg]

Setting aside the age problem - you need to be 18+ to install Zango, and how many people over 18 are seriously going to go looking for the Dragonball Evolution movie? - there's also the problem of it going horribly wrong.

Did I say horribly wrong?

[image: dbzmvz5.jpg]


...whoops, I guess I did.

Enjoy your "film", kids.

Formula One Phishing

The racing season might well be underway, but it's a good idea to be careful where your logins are concerned.

The following domain:

tema-ferrari.tk

[image: temafer1.jpg]

is trying to entice users of the popular Social networking site Orkut to log in to their accounts - or, to be more accurate, is trying to entice fans of Ferrari cars to log in to their Orkut accounts. You can't really miss the huge Ferrari logo in the middle - the earliest Google cache of the site is from a few days before the first race in Melbourne, around the 24th of March. Odd coincidence, that.

In case you're wondering, the text (in Portuguese) roughly translates as follows:

"Connect with friends and family using scraps and instant messaging
Meet new people through friends of friends and communities
Share your videos, pictures, and passions all in one place"

I'm going to go out on a limb here and guess the phisher won't even get a speeding ticket...


Paul Clark, Labour MP for Gillingham and Rainham, and Under-Secretary of State at the Department of Transport has apparently upset somebody, as this shot of his

Labourisworking.com

website would suggest. No idea who "Red Virus" is, but he / she left an EMail address so maybe they're available for comment(!) Interestingly, they claim their message is "From Egypt", yet the EMail address given is obviously Chinese.

Ooh, political...
[image: 1mkmsn.jpg]

While looking into a set of hacking tools recently, I came across a set of screenshots pasted into the creator's image gallery. They're a series of pictures detailing the various steps involved in the process of creating a fake MSN Live application.

We've removed quite a few duplicates (and blanked one or two things out) but if you want to experience the rather surreal sensation of watching someone create a data theft tool, click here to view the gallery.

It's yet another "login here to send all your contacts endless amounts of spam" website. This one is called

meetyourims.com

...and looks like all the other ones.

[image: meeturim1.jpg]

Created on the 3rd of April 2009, there's also a curious addition to their (always changing) Terms & Conditions:

"You also understand that by temporarily accessing your msn account, CSS Management Inc. is NOT agreeing to MSN's terms of use and therefore not bound by them."


Comical...
If you (or a family member) play Runescape, you might want to keep an eye out for this one.

A number of people are telling players on their friends list that the creators of the game (Jagex) are running a week long competition, where the selected participants change their password to

jagexevent

in order to get their hands on lots of free goodies.

If the person told about this event is suspicious, then the attacker will send them the following doctored screenshot as "proof", made to look like an official post by a Jagex Community Manager:

[image: jagexevent4.jpg]

Of course, once you change your password to Jagexevent, you're not going to get anything other than the chance to wave goodbye to your account as it falls under new ownership.
There are emails in circulation directing end-users to the following web site:

moxieusa.com/includes/PEAR/Thanks.htm

It's a Paypal phish with an added "bonus" - when you visit the page from the mail, you're presented with the following message:

"You Have Successfully Confirmed your account information.

The New Anti Fraud System has been successfully added to your PayPal account."


Entirely false, of course - nothing has been added. There's also a short ramble about additional security features:

[image: ppafsz1.jpg]

Click the continue button, and you're taken to the inevitable phish page.

Avoid...
Remember those sites that want you to install Zango in return for ripped movies?

Sure you do.

Well, I've just seen the inevitable happen - it was only a matter of time before Zango affiliates latched onto Twitter as a means of promoting their installers. Here's a sample shot of a Twitter profile that's been firing out Zango related links since March 17th:

[image: ztwts1.jpg]

Depending on which link you click (and there's quite a lot of them), you'll end up seeing something like this:

[image: ztwts2.jpg]

Of course, you'll only see any content on the site if you agree to the Zango install.

The site in question here is

newtvstream.com

I'd imagine there are plenty more Zango affiliates firing out links on Twitter, so if you see people advertising "free movies" or TV shows, there's a good bet you'll be taken to a Zango installer prompt...

About this Archive

This page is an archive of recent entries written by Christopher Boyd in April 2009.