Christopher Boyd: July 2009 Archives

...."choosen"? Oh, this is going to be one of those scam attempts, isn't it?

Stepping up to the plate of fail this time round is

sonybetacommunity.tk

A site that claims to be a "Sony Beta Center", where you can gain special access to upcoming titles such as these....

sonybetacommunity.jpg

Quite why the background to a supposed Sony website is some sort of Elf thing from World of Warcraft, I couldn't tell you. Also of note is the wonderfully fictitious "Grand Theft Auto: Boston".

Yeah, right.

Anyway, at this point it normally descends into a phishing farce. Not this time, however:

sonybetacommunity2.jpg

"1st. Sign up to the website below. Use the link below.
2nd. You need to have one offer confirm.
3rd. You need more than 1 cent, not including the $1 dollar bonus in your July earnings.
4th. You must do the offer for us to send you the a beta code.
Please read everything below!"


and

"Note: If you don't seethe daily jokes offer you can do Arcamax Recipes, or Health Newsletter. Make sure your pending earnings go into July earnings. If you don't do the offer, then it want confirm and you will just be mad at Sony when you don't get a beta code."

Health newsletters? Arcamax recipes? What?

As it turns out, the whole "game beta" thing is nothing to do with phishing at all - rather, they just want you to sign up to about a billion different Cashcrate offers, and if you do, then you'll really really really REALLY be sent Beta keys to your PSN account. Honest.

"When your offer confirms on the site (Meaning your pending earnings has went into your July earnings), go to your message center and reply to the message.

Include your PSN ID name and the 3 betas you want. Example = PS3GAMING500 -PSN ID

Once you reply to the message in the message center, we will check to see if the offer is in your July Earnings. If so, we will send your beta code to the message center on Cashcrate and your PSN ID."


I think I'm going to have to call shenanigans on this one, even if they do have a really official looking Youtube channel...

Fake Retweets aren't particularly new, but you might not have seen them before. In a nutshell, there is nothing stopping you on Twitter from placing "RT" at the start of a message then putting in whatever user you feel like after it. For example, if someone wanted to make it look like I was on a drunken insult rampage:

paperstinky1.gif

Of course, I never said that - and for a follower of mine to see this message, they'd have to be actively looking for "@paperghost" messages in the search feature so the chances of being horribly offended are slight. However, we can step it up a notch (with the permission of Rik Ferguson who agreed to let me use him for this next bout of fakery):

stinkyghost2.gif

...whoops. If I'm not someone who bothers to check the authenticity of a Twitter message, then I'm now chasing Rik Ferguson with a baseball bat under the misguided notion that he's smacktalking my mother (actually, he's taller than me so I'll probably just settle for pulling angry faces at the screen).

With that in mind, I saw this pop up in my Twitter feed earlier today:

fakeghostrt1.gif

...as you probably guessed, I didn't say that. Neither did any of these people:

fakertsspamz.gif

What's the idea? Well, take a look at the links in the above screenshot. The profile is designed to lure Twitter users in with fake retweets (either the person being "retweeted" themselves, or users who follow mentions of that individual and are curious what they're supposedly talking about) and then hope they click one of the many spam / promotion links.

The fake retweets are quite crude, but with a little tweaking they could perhaps make the fake retweets more controversial or include a URL link with the fake message which would probably increase the clickthrough rate.

Remember - if something looks a little odd about a message sent out on Twitter from a contact, check with them that it's the real deal first...
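
The "check it's the real deal" step can be automated when you have the attributed user's real timeline to compare against. The sketch below is an added example, not part of the original post: it parses the manual "RT @user" form described above and reports whether the quoted text matches anything that user actually posted. The usernames, messages and the `known_tweets` lookup are constructed for illustration.

```python
import re
from collections import defaultdict

# The manual "RT @user: text" convention; anyone can type it by hand.
RT_PATTERN = re.compile(r"^\s*RT\s+@(\w{1,15}):?\s+(.*)$", re.IGNORECASE | re.DOTALL)
URL_PATTERN = re.compile(r"https?://\S+", re.IGNORECASE)

def normalize(text):
    """Lowercase, drop URLs, collapse whitespace and trailing ellipses."""
    text = URL_PATTERN.sub("", text.lower())
    return " ".join(text.split()).rstrip(". !\u2026")

def check_retweet(message, known_tweets):
    """Return 'not_rt', 'verified', 'unverified' or 'unverified_with_link'.

    known_tweets (assumed input) maps a lowercase username to the texts
    that user is known to have posted.
    """
    m = RT_PATTERN.match(message)
    if not m:
        return "not_rt"
    user, quoted = m.group(1).lower(), m.group(2)
    claimed = normalize(quoted)
    for original in known_tweets.get(user, []):
        real = normalize(original)
        # Manual RTs are often cut short, so accept a long-enough prefix.
        if claimed == real or (len(claimed) >= 20 and real.startswith(claimed)):
            return "verified"
    return "unverified_with_link" if URL_PATTERN.search(quoted) else "unverified"

def suspicious_accounts(timeline, known_tweets, threshold=0.5, min_rts=2):
    """List senders whose share of unverifiable RTs is at or above threshold."""
    rts, bad = defaultdict(int), defaultdict(int)
    for sender, message in timeline:
        verdict = check_retweet(message, known_tweets)
        if verdict == "not_rt":
            continue
        rts[sender] += 1
        if verdict != "verified":
            bad[sender] += 1
    return sorted(s for s in rts if rts[s] >= min_rts and bad[s] / rts[s] >= threshold)

# Constructed sample data (not real accounts or tweets).
SAMPLE_KNOWN = {
    "alice": ["Patch Tuesday write-up is now live on the blog http://example.com/a"],
    "bob": ["Heading to the conference next week"],
}
SAMPLE_TIMELINE = [
    ("carol", "RT @alice: Patch Tuesday write-up is now live on the blog http://example.com/a"),
    ("carol", "RT @alice Patch Tuesday write-up is now live..."),
    ("promo_bot", "RT @alice: best deals here http://spam.example/x"),
    ("promo_bot", "RT @bob: I love this product"),
    ("promo_bot", "Check out my page"),
]

if __name__ == "__main__":
    for sender, msg in SAMPLE_TIMELINE:
        print(sender, "->", check_retweet(msg, SAMPLE_KNOWN))
    print("flagged:", suspicious_accounts(SAMPLE_TIMELINE, SAMPLE_KNOWN))
```

An "unverified" result only means the quoted text was not found in the supplied timeline, so a deleted or unfetched original will also land there.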

"Achievements are really just slaps on the back with an assigned point value; the amount of points isn't truly what's important, but it's nice to see." - Ten Achievement Commandments

When Microsoft released their XBox360, they came up with the idea of "Achievements" - unlockable badges that display your prowess in a game. Kill 50 bad guys? Achievement! Run through six levels without dying once and throw the final boss off a cliff with your eyes closed? Achievement! Press the start button? Achievement! (No, seriously).

Some would say it all went horribly wrong when Microsoft decided that achievements should come with "Gamerscore points". These entirely useless numbers assigned to achievements traditionally give little else other than bragging rights and....um....that's it.

However, an unforeseen consequence of gamerscore points is this:

1) Accounts with high gamerscores (generally anything over 30,000GS) become valuable targets for hackers & phishers - a high score generally means lots of valuable ingame items / bonuses are associated with the account such as Level 50 Halo 3 characters, unlocked rare items & skills, high ranking Call of Duty multiplayer characters etc. You can then sell or trade these accounts for other accounts, credit cards or anything else you feel like. Here's an example of someone getting ready to sell a tampered account with a Gamerscore that weighs in over 130,000k:


2) It's incredibly easy to find people with high gamerscores and make them a target - you simply need to browse the official XBox forums and see who has what, or jump over to a site such as Mygamercard or similar sites where it's the easiest thing in the world to line up your bullseye painted victims. If gamerscores didn't exist, it'd be a lot more time consuming to dig out profiles that had a large amount of achievements attached to them because there would be no obvious signifier that the account was worth pursuing.

3) This also means that any method of artificially inflating your gamerscore means a fast track to selling (what appears to be) a high scoring profile. There has been dabbling in this area for some time (here's an article from 2006 where the first shots are being fired by Microsoft in response to cheating; here's another from 2008) and programs used for this cheating have been (for the most part) kept close to the chest of those using them.

One reason for this is that the programs that actually work cost a lot of money - there's one program that can go for anything from $150 to $200 in the right circles.

However, that's all changed in the last month or so as one of the most well known programs (that apparently sells for around $50) has been cracked and made available to all and sundry, for free. It's no coincidence that Youtube is suddenly awash with videos offering Gamerscore tampering services and that EBay sellers are popping up with auctions like these:

Gamerscore hacking on EBay, originally uploaded by Paperghost.


Want to see some of the auction details? Of course you do.
Gamerscore hacking auctions, originally uploaded by Paperghost.



Full aftersale support, originally uploaded by Paperghost.

"Why pay someone else to do it when you can do it yourself and when you have these programs you can sell 40,0000+ gamertags on ebay and make ????????"

...oh dear. We'll be paying the above EBay seller a visit a little later on, so keep "Da1truehomie" in mind.

The program currently being thrown all over the place on underground sites (and poorly worded EBay auctions) would be this one:


XBox Profile Editing Program, originally uploaded by Paperghost.


Editing the gamerscore & achievements is simply a case of hooking the XBox up to the PC (with a transfer cable you can obtain free from Microsoft...whoops) then tampering with the data using the required programs.

Once you go looking on sites away from the underground such as Youtube & other video sites, it's clear that this problem is now going mainstream. Is there anything Microsoft can do to stop this? Who knows, but people determined to alter their profile details should know the following:

1) Microsoft are very good at spotting tampered profiles, and swinging the appropriate banhammer. You might get away with it for a while, but eventually it's going to go horribly wrong. Remember EBay seller "Da1truehomie"? Here is his XBox profile, note the message at the bottom:

Caught! Can I get a witness?, originally uploaded by Paperghost.


He can expect to have his score reset and be hit with a possible ban. On reflection, perhaps having the same username for both his XBox and EBay accounts wasn't a smart idea.

2) The program that so many people are sending around went a bit bonkers when it was cracked and made available for everyone to download. Namely, it doesn't unlock the achievements correctly, labels online specific achievements as having been unlocked offline and various other things that fairly scream "shenanigans".

I still say Microsoft should remove Gamerscores altogether, however. For the tiny amount of worth they bring (not much), it's greatly outweighed by the desire of scammers to both obtain it by phishing and inflate it by hacking. Stolen XBox profiles are now big business, and you can typically expect to pick up an account with a credit card attached to it for as little as $4.

The act of Gamerscore tampering also pretty much makes legitimate gamerscores even more worthless than they are now - spent three years building up your total via hours of gameplay? Too bad, that large collection of guys over there unlocked six billion points in a week. It also presumably makes it much more difficult for game developers to keep track of statistics such as these (stats which many companies often use to tweak difficulty settings in future releases), so everybody loses out.

Bragging rights - who'd have thought they'd cause so much trouble?


There's a Windows Live ID phish doing the rounds at the moment, aimed at XBox gamers and their overwhelming desire to obtain FREE STUFF. Namely, XBox Live points. Here's the site, which is located at mspsite.t35.com:



Free Microsoft Points Scam, originally uploaded by Paperghost.

It contains the usual nonsense designed to make the victim sit around doing nothing while the phisher changes their login information:

"This website uses an exploit found on the xbox live website. Using this exploit correctly means you can edit your amount of microsoft points on your account. As the flaw is on the Singapore websites, People living outside of singapore may need to wait up to 24 hours for there points..."

Once you enter the info, your account is as good as gone along with anything you have attached to it. If you think people don't fall for things like this, here's the proof:

mspointzgenz102.jpg

Chalk up one victim to the above site. There's bound to be more...



codmw4hacked.jpg

I expect we'll see more of these pop up as the release date of a game that COMES WITH NIGHT VISION GOGGLES - sorry, got a little excited there - draws closer. With that in mind, I'll be rounding up some of the phish attempts & other scams related to this game and posting them up on the blog.

I thought I'd kick things off with the most prominent one doing the rounds, which would be

codmw2beta.tk

which unfortunately is the highest search result for "Modern Warfare 2 beta" in Youtube:


Modern Warfare 2 Beta Phish, originally uploaded by Paperghost.

The fake video doesn't need to say much to pull in victims...

mwarfare2b2.jpg

...because there will be any number of people throwing themselves at this one due to the hype.

Fortunately, the site in question is up and down at the moment; no doubt the hosts are shutting them down and killing off the fake sites. However, as it's a .tk redirection domain they can keep on moving until the .tk URL itself is whacked. Interestingly, people here claim the link was "logging keys" not so long ago, and someone else mentions doing pointless surveys; clearly, the domain is being used for all kinds of dubious practices, none of which will give you the all important Beta access.

I'd insert a witty closing line about keeping your guns loaded at this point, but I can't think of one. Just avoid phishing / scam / infection / survey sites instead and I'll skip the corny jokes. Sounds like a good deal to me...

If you play RuneScape and you're itching to change your stats, you might want to think twice - especially if you're offered a program that looks like this:



Fake RuneScape Program, originally uploaded by Paperghost.

As you've probably guessed, it's 100% fake and designed to be bound to the trojan / rootkit / horrible program of choice by the attacker. Enter your Username and Password, and you can kiss them goodbye. One of the prettier fake RuneScape programs out there...

There's a link currently being spammed around Youtube that goes a little something like this:

meganfox1.jpg

Head over to megantape.com, and you're greeted with an obviously fake "movie" image that's actually just been lifted from an FHM shoot (you can see the logo if you "view image location").

megan22.jpg

Press play, and...

megan3.jpg

....well, I'm shocked. Fancy having to "complete a survey" in order to view the supposed movie. I love the reasoning given for hitting you with this popup - "video hosting is expensive".

That must be one extremely long movie.

Depending on your region, you'll be taken to all manner of surveys, quizzes and questionnaires. I didn't bother to fill any of them in, but something tells me if a celebrity sex tape was suddenly in circulation, there'd be quite a few more places talking about it than one oddball site asking you questions about UGG boots.

Couldn't you just go and watch that Transformers film instead?

I'm amazed by this - my good friend LoLo (who was writing about & shutting down Myspace scams when I was knee high to a grasshopper or something) has been sent a frankly ludicrous scaremail by EBay / Paypal, in relation to a screenshot of a phishing mail in a phish dissection post.

Seriously.

Dear ISPrime, Inc.,

We have just learned that your service is being used to violate PayPal trademarks and/or copyrights. Specifically, it appears that an ISPrime, Inc. user is hosting a page at 64.111.214.22 - http://www.ghettowebmaster.com/images/paypal-phishing-email.gif which uses our trademarks inappropriately.

While we believe that the above information gives your company more than a sufficient basis for disabling the page immediately, out of caution we note that your user's unauthorized reproduction of PayPal trademark and copyrighted materials violates federal law, and places an independent legal obligation on your company to remove the offending page(s) immediately upon receiving notice from PayPal an eBay, Inc. company, the owner of the copyrighted materials. Accordingly, the information below serves as PayPal's notice of infringement pursuant to the Digital Millennium Copyright Act, 17 U.S.C. Section 512 (c)(3)(A):

It gets better - or should that be worse:

Finally, please be advised that we have referred this issue to the Federal Bureau of Investigation for their investigation. The F.B.I. has requested that we convey to you in this message their request that you preserve for 90 days all records relating to this web site, including all associated accounts, computer logs, files, IP addresses, telephone numbers, subscriber and user records, communications, and all programs and files on storage media in regard to all Internet connection information, pursuant to 18 U.S.C. § 2703(f). While we do not act as an agent of the FBI in conveying this request, we do intend to fully cooperate with their investigation, and encourage you to do so as well.

eBay/PayPal Inc.
Audit and Investigations
securityalerts@ebay.com

Jaw dropping. Did the person who initiated this fiasco not bother to check the original post? Because if you're going to dissect a phishing mail while warning people about it, it tends to help if you put a screenshot or two up. However, rather than go after the phisher, they tried to swing the banhammer at the good guy. Generally, you'd think people who are doing your brand a favour by alerting the general public to scams regarding your website are NOT the people you should be aggravating, because good will and a general desire to help quickly evaporates when faced with stupidity such as this.

If you run a security blog and happen to get one of these wonderful missives sent to your ISP (or even better, through the post) then please, let us know. As for EBay / Paypal - taking ten seconds to digest the content of a blog post works wonders...

Since the Neopets story has had coverage on Fox news, I've noticed something a little bizarre - a lot of people on various Neopets forums and websites seem to be attributing the issues talked about in the story to an entirely unrelated exploit that's doing the rounds on the Neopets site, then dismissing it altogether.

For example:

cookigrbneo1.jpg

and

cookigrbneo2.jpg

and

cookigrbneo4.gif

Alongside lots of comments similar to the above, there's quite a few blog posts out there that do handily talk about this "cookie grabbing" issue they seem to have (that's good), but they also attribute what's being talked about in the Fox piece to cookie grabbing (that's bad).

cookigrbneo3.jpg

That would have been quite the achievement by myself, as I only heard about this Neopets cookie grabbing for the first time a few hours ago! So, just to confirm 100% - the issue talked about in the Fox piece is absolutely NOTHING TO DO with cookie grabbing. While there might be some horrible issue currently rampaging around Neopets that's all about scripting, stealing and cookies, this never was, and never will be, about said problem.

I'm not entirely sure how so many people made the leap from "sending private messages, installing Malware then scraping information from the infected PC" to "somehow hackers are stealing credit card details directly from the Neopets site, this must be about cookie grabbers, but cookie grabbers can't do that anyway so the whole thing is nonsense" but there you go.

His Name Is Robert Paulson, originally uploaded by Paperghost.


....and he wants your World of Warcraft account.

fakemszsitez1.gif

We're seeing quite a lot of fake websites at the moment that claim to offer "free" Microsoft points in return for you logging in with your account details. You know the drill. It's unusual to see so many appear in a short space of time, so one would guess there's a bit of a group effort taking place here. Here's a list of some of the sites we've seen so far, we'll keep updating as we get them:


In all cases, someone "found an exploit", or "came up with a script", or "created a program" - my favourite so far is this one:

fakez101.gif

....yes. Yes they did.

Anyway, avoid all of the above.

About this Archive

This page is an archive of recent entries written by Christopher Boyd in July 2009.
