Results matching “MySpace” from FaceForward

It's not so long ago that I'd wonder what I did without my instant messaging client just to get through my working day. Not, you understand, because I needed my latest fix of emoticon-laden gossip with far-flung friends, but so that I could use Windows Live, Microsoft OCS, Lotus Sametime and Skype (yes, I'm a serial IM'er) to get answers I needed from people who were online, rather than abandoning my question in a voicemail black hole.

My must-have applications of choice now? Twitter, Facebook and LinkedIn for starters. And it appears I'm not the only one to join the social revolution. FaceTime's June survey on social networking had over 87% of 1,199 respondents using social networks, with 39% using a social network every day.

Now most of the folks I social network with are work related. And my communications are during the working day. And they respond in kind. (So there's a Sherlock Holmes-style deduction going on here.) It's elementary, my dear Watson, that they must therefore be using social networks in the workplace.

And our survey agrees with that, with a whopping 85% of respondents believing that their users are utilizing social networks from the corporate network. We'd been somewhat surprised earlier this week when Chris Boyd, our Director of Research, uncovered a keylogger on the kids' popular social networking site Neopets. (Neopets (originally NeoPets) is a virtual pet website, based around the virtual pets that inhabit the virtual world of Neopia.)


Chris found hackers targeting 12 year olds - and probably their more affluent parents.

Interestingly, sites such as Neopets are accessed in corporate environments too. FaceTime collects live traffic data from commercially deployed Unified Security Gateway appliances at more than 80 mid-to-large enterprises worldwide that have opted into this program, representing the daily Web-based activities of more than 100,000 corporate workers.


During the past week, these corporate workers have accessed 99 different virtual worlds from their work computers, and at least half of those are targeted at children. Perhaps, as Chris suggests, the kids are asking their parents to check on their Neopets at work or see if the latest friend request on Myspace has been approved?

I guess it's at this point in time that the corporate security folks start shaking their heads, and blocking access to social networks, updating those URL filters, tightening up the rules on the firewall. You know the drill.


Hold up.  Whoa.  Stop. 

31% of our survey respondents reported that Social Networking is critical to business - but must be secure and compliant, citing business benefits from better employee communications to improved marketing communications, more efficient recruiting and faster decision times through collaboration as the key benefits that social networking delivers.


But that's not all.  40% of our survey respondents derived their information about their employee social networking usage from URL filter logs.  The Web 2.0 applications and real time communications tools that make up the social networks and the internet that we use today are highly evasive, specifically designed to get around Web filtering, firewalls and other traditional security solutions using a variety of techniques like port crawling, tunneling and onion routing.  So the reality is probably that there is a lot more of this traffic that folks are just plain NOT SEEING, let alone managing.

I'll leave you with the thought that our Web 2.0 world is no longer about blocking (even if your traditional URL filter could). As we at FaceTime say (and our survey respondents agree resoundingly), our new social order needs enabling; just make sure that it's done securely and compliantly.

Peace, love and free URL filtering

Every self-respecting marketing person would dress up like a hippie for the sake of a marketing promotion, right? Well, Sarah Carter and I would, anyway.

You see, here at FaceTime, we're all about peace, love and free URL filtering. Okay, yes, it's a promotion we've been running for the past couple of months, but we really do feel the love when it comes to helping our customers manage their budgets by eliminating URL filtering renewal fees. Rumor has it there will be a group of protesters at the RSA Conference next week speaking out against those fees, so be sure to stop by the FaceTime booth #2339 and check it out. And don't forget to wear your tie-dye.


Seriously, all this commotion and protesting, but we really don't have anything against URL filtering. Everyone needs URL filtering, it's just that it's not enough when it comes to managing the New Internet. A much more granular level of application control is required when it comes to securing and managing Web 2.0 including social networking, multimedia, virtual worlds, VoIP ... and the list goes on.


So we've been having a lot of fun with our No URL Filtering Fees promotion in our Larissa and Sarah Show episodes. NetworkWorld even called our YouTube videos quirky. We'll take that as a compliment.


Peace out. 


Can the Water Cooler Chat

I read a report from Reuters about the British think tank Demos, saying that bosses shouldn't stop their staff from visiting social networking sites because it could actually benefit their business. Music to my ears, I thought. I'm obviously pretty pleased with the conclusions they came to, not least because it absolutely marries up with the results of FaceTime's fourth annual survey of Internet Trends (more on this in a moment), but also because it marries up with how I work.

The Demos report concluded that

"The value of networking within an economic downturn is perhaps more important than ever and I believe it could mean the difference between a business collapsing or capitalizing on the tricky conditions."


Paraphrasing the report, it means that employees should be allowed to use MySpace, or Facebook, because there is very little difference between social networking and professional networking.


The FaceTime survey also looked at the changing way in which IT professionals and employees use the Internet. This year, 81% of survey respondents said they use social networks at work for personal reasons. But what's interesting is a nearly equal number - 79% - said they use these sites for business reasons. And 51% are accessing them several times a day. 

I'm definitely one of those 51% of the 79%. You'll find me regularly on LinkedIn and Facebook, both for social and legitimate business reasons. I actually think that my local supermarket owes me some coupons or at least a pat on the back. I recently posted a tip on Facebook about beating the credit crunch with a special deal they had on some wine, and I know for certain that my buddies bought at least 5 cases. So Tesco, if you're listening... you know where I live.


However, there's one point in the report that I don't agree with.


"Bans on Facebook or YouTube are in any case almost impossible to enforce; firms may as well try to put a time limit on the numbers of minutes allowed each day for gossiping." 

You see, this is one of the great things that FaceTime - and our flagship product, the Unified Security Gateway (or USG) - does.

Ban the access if you want; USG lets you do that. Or, enabling you to truly realize the value of networking, it gives you granular control over who can do what, whether it's downloading one of the more than 20,000 applications on Facebook, or setting who can use AIM, Yahoo! Messenger, GoogleTalk or myriad other real-time chat and communications tools.


So while we can't stop the gossip around the real water cooler, we can stop them getting to the virtual one!

For the fourth consecutive year, FaceTime has commissioned a survey of IT managers and end users to track the use of Internet-based applications - things like IM, Skype, P2P, social networking and other Web 2.0 apps. We also surveyed employee attitudes toward use of those applications and their impact on IT and the organization in terms of security, data leakage and compliance.

As in prior years, the research was conducted among a large sample of corporate IT managers and end users across organizations of all sizes in North America, the UK and Europe. The research study includes compiled data from more than 500 IT managers and end users. The results are quite revealing.


    • Use of consumer-oriented Internet applications has reached 97% of organizations, up from 85% in 2007, and on average companies report 9.3 applications in use by their employees on the enterprise network
    • 73% of IT managers report at least one security incident as a result of Internet application usage; viruses, Trojans and worms (59%) are most common, followed closely by spyware (57%)
    • 37% of companies report an instance of non-compliance; 27% report accidental data leakage
    • IT managers report an average of 34 incidents per month, and the largest companies project $125K monthly to remediate Internet usage related security, compliance and data leakage issues
    • 51% of end users access social media sites at least once per day, and 79% of employees use social media (Facebook, LinkedIn, YouTube) at work for business reasons
    • 68% of IT managers have archiving and retrieval methods for corporate email. About half that many (31%) store IM communications. One in four has copies of audio conferences (25%), while slightly fewer (20%) archive corporate Web conferences
    • If requested by corporate attorneys to reproduce IM communications (in the event of a lawsuit, for example), 51% of IT managers could not do it: 38% because they have no such capability, and 13% could do it but not in any practical time frame
    • Unified Communications suites exist at about 29% of IT respondent organizations. 10% have deployed pilots to a limited number of users, while 19% have deployed UC for the majority of their end users

We'll be delving into various aspects of this exhaustive survey in the coming weeks, to break down just what this data is telling us about what's happening on corporate networks and what it means to both IT managers and end users.

When one of our lead researchers, Chris Boyd, started looking into MySpace hacks and scams over a year ago, some of us at FaceTime questioned whether that was the best place for him to spend his time. Was it relevant to the business IT market that we serve?


Absolutely. The ability to control how employees use social networking on work computers is one of the key topics of conversation we have with new customers. We've heard from customers that they can't block MySpace and Facebook because their HR departments use the sites to do background checks on potential employees. Many organizations are also setting up company-oriented communities on Facebook. We've spoken with companies who have lost new employee candidates because of their policies against use of Web 2.0 including social networking and instant messaging - these companies are perceived as legacy and uninteresting places to work.


MySpace and other social networking sites have entered the enterprise, and business leaders together with IT have to figure out how to turn it into an advantage for the company. It's a much larger issue than simply making a binary decision to block or allow it.  Do you block it all, or do you allow some users or some aspects of it?  What are the cultural and employee morale issues if you shut down access? 


I have a good friend who works at a satellite office for a Fortune 100 company. His Internet is locked down beyond belief. Yet, the posters on the wall from the corporate office highlight value statements about "innovation" and other rhetoric that seems to me at odds with their Internet policy. I'm told that the morale there is a mess. Is there a relationship?

FaceTime is not in the business of establishing the Internet access policy for our customers. We are in the business of enabling them to enforce their desired policy for Web access, including control of MySpace and other social networking sites. But my contention is that it's not solely a matter of whether or not MySpace, Facebook etc. have a business purpose. The real point is that employees feel they have a right to use whatever applications or online sites they like on their work computers, and IT has to maintain the integrity of the network despite this trend. Bringing these two perspectives together for the benefit of the business is where the challenge lies.

When something works others will adopt it. It's true whether you are talking about TV reality shows, green products or IT security. This was evident at the Gartner IT Security Summit that I attended last week, where there were several references in the keynotes and breakout sessions to the trend toward end user adoption of collaborative applications such as Facebook and other Web 2.0 apps.

The current catch phrases are based on the premise that the Internet has changed. Some call it the "Consumerization of IT," some call it Enterprise 2.0 - and I believe I even heard it called "People-Based Computing." (PBC)

No matter what you call it, IT security administrators must make a judgment call about the usefulness of these new real-time Internet tools and whether or not to spend money on security and management solutions. Are employees really going to use these tools to do business? Or are they virtually hanging out with friends on MySpace during work hours? And what if MySpace becomes Facebook, or Second Life, and then Twitter or Pownce or a widget... or whatever else the latest Web 2.0 application is?


The lines between work and personal time are blurring more than ever, and IT is continually challenged with "the next new thing." The new Internet will create new strategic issues to sort out over the next few years. Will a SaaS model for security be considered?  How will virtualization impact security deployments?  These were the types of issues that were raised and debated over the three days.  All said, a solid conference that offered a combination of actionable recommendations and thought-provoking considerations.


By the way, Google started its keynote at the Gartner IT Security Summit with a message about collaborative applications, and I was pleased (and proud, I must admit) to see their reference to our very own Chris Boyd as a contributor to their security efforts.

Clock Watching

3clock.jpg

I spend a lot of time looking at the above (there should be a Bangalore clock there too, but it fell off. Whoops). Sitting smack bang in the middle of all the various teams (sort of), I have to juggle a lot of tasks, sites, actions and all sorts of other wonderful things as the timezones shift and day passes to night for each respective area.

As I work remotely, this means a lot of action on Skype and an absolute pile of tabs open on the various machines I have here. I've never particularly liked RSS readers - mainly because I can never seem to get them to work - which means an endless amount of website opening, refreshing, you name it, I've done it (and am probably still doing it).

However.

Cynical as I am about most applications that claim to help shave some time off all your daily activities, I have indeed found something so stupendously useful that it defies description. Interestingly, I only even came to use it because I realised lots of my Feedburner subscribers started to drop like flies. Upon further investigation, I realised there was something out there called Netvibes that was undergoing an upgrade, hence all the lost subscribers. Seeing as I had quite a lot of them from this one particular source, I decided to go check it out and I'm extremely glad I did.

Of course, it's all a bit Web 2.0-ish. You can put in a humorous title (or non-humorous, if you like) at the top, even though you're the only person that can see it. I settled for this:

defender1.jpg


"Paperghost, Defender of the Interwebs". Well, it has a nice ring to it, I think. As you can see (and I apologise in advance to anyone for whom Netvibes is old news), it's effectively a bunch of custom-made tabs on a set of webpages you can keep on changing to your heart's desire.

Right there on the frontpage, I have a whole bunch of things that are useful to my job. English and US calendars that indicate when people have national holidays coming up? You bet. As a lot of my work depends upon being able to interact with the researchers in West Virginia, it's faintly counterproductive when I've spent most of the morning working on something passed to me from the guys in Bangalore (with the intention of passing it off, Baton style, to the team in WV) only to find that they'll actually all be off celebrating some National holiday somewhere.

I have written them out on paper (only to watch the dog eat them, which is kind of similar to what happened to my homework), I have found an endless stream of holiday websites, only to lose them / watch them get hacked / get pulled by a bored webmaster / insert disaster of choice here. This? This is fantastic. It updates automatically and I don't have to do anything.

Moving on, currency converters are useful because of the travel-from-place-to-place (and try not to die) nature of the job. Yes, I can just go here. But the problem was that I was going there, every five minutes. As we spend a lot of time attempting to analyse money trails and seeing exactly what the financial worth of certain online scams is, the only way to go is have a currency converter up somewhere. Now, I have both this tool and a whole bunch of other useful security / network applications all on one page.

This is, as you might have expected, awesome.

The Security page I've created is equally as fantastic:

defender2.jpg


Not only is it about the first RSS reader I've used that doesn't break every ten seconds (or have a horrendously clunky interface), I can see at a glance how frequently everybody else is posting and make some key strategic decisions about what to publish and when, see if someone else has beaten you to the finish line with regard to a post about a new infection (with the appropriate editing then administered to the blog entry in question), and all sorts of other mysterious and arcane decisions that relate to the Witchcraft that is blog publishing.

Comics? Well, as someone who frequently dips into the comics landscape (how many security writers do you know who get syndicated on Journalista / TCJ?) I can tell you that a lot of interesting security-skimming posts appear on comic websites, especially by the comic writers and creators who often have sites of their own. It's in their best interest to keep up to date with hacks, SEO and all sorts of other things. Hence, this:

defender3.jpg


...resulted in this blog post. Nothing long or particularly dazzling for my part - I'm simply linking to someone else and saying, "this is interesting". But it's security, and it's comics, and I don't think a lot of security-hungry readers would have seen that first hand example of SEO black hat action so that's great. I hadn't actually been reading the blog in question for a while, so I probably wouldn't have even known about it only for seeing the title pop up on Netvibes.

Finally, my "Two Point Whatever" page is extremely useful:

defender4.jpg


After I publish something I think warrants further attention, I start promoting it on many social networking sites. I have an established presence on Myspace, Twitter, Flickr, Digg and a bunch of other places. Using this single page, I can roll out bloglinks, promote articles, keep in touch with my (many) contacts across the various portals and a lot of other things besides. In many ways, this is the most useful page of all.

So there we have it. When I signed up to Netvibes, I remember seeing a promise saying something like "This site WILL save you time". You know what, it's true. It has. Anyway, you shouldn't be reading a long blog entry like this - you have work to do....



What exactly are "work hours?"


At 3 pm today, I was in my office working on my expense reports. A colleague here at FaceTime popped his head in and said "you do your expense reports during work hours?"


What exactly are work hours?


For professional workers, there is no such thing any more. That's pretty clear to me, as I get ready to post this around 9 pm. Joe McKendrick over at the FastForward blog thinks so too.  The lines between work and personal life continue to blur. Expense reports, employee reviews, press releases, product plans... they all need to get done, and it doesn't really matter when you work on them. My guess is that if employers started saying "your work hours are 8 to 5" there would be a lot less work accomplished. No one at FaceTime would ever attempt to define my work hours, for this very reason.

In contrast, though, my neighbor told me recently that the NCAA Web site was blocked by his employer during March Madness - so he called in sick on a Thursday to watch a day of college basketball from home, since he couldn't get to it while at work.


Scenarios like this play out in companies all over the world every day. And when employers block or put limits on what their employees can do, does it really solve the problem?  Or create a bigger one?

We've seen time and time again that users will continue to do what they need and want to do. Take something as simple as setting email size restrictions: users will find a workaround, either using their personal Web mail or a file transfer via IM. Are you better off with that outcome?


According to Wordtracker, over the last 100 days there were a little over 20 Google/Web searches related to "block facebook."  Presumably a combination of IT Managers, parents and educators are looking for information about how to restrict access to social networking. 


But contrast that with the 359 searches by users looking to "unblock facebook."  In total, more than 10,000 searches were made in the same period related to unblocking websites, social networking sites, using anonymizers, proxies and other related searches. 


We're always socializing. We're always working.  And users will always look for the work around when they are cut off from either.

I saw some interesting articles from the NY Times and the Enterprise 2.0 blog last week about the vast number of Web 2.0 applications that are being used in corporate America - even though IT security feels that they have their environments locked down to prevent these apps from being used. In his Enterprise 2.0 blog, Steve Wylie commented on the NYT article, pointing out that "the reality is that these apps are here to stay."

We've been tracking this trend for several years, and it's definitely growing - in fact, many companies are now facing the reality head on. I spoke with a large pharma org in NJ very recently that mentioned they have already set up MySpace and Facebook pages to allow their corporate users to collaborate internally and externally using these tools.

Although this is probably frightening and new information for many security and compliance execs, this is the same trend we've seen since 2001, when this issue first appeared with the emergence of public IM usage within corporations. The customers we spoke with back then told us the same story people are telling today: the user population feels they should be able to use these applications because the tools make them more productive, responsive and connected employees.

From an IM perspective, this feeling turned out to be 100% true, which is why so many companies are now broadly rolling out Enterprise IM and UC solutions. Based on that history, it's important for executives to quickly understand that this trend will continue. If they want their organizations to stay relevant and competitive, they should implement solutions that enable these applications to be used in a secure and compliant fashion, taking advantage of their value, rather than spend time and money trying to block their use outright.


A recent SC Magazine article also covers this trend very well. With Generation Z's arrival in the workforce, IT faces a new group of workers who have "never taken a breath of air without being able to Google."


What's your opinion? Block or enable?

Results matching “MySpace” from SpywareGuide Greynets Blog

The Facebook (Dis)Honesty Box

You might want to keep an eye on your honesty levels over the next few weeks where Facebook is concerned - sometimes trying to find out more than you're entitled to will bite you on the backside as we're about to see.

You may or may not be familiar with the "Honesty Box" application on Facebook - like similar features on Myspace etc, it allows people to leave entirely anonymous messages on your Facebook page to the tune of "I love you" or "You're a big stinky head" leading to hours of fun for all the family.

It seems a group of individuals are spamming a fake program to the walls of unsuspecting Facebook users, promising to "reveal all" with regard to who called them an idiot at 2 in the morning:

honbox2.jpg

The program claims it will strip out the hidden data from your honesty box, then convert it into a name so you know who left the message. Of course, it's all nonsense; the program is bound with a random keylogger / Trojan / virus of the attacker's choosing, which means your day could take a very random and unfortunate turn depending on what they have in store for you.

Fakey fakey, originally uploaded by Paperghost.

This could be a perfect setup for scammers to phish accounts, then use those compromised accounts to spam the application onto more Facebook walls, where new victims can be attracted by the lure of "really secret stuff".

Avoid!
Yesterday I happened to see a particularly creepy advert containing a number of rotating images claiming to offer "Hacked Facebook and Photobucket accounts" for a price:

hackedfbaccts1.jpg

The site the image links to is called...well, see for yourself.

Wait...what?, originally uploaded by Paperghost.

Yes, the site is actually called "Hackedsluts.com" and claims to offer up an endless series of images from "hacked" accounts including Myspace, Photobucket and Facebook in return for a monthly fee. Or, as they like to put it:

"Every day we prowl Facebook, Photobucket, Myspace and a ton of others....then we let our team of hackers do their thing"...

As porn site marketing campaigns go this one is certainly, uh, different.

Account hacked!, originally uploaded by Paperghost.

Just to force the message home, hovering over any image will pop up some text on top of the picture:

hackedfbaccts5.jpg

Just when you think they can't possibly get any creepier or salacious, the final image at the bottom of the first set actually looks like this:


Extreme, originally uploaded by Paperghost

...yep, we'll throw in dubious claims of hacked accounts / stolen images AND we'll lob in a blood splattered "Too extreme" banner supposedly covering up some of the pictures. While this is clearly a piece of Lame Marketing 101, the overall effect of the site is extremely disturbing.

Are the images actually stolen? It's doubtful; in all probability the bulk of the content (if not all of it) is made up of stock pornographic content. But simply claiming they've been plundering images from supposedly hacked accounts on Facebook, Myspace and all the rest of them for financial gain blows my mind, is an amazingly dubious piece of non-ethical marketing and is surely a fast track to a day in court.

You would hope...

A Trip To The (Phish) Pharm

More often than not, most DIY programs I see tend to be on the murkier side of "designed well". In fact, it's more like somebody threw up on their coding tools. However, sometimes a leet hax program comes along and despite the horrible things it does, you can't help but be impressed by the design and general stylistic trappings.

The creators will still burn in Hell, of course.

But ooooh - shiny. Blinky.

Anyway, here it is - the Phish Pharm:


phpharmz1.jpg

In case you're wondering, the fake Phish pages are in the Source Files Folder, and the two programs used are underneath. Let's take a trip to the pharm - sorry - first.

phpharmz2.jpg

As you can see, it's a well designed package with a lot of options. A whole bunch of "target sites" are pre-made and ready to roll, from Twitter and Myspace to GMail and Steam - no messing around trying to create fake login pages here.

There's SQL support too:

phpharmz3.jpg

.....slick. The final option allows you to be notified via email every time someone falls for one of your Phish pages. However, you can skip that altogether in favour of a more elegant solution - the Monitor.

Fire up the second program, and it dumps itself into your System Tray. As and when stolen accounts appear in your logs, the program - which can be made to check at an interval of your choosing - pops up a message like this:

phpharmz5.jpg


Click the message, and the Monitor program launches:

phpharmz4.jpg

Type of Phish (in this case, a GMail phish), Username, Password and IP Address are all logged.

Did I mention this was slick? Depressingly so. Anyway, avoid phish pages, etc etc and yadda yadda.
I'm amazed by this - my good friend LoLo (who was writing about & shutting down Myspace scams when I was knee high to a grasshopper or something) has been sent a frankly ludicrous scaremail by EBay / Paypal, in relation to a screenshot of a phishing mail in a phish dissection post.

Seriously.

Dear ISPrime, Inc.,

We have just learned that your service is being used to violate PayPal trademarks and/or copyrights. Specifically, it appears that an ISPrime, Inc. user is hosting a page at 64.111.214.22 - http://www.ghettowebmaster.com/images/paypal-phishing-email.gif which uses our trademarks inappropriately.

While we believe that the above information gives your company more than a sufficient basis for disabling the page immediately, out of caution we note that your user's unauthorized reproduction of PayPal trademark and copyrighted materials violates federal law, and places an independent legal obligation on your company to remove the offending page(s) immediately upon receiving notice from PayPal an eBay, Inc. company, the owner of the copyrighted materials. Accordingly, the information below serves as PayPal's notice of infringement pursuant to the Digital Millennium Copyright Act, 17 U.S.C. Section 512 (c)(3)(A):

It gets better - or should that be worse:

Finally, please be advised that we have referred this issue to the Federal Bureau of Investigation for their investigation. The F.B.I. has requested that we convey to you in this message their request that you preserve for 90 days all records relating to this web site, including all associated accounts, computer logs, files, IP addresses, telephone numbers, subscriber and user records, communications, and all programs and files on storage media in regard to all Internet connection information, pursuant to 18 U.S.C. § 2703(f). While we do not act as an agent of the FBI in conveying this request, we do intend to fully cooperate with their investigation, and encourage you to do so as well.

eBay/PayPal Inc.
Audit and Investigations
securityalerts@ebay.com

Jaw dropping. Did the person who initiated this fiasco not bother to check the original post? Because if you're going to dissect a phishing mail while warning people about it, it tends to help if you put a screenshot or two up. However, rather than go after the phisher, they tried to swing the banhammer at the good guy. Generally, you'd think people who are doing your brand a favour by alerting the general public to scams regarding your website are NOT the people you should be aggravating, because good will and a general desire to help quickly evaporates when faced with stupidity such as this.

If you run a security blog and happen to get one of these wonderful missives sent to your ISP (or even better, through the post) then please, let us know. As for EBay / Paypal - taking ten seconds to digest the content of a blog post works wonders...

Hackers Target Neopets Users

I regularly see a lot of extremely dubious and rather slimy techniques deployed to get end-users to run horrible things or fall for scams. Generally, the targets tend to be the technologically inept or granny, sitting in the corner. See granny? Sure you do, she's right over there replying to the Third King of Nigeria and helping him out with his cash relocation problem.

However, I've come across a scam rapidly spreading across numerous underground forums and IRC channels that is truly one of the scummiest tactics I've seen in some time.

How bad? Allow the following screenshot to spell it out for you.

neopets0.gif

Ladies and Gentlemen, allow me to present you with the winner of the Lowest Tactic Used in 2009 award. Do your kids play Neopets? If they do, you might want to read this and gently warn them of the dangers.

Neopets: What is it?

Neopets, originally uploaded by Paperghost.

From Wikipedia:

Neopets (originally NeoPets) is a virtual pet website, based around the virtual pets that inhabit the virtual world of Neopia. Visitors can create an account and take care of up to four virtual pets, buying them food, toys, clothes, and other accessories using a virtual currency called Neopoints. Neopoints can be earned through playing games, investing in the game's stock market, trading, and winning contests such as customization and art. Neopets also operates a pay-to-play version known as Neopets Premium, which offers additional features and benefits for a monthly fee of $7.99 (USD).

The scam is based around one of the core mechanics of Neopets: kids love rare items and things that nobody else has. Neopets has magical paintbrushes - stay with me on this - and they're rather hard to get hold of nowadays. As an example of that, here's a petition posted in 2004(!) that people are still posting comments to. In addition, here's a list of current prices - now consider a newcomer to Neopets starts with the rather paltry sum of 1000 Neopoints, and you can see why there's a desire for these items.

This is where we target some 12 year olds with social engineering. Oh dear...

The Method

Neopets is effectively social networking for younger kids and some teenagers. Or, as someone on a hacking forum put it while discussing this particular attack,

neopets4.gif


...ouch. No surprise, then, that the site has many communal areas where people can chat, hang out, send each other messages and see what's going on. Our hackers will move to the trading areas, where kids can post requests for items they'd like to buy, sell or trade. Then it's just a case of hunting out posts like this....

neopets5.gif 

...and that child is, officially, doomed. Asking for paintbrushes on the trading areas of Neopets will mean that they're likely to be the recipient of a Neomail (private messaging on the Neopets website) that looks like this:


Neopets Scam, originally uploaded by Paperghost.

From there, it's just a case of said child visiting the external link, downloading a file and being keylogged into infinity and beyond. Then the fun really begins.

neopets6.gif

Wave goodbye to your rare items, kids - and you didn't want your XBox Live account (that potentially has credit card details attached to it) anymore either, did you? The attackers then use the familiar tactic of taking a previously trusted source and using it to attack their friends & other newcomers to the site. Alongside hanging out in the handily labeled "Newbies" section and spamming messages, they'll also post fake "It worked" messages from compromised accounts to the forums of threads started by the attacker, much like people do on Youtube to give the impression that fake programs actually work (scroll down to "positive comments").

Additionally, the PC is quite possibly used by other people, or indeed belongs to someone else altogether....

neopets7.gif

...which would be, as you can imagine, a "bad thing".

Shall we see some of the reaction to this attack method from the peanut gallery?

neopets8.gif

"Stupid 12 year olds" are apparently in for a smackdown.

neopets9.gif

The above individual is clearly excited by this.

neopets10.gif

...well, if you're going to intentionally target young kids you might as well go the whole hog and dump them into a Botnet too. The messages aren't just being posted and sent by private message on the Neopets site - they're also turning up on third party websites too.

neoforums.gif

Interestingly, sites such as Neopets are accessed in corporate environments too - FaceTime collects live traffic data from commercially deployed Unified Security Gateway appliances at more than 80 mid to large enterprises worldwide that have opted into this program, representing the daily Web-based activities of more than 100,000 corporate workers.

During the past week, these corporate workers have accessed 99 different virtual worlds from their work computers, and at least half of those are targeted at children. Perhaps the kids are asking their parents to check on their Neopets at work or see if the latest friend request on Myspace has been approved?

At any rate, let's hope they're wary of too-good-to-be-true paintbrush deals. Whether at home or in the workplace, "offers" such as the ones above should be avoided and anyone sending your child messages about paintbrush creators should report them here (you'll need to be logged in to access that URL).

I never thought I'd have to advise young children to stay frosty, but there you go...

At InfoSec Europe 2009, I gave a talk about the problems companies will face as they move to services of a 2.0 nature. What follows are my Top Five Tips for tackling some of these issues - they seemed to go down quite well, so hopefully there's something in there you can make use of too.

TOP TIP ONE: Put someone in charge of Social Networking in the workplace.

I noticed as I was talking about sites such as Twitter, Yammer, Present.ly etc that nobody in the room of about 130 people had used (or in most cases even heard of) any of these websites.

My concern with this is that I can guarantee there's some degree of what I like to call Intellectual Property Spillage going on. In other words, random employees and marketing bods see these new sites, think it's a good idea to be on them and then before you know it, there are unofficial presences all over the place and it becomes difficult to control exactly what's going on.

When I spoke about this issue recently, a chap in the talk went off and came back to me half an hour later. He told me he was amazed to find something like five groups set up by staff on Facebook, a Youtube page and a Yammer account - all out there online, doing their own things.

I was pleased to see a rep from a major music company approached me after the InfoSec talk and told me his company specifically employs someone to go around all the 2.0 sites registering "official" presences on these sites and keeping an eye on the oddball accounts.

Works for them...

TOP TIP TWO: Enforce a set of rules with regards what NOT to put on sites like Yammer

Yammer is basically Twitter for business users. Anyone from a company can set up a "private" Yammer account for the group, and then invite other employees to start posting about what they're working on.

The problem here is that many companies rush to join services like Yammer, post up a whole bunch of information that could be somewhat sensitive and then abandon the account. The following screenshot says it all:

yamm1.jpg

As you can see, the last post was four months ago, with all that company specific information just sitting around, doing nothing. In addition, Yammer profiles want users to fill in a ludicrous amount of personal information. Full name, title, start date, significant other, kids' names, birthday, interests, work / mobile phone, previous employers & start dates...and that's only a portion of the data requested. It's a social engineer's dream, assuming they can trick a Yammer user into handing over their login OR pull off a successful phish attack.

Even better, you can view the company user list and see who has the most followers - assuming the most followed people are likely to be the most relevant / important people there, you're painting a huge bullseye on the "Staff who most need to be stalked".

My advice? If you have someone keeping an eye out for 2.0 sites / groups related to your company, ensure services such as Yammer are top of the list...and think carefully about posting sensitive company information. It'll only take one solitary phish to cause a lot of problems.

TOP TIP THREE: Keep real world friends & work associates OUT of your top 10 friends on Myspace

Yeah, Myspace is somewhat looked down upon by all the cool kids but whatever. There's still a lot of early adopters out there who use it successfully for networking, and it's still a powerful marketing tool for certain types of product / company / dreadful Emo bands.

Myspace is also notorious for troll groups and general idiocy. A typical pastime for trolls is to find out personal information, then cause trouble in the real world. Hassling people at their place of work is always great fun for them, or if that should fail, causing trouble for friends / work colleagues.

They do this by seeing who sits in your "Top five / ten / whatever" list of friends, on the basis that most people will (naturally enough) place their real world friends / workmates in that top position.

You know what I'm going to suggest, don't you? Take all your real world contacts and place them OUTSIDE the Top Ten Friends list. Put all those random people you accumulate - the bands, random additions, people you talk to on a forum once every blue moon - in the top spot. When the bad guys go trawling for information they can use against you, they're not going to get very far when they're wasting all their time conversing with German rock guitarists and spambots.

TOP TIP FOUR: Avoid the "Life story on Linkedin" approach

Yes, Linkedin is a useful way to make business contacts, see who is going to relevant events and so on. However - when I was at InfoSec, I was taken by how many people basically treat it as a posh version of Facebook and competing with people they know to see who can get the most "friends".

This is a TERRIBLE idea. Consider this - Linkedin works by constantly, endlessly nagging you to fill things in, complete this, flesh that out to hit utterly meaningless "targets".

lkdin2.jpg


Think about the amount of personal and business related information you're adding to your Linkedin page. Consider it's likely to be similar to the kind of data you're putting onto the more private Yammer account that only your workmates can see, only HERE you're making it viewable to all those random additions to your contact list.

Is that really a good idea? It's not hard for a social engineer to create a fake profile on Linkedin and go roaming - especially while people seem to be treating it as a popularity contest...

TOP TIP FIVE: Delete old Twitter messages (the "five a day" rule)

If you want to build up a picture of a potential target, Twitter is the place to hang out. It's random, it's stream of consciousness and no matter how hard the person posting tries, even a person who carefully considers what they post is going to leak some personal data about themselves that they'd rather not share.

It doesn't have to be anything spectacular; it's just an endless series of useful nuggets that someone, somewhere can use to build up a picture of you and do bad things. It's surprisingly easy to work out where someone lives, for example, when they're doing something as basic as posting region specific pictures of buses in their area on twitpic.

To some people this isn't a big deal; to others who want to keep their location more anonymous than most, they probably didn't stop to think something as basic as posting up a picture of a bus could reveal their location.

In the same way, now so many people use Twitter for business related things it's easy to imagine that over time someone might have posted things that could be used to flesh out a target. Want to go dumpster diving? Well, what time does the only guy in his office go on his coffee break at? Oh look, according to Twitter he goes every day at 10:30AM, and we know he's the only person in there because he says he locks up...

Anyway, my advice is this - if your business world crosses over into your Twitter posts in some prominent way, you might want to consider deleting all but your five most recent Twitter posts. Do you really need them all lying around, waiting to potentially cause problems further down the line?

That concludes my "Top Five Tips". You might not agree with all of them (and feel free to share your own!), but hopefully there's enough in there to give some pause for thought the next time a 2.0 site is begging you to fill it up with an endless stream of information.

If you use Facebook, Myspace or any other Social Networking site you'll no doubt be familiar with messages like this and this. Typically, they all involve sending them to an endless stream of participants, lest you suffer bad luck in the form of being hacked, losing your job, dying horribly or being stalked by vengeful ghosts for the rest of eternity.

Of course, it's all nonsense.

Well, illustrating that you're not safe from these kinds of chain letters regardless of which digital domain you happen to use, here we have multiple instances of chain letters making their way to the XBox Live gaming network.

Over the past few days, large numbers of people have been reporting being sent messages from both friends and complete strangers over the XBox Live messaging system that contain nothing other than this:

ms9001.JPG

...enigmatic, isn't it?

However, it's not too hard to figure out. The symbol under the 900 is the symbol Microsoft uses for Microsoft points, which can be used to buy downloadable games / movies and music for the Zune player. Some wonderful individual has decided to spread word that if you keep sending the above message to people over XBox Live, then your account will be credited with 900 Microsoft points.

As you can imagine, there's more chance of winning the lottery ten times in a row without actually ever playing.

I look forward to being sent messages about viagra pills and rolex watches via XBox Live in the near future...


The "Myspace Lottery" Browser

As mentioned in this post, this is a program we originally came across way back in July 2008 via a tipoff from an anonymous source. At first, we were a little puzzled as to its purpose and our anonymous source vanished into the ether so no additional information was forthcoming.

All we knew was that it allowed us to browse nothing but Myspace. Specifically, Myspace Groups. When the browser was opened up on the desktop, it would automatically take you to a random Myspace group with no way to enter a different URL, and the display simply showed "previous URL" and "Group ID" in the middle, with a collection of buttons to the left.

"Previous", "Next", "Topics" and "Lottery".

Here is the "Lottery Browser" in action. Note that the browser in its default :

fullbrowser.gif

After a little playing around, we noticed that continually hitting the "Lottery" button would (naturally enough) take you to a different group. Depending on how the groups were set up, some were openly accessible, and some displayed "This is a private group".

However, it's the private groups that were of interest where this browser tool was concerned.

If you hit the "Topics" button and the group had no content in it, you'd see the following popup:

notopics.jpg

If you came across a private group that had posts in it and hit "Topics", this is what you'd see instead:

lott3.gif


All of your private topics are belong to us.

Now, I should stress - in testing, this browser rarely worked. More often than not, it would crash, hang, set the monitor on fire and burn down the house, those kinds of things. However, the potential for data theft (depending on the foolish things people post in "secret" groups), information harvesting, harassment and plain old creepy voyeurism was still a risk where this "Lottery Browser" was concerned.

We don't know where it came from, and it seemed to die a death shortly afterwards. I'd have thought something like this would have spread like wildfire on the underground circuit, but it vanished almost as quickly as our mysterious tipster.

I suppose we should be thankful...

For a long time, I've been fascinated by what I like to call the "Rogue web browser" - a web browser that abuses the trust we place in our gateway to the web, and subverts its use for something more sinister. Here's a brief potted history of the known examples:

Yapbrowser, April 2006: A web browser that didn't force install, asked permission and displayed a EULA. Unfortunately, it also took you to a webpage pushing hardcore child pornography when you typed any address into the browser.

Safety Browser, May 2006: A web browser that installed without permission via IM, looped a soundfile on your desktop, served you ads via geolocational technology and made your PC more unsafe than it was previously by allowing popups by default.

Browsezilla, June 2006: Allegedly inflated the hitcount of pornographic websites by opening up those pages in a way that the end user couldn't see the pages being opened, linked to sites launching the WMF exploit.

NetBrowserPro, March 2007: Pushed fake media codecs, installed a rootkit, preyed on trusted brands.

Well, it's been a while but later on we'll be covering another addition to the list. We actually came across this last July, but as we said here, we didn't go into specifics because

1) We wanted to give Myspace some time to address the problem, which they seem to have done.

2) We didn't want lots of crazy people to go hunting for the program being used, given that Myspace sometimes takes a little while to tackle security issues brought to their attention and

3) Nothing tried to exploit your PC or steal your data, or we'd have released more information sooner. The solution to the problem caused by the program was simply to not post any personal or potentially "sensitive" information to private Myspace groups - if you weren't doing that (and you shouldn't be anyway!) then you had nothing to worry about.

4) The program itself was rather buggy, and had an extremely low rate of success. After exhaustive testing, we only saw it do what it was supposed to do twice. No sense in causing a panic.

At any rate, it's been eight months and the program doesn't appear to work at all now. With that in mind, we'll take a peek a little later on...

This arrived in my mailbox a few days ago:

par1.jpg

The EMail reads:

"This is a message from add me on msn, paris84fun@hotmail.com:
 
 add me on msn, xxx@xxxxxxxx.com thought you might enjoy checking out this blog on MySpace.com! You don't have to join MySpace.com to view the blog. Just use the link below.

[url removed]

Interesting - we have people setting up fake accounts on Myspace, sending out "check out my blog" messages to spam lists and then....

par2.jpg

par3.jpg

Pimping their spambots via phoney blog entries.

Shall we see what happens next?

janeh1.gif

As you can see, it's a standard bot script that's been around since time began.

Almost had me fooled for a moment there, too...

Koobface On The Prowl Again

Yes, our least-favourite Facebook "friend" is back on the scene, infecting PCs as it goes. This time round, the scam involves taking you to a fake Youtube page (that actually looks more like a Myspace player...doh), claiming it's a "Secret video from Tom". Click the video, download the supposed "Flash player update" and run it to ruin your weekend.

If you want to go down a different route however, when you see a message like this from your friend:

kf1.jpg

Delete it, and let your friend know they have a problem that needs fixing in a hurry! As you can see, most of the messages in this latest wave play on the fear of being seen in "mysterious" videos being spread across the web. The main one being publicised at the moment is a message with the title 'You look just awesome in this new movie.' However, there are plenty more variations out there - the one above, for example, says "Don't worry; the whole Net will see this video".

For the curious, the fake video player page will look something like this:

kf2.jpg

We detect this as Koobface, rather unsurprisingly!


Interesting Myspace Feature

Bands on Myspace have been targets of hackers, scammers and phishers for quite some time - grab the account of a popular artist or twelve, and all Hell can break loose. I was surprised to see this when doing a few searches on Myspace earlier today:

oasis.gif

As you can see, the "official" band profile is surrounded by a striking red border (no, we didn't add that ourselves) and it says "Myspace Verified - Official Artist" at the top. This is a great way to cut down on the possibility of scammers impersonating legit acts. Not sure how long this feature has been in place, but a good idea methinks...

Something I've Noticed...

In the last few days while randomly clicking around Facebook, I was surprised to see this appear when clicking an external link:

fbleave.jpg

Not sure when they started doing this, but definitely a good move as more and more people continue to target Facebook. Of course, Myspace have been popping up a "You are about to leave..." page for quite some time - out of interest, does anyone out there know of other types of website (non social networking ones) that have to resort to this kind of thing? Or is it only the 2.0 sites that have to pop up these warnings all the time?

I think we know the answer to that one...
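One way a site can implement that kind of "you are about to leave" check, as an added example that is not Facebook's or Myspace's code. It goes a little beyond the post in showing why the check must be done on the parsed hostname rather than a substring match; SITE_HOST, LEAVE_PAGE and every hostname in it are constructed placeholders.

```javascript
// Added example: an "about to leave this site" interstitial for links in user content.
// SITE_HOST, LEAVE_PAGE and all hostnames below are constructed placeholders, not real values.
const SITE_HOST = 'social.example';   // the site's own registrable host
const LEAVE_PAGE = '/leaving';        // path of the warning page
const SAFE_SCHEMES = new Set(['http:', 'https:']);
const BASE = 'https://' + SITE_HOST + '/';

// True only for SITE_HOST itself or a real subdomain of it. Matching on the
// dotted suffix rejects lookalikes such as "social.example.attacker.test"
// that a naive href.includes(SITE_HOST) check would wave through.
function isOwnHost(hostname) {
  const h = hostname.toLowerCase();
  return h === SITE_HOST || h.endsWith('.' + SITE_HOST);
}

// Classify one href as 'internal', 'external' or 'blocked'. Relative links are
// resolved against the site's own origin; anything that is not http(s), such as
// javascript: or data: URLs, is blocked outright rather than warned about.
function classifyLink(href) {
  let url;
  try {
    url = new URL(href, BASE);
  } catch (e) {
    return 'blocked';                              // unparsable, never emit it
  }
  if (!SAFE_SCHEMES.has(url.protocol)) return 'blocked';
  // The URL parser separates userinfo from the host, so
  // "https://social.example@evil.test/" yields hostname "evil.test"
  // and is correctly treated as external.
  return isOwnHost(url.hostname) ? 'internal' : 'external';
}

// Rewrite an href for output: internal links pass through unchanged, external
// links are routed via the warning page, blocked links are dropped (null).
function rewriteHref(href) {
  const kind = classifyLink(href);
  if (kind === 'blocked') return null;
  if (kind === 'internal') return href;
  const target = new URL(href, BASE).href;         // absolute, normalised form
  return LEAVE_PAGE + '?u=' + encodeURIComponent(target);
}

// On the warning page: recover the destination from the query string and
// re-validate it, so nobody can abuse /leaving?u=... to bounce a visitor to a
// javascript: URL or another non-http(s) target. Returns null when invalid.
function leavePageTarget(search) {
  const u = new URLSearchParams(search).get('u');
  if (!u) return null;
  return classifyLink(u) === 'blocked' ? null : u;
}

// Browser-side wiring: rewrite every anchor inside a container of user content.
// Only runs where a DOM exists; the functions above are pure and run anywhere.
function installInterstitial(root) {
  for (const a of root.querySelectorAll('a[href]')) {
    const rewritten = rewriteHref(a.getAttribute('href'));
    if (rewritten === null) {
      a.removeAttribute('href');                   // neutralise javascript: links
    } else {
      a.setAttribute('href', rewritten);
    }
  }
}

if (typeof document !== 'undefined') {
  installInterstitial(document.body);
}
```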

A contact of mine passed this URL over to me - it was posted to the Myspace page of his friend a while ago, and he thought there might be something a little odd about it. The site is called

friends-to-friends-only.com

When you arrive on the page, you'll see this:

Snap1.jpg

The text reads "Our system indicates that a pic from your IP address has been uploaded to this site within the past 48 hours". In addition, an incredibly creepy MP3 recording says the same message out loud. Note the blurred out images in the background, too - all in all, it's a remarkably freaky and somewhat worrying thing to see upon arrival. At the top of the page (not in the screenshot), it says:

"Privacy Note: We never send SPAM to your email address. We never sell your personal info.
This is NOT a MySpace or Facebook login page. MySpace/Facebook users are not authorized to participate on this website."


That's a strange thing to say, isn't it?

Click "Ok", and...

Snap2.jpg

Already, you're being asked for the name of your friend, and your full name complete with an email address. At this point, you'd have absolutely no idea what was going on here. There's a definite sense of them wanting to make sure everything you do is correct - hover over the input boxes, and a popup appears that says "It is very important that you type your email address accurately so that we can match our records correctly".

At this point, most users would probably be wary of Phishing or some form of EMail harvesting.

The next box makes things even more alarming:

Snap4.jpg

"You may use current password"? This begs the question - what current password? You've never been to this site before, and you don't have one. But wind back a little bit, and remember that you've already handed over an EMail address on the previous question. As this link was appearing on Myspace pages, it's a good bet that a portion of users will have entered the EMail address used for their Myspace account.

Cynics would argue those same users might think they're supposed to use their Myspace password above, thus handing complete strangers their Myspace login. Yes, the site says "Myspace users not allowed", but this seems somewhat redundant - if this link appears on a Myspace profile and that user visits, they're certainly not going to leave the site after being panicked into thinking the site has mysterious pictures of them being stored on it.

And who could blame them?

Either way, hit Submit and you're presented with an alert that says they need to know how you found this site. The text reads:

"Most people are sent a link to this site on their GMail, Hotmail, Yahoo, Google or Facebook account". It then lists said services, along with a few others underneath. Most of the links lead to the same URL, but click the "I got here from Myspace" link, and you're presented with the following:

Snap7.jpg

There's no other explanation given, but it seems somewhat peculiar that Myspace have taken the step of trying to remove all association from whatever this website is offering. Select one of the other options, and you'll be hit over the head with a popup that says

"FINAL STEP: Our system indicated that your friend recently bookmarked and reserved this page just for you!"


All nonsense, of course. But jump through some more hoops anyway, and...

Snap9.jpg

...are we there yet? The end result of all this is......

Snap10.jpg

....the worst attempt at humour I've seen in a long time. Needlessly worrying people with a load of fictitious nonsense about "pictures", confusing and pointless prompts that could theoretically cause people to hand over Myspace login information at different stages of the process......not a great combination. And we're not done yet. Click away from the picture above, and you're presented with a highly detailed "What Next" guide:

Snap11.jpg

It's the next bit that really cracks me up, though:

Snap12.jpg

I don't know about you, but I'm not sure I'd want my users to visit a site like this anyway. It might be entirely harmless - and to be fair, the EMail address I created just to use on this website has never been sent a single spam mail - but the package taken as a whole makes me distinctly uncomfortable.

There are also a lot of alternate URLs leading to the same site - one brave soul has done a lot of digging on this, and come away with a jackpot of web addresses. They're also quite adamant on the notion that this whole thing is a Phishing scam - while I'd like to take a more "wait and see" approach where that's concerned, I'd personally advise anyone reading this not to use this particular website, regardless of the URL used to get there initially.

A (Lemon) Party On Your Desktop

Shockmemes have become a big deal in hacking circles recently, and whether it's catching out priests with Meatspin or leaving a nice surprise on phished Myspace pages, everybody wants a piece of the action. Well, the use of Shockmemes in hacking and cracking circles takes another plunge into the world of bleeding eyeballs and crying children the World over with this latest infection. Currently doing the rounds on the "Let's ruin your day" circuit, this bundle of joy (once run by the unsuspecting Windows end-user) will make your previously beautiful and clutter free desktop....

lemon1.jpg

....look like this:

lemon00.gif

Oh my, is that 40+ copies of Lemonparty on your desktop? I think it is.

In addition to your new favourite desktop image, you'll find that the author of this file wants you to see more of Lemonparty.

A whole lot more, as it turns out. Within minutes, your desktop will look like this:

lemonallz.jpg

Whoops.

Your entire PC has been taken over by endless respawning images of three old guys having the best time of their lives in a hotel room. If you reboot the PC, they'll come straight back. If you go into task manager and kill the process that keeps creating duplicate images, your desktop will be clean for about ten seconds...then they'll come straight back. Your PC will slow down to a crawl, making it even harder to go looking for the hidden files that keep the party going.

Even trying to get screenshots of the files involved was nearly impossible due to the images' insistence on hogging every square inch of your monitor's real estate. As a matter of fact, when I asked my colleague to grab a shot of the file responsible for bringing the desktop hijacks back to life each time, what should pop up but...

lemonlol.jpg

This is one party you just can't stop.

We detect this as LemonLover. And this is quite possibly the funniest thing I have ever written about.

Additional Research: Chris Mannon, Senior Threat Researcher

I see all sorts of weird and wonderful things on EBay. Today I'm going to take a look at various hacking sales, and also a bunch of Myspace related "offers". As you probably already guessed, most of this is borderline dubious enough for it to be plastered with notices to EBay about how they "Comply with the Terms & Conditions". With that out of the way, let's dive right in...

bay1.gif

There seem to be quite a lot of these on sale at the moment - Myspace accounts with high friend counts and low profile IDs. As the blurb says for this one:

"This is a myspace account with a low digit id number and lots of friends everything will be email to you ,i cant give you the url cause of safety reason".


Yes, for "safety reasons". Nothing to do with selling accounts being against the T&C of Myspace, honest. Here's another one:

bay2.gif

In all cases, these sales seem to be by new EBay users with zero feedback. Would you trust them? I certainly wouldn't. Here's an interesting one for the "Buy it now" price of $25:

bay3.gif

That's an inventive way of making money, isn't it? Of course, it's easily abused too. Do people really hand over their logins for things to random people on EBay? Really? Wow.

Another method of making money via EBay in relation to Myspace is offering to increase the play count for musicians, through a combination of manual plays and automated software. Here's one:

bay4.gif

From the text (Bold added by me):

"As a free extra we will also up your page views to make it reflect your plays. this way you dont have over a million plays and only 20 views. that would look bad. so we will up both at the same time and help you climb the myspace charts. 

We are here to get you to the top of the myspace charts. We give you 100% natural plays and they look real too. We don't just play one song over and over, we play them and with our software, it's untraceable so you can't get caught."


Nice.

However, there's so many to choose from...

bay5.gif

This time round, the blurb is as follows:

"many sellers claim to have made the software/script/program.
many of sellers claim to have rights to these items.
many of sellers claim the HITS are unique.
but what most sellers don't tell you is amidst the lies,is...
WHAT THEY'RE SELLING WILL GET YOUR ACCOUNT DELETED!!

it also comes with PROXY capabilities to avoid deletion.and make HITS UNIQUE."


I love how twitchy and on edge most of these listings seem, like they think they're going to get busted at any second. Now, it's time to switch attention and see what's up for grabs in the realm of hacking and cracking:

bay6.gif

Well, that's....blatant. Nice that you buy one, get one free though. His description of the hacking tools on offer is hilarious:

"guys!! i've been buying hacking software in diffrent places,online etc...

and check this out me and my family went to Germany for vication last week ,and i went to internet CAFE to check my ebay,...in then  theres one dude come up  to me and asked if i wanna buy hacking software,, and i said ok let me see it, and he show me some programs and its verry cool uneek progz..i mean its the best software ive ever SEEN..AND I HEARD GERMAN MAKES CRAZY PROGZ! THATS WHY I TRUST HIM.

THERES A 69  PROGZ THAT I HAVINT TRYED YET..COZ I DONT EVEN KNOW HOW TO USE IT"


...um.

bay7.gif

This guy takes the "This is for educational purposes only" approach, and claims everything on offer is distributed under the "Freedom of Information Act". Then you scroll down and see him talking about learning to "spy on people with secret keyloggers" and you wonder about people's freedom to not be hijacked by stupid tools like these.

Finally, here's one seller that gives a shoutout to some pals:

bay8.gif

Surprisingly, EBay isn't awash with content such as the above. Probably just as well...
You're a leet scriptkiddy and you just hijacked a Myspace profile. Do you

A) Experience remorse and hand the login back to its rightful owner
B) Feel like too much of a wimp to simply give it back, but pretend you "found some logins" and get into your victim's good books
C) Insert a piece of custom-made HTML that overlays the entire profile with a fullscreen blast of Meatspin.com?

spincode.jpg

...yeah, we know what option they're going to pick.

Sure enough, visit a hacked profile containing the code (and you're not going to know it's hacked until you've actually hit the page) and...

spinning.jpg

It's interesting how much shock memes are used in hack attacks nowadays - on the bright side, I managed to create what may well be the world's first Safe For Work screenshot of Meatspin. Admittedly most of it is blanked out, but hey - it only took me six spins to do it...

Fake Paypal Bruteforcer

I see a lot of programs designed to hack the wannabe hacker. It's been a trend for some time now for professional Phishers to offer up Trojaned Phishing kits to newbies (so they can watch the newcomer do all the hard work then snatch the booty at the last second), and the practice of hackers placing bait for wannabes such as this has probably been going on for a lot longer.

In that tradition, then, I have for your entertainment today a fake Paypal brute forcer, which is actually nothing more than a fake front-end, designed to be bound to the real payload which will hijack the wannabe Paypal cracker. Of course, that payload can be anything the creator so desires. Here's what it looks like:

pp1.jpg


Note the "Dictionary.com" message, obviously designed to make the wannabe hacker think there's a monstrous word-list to accompany this "bruteforcer". The somewhat arty graphic of what I presume is a credit card is a nice touch, though perhaps I'm moving somewhat off topic at this point. The moment the wannabe hacker hits the "Brute Force" button, whatever payload has been bound to the front-end is activated, and the wannabe just got owned:

pp2.jpg


Our hapless wannabe will be waiting a long time...

Haven't Seen These For A While...

Hmm, something doesn't look right about this person on a random friend list I came across today:

fred1.jpg


Why hello there, "Freddy". Should you visit the profile, Freddy seemingly has a rapid identity change:

fred2.jpg


This is (of course) a fake graphic placed on top of a real profile (in this case, a "Comedy" profile). Note that they haven't aligned it very well, though they do score bonus points for ensuring that both "Angelina" and every single fake person in their contact list are showing as "Online now". Click the image, and you're taken to (surprise, surprise) a dating website:

fred3.jpg

There was a time when I would stumble across these overlaid profiles every other day (not to mention the endless friend requests from Bots promoting similar websites), but the friend requests have long since dried up and I hardly ever see these kinds of profiles anymore.

That's not to say they're not out there anymore, but it would be nice to think Myspace have cracked down on these in recent months...

Twitter Spamrun

I saw a message on Twitter here from one of my contacts, and decided to go check it out. What I found was an unhealthy dose of spam profiles all pushing the same collection of products (most of which seem to be purchase only).

The product being promoted here is something called "Twitter Friend Adder" which costs $50 to buy. Here's the profile in question:

tfa2.jpg


In addition to the profile site_test3, there's the original site_test profile and numbers 2, 4 and 5. In addition to those, there are what look like more placeholder profiles that haven't been made live yet numbered 6, 7, 9, 10, 11, 12, 13, and 14.

tfa3.jpg

Reminds me of the way people create sock-puppet accounts on Myspace...
A "Myspace Cracking tool" has recently come to light, though if you're considering attempting to crack some Myspace accounts with this:

mscrkff1.jpg


....then you might want to think again, on account of it not being quite what it seems. This "cracking tool" is only after one person's details: yours. Run it, and you'll see the following (somewhat bizarre) message, which should be your first clue that all is not quite right here:

mscrkff2.jpg


At this point, your CD tray may well pop open - perhaps in tribute to the Trojans of old that did pretty much the same thing. At any rate, you're certainly not cracking any Myspace accounts, and after a faint grinding from your PC you're left to sit and stare at your desktop, wondering what went wrong. Here's a clue - have a poke around inside the EXE, and some lines of code will likely start to give the game away:

mscrkff3.jpg


..."Firefox password grabber"? Oh dear.

The observant end-user will notice a .txt file appears on their C Drive, and it contains all the stored passwords saved via Firefox on their computer:

mscrkff5.jpg


As you can see, the bad guys here seem to be exploiting a well known password recovery tool for nefarious purposes - in this case, Firepassword. You're probably wondering what happens with the stored login details at this point - well, do some more digging in the code and you'll see this:

stolen.jpg


The stolen Firefox passwords are sent to an FTP drop set up by the hacker, and every login you had stored in Firefox at that point is immediately at risk. Of course, if you're foolish enough to play around with hacking tools then there's a good chance you're going to get burned sooner or later...

We detect this as FoxPass.

The Facebook News Feed is something that tells everyone on your friend list what both you (and everyone on your friend list) are doing, and it's the first thing you see when you login:


feed0.jpg


Effectively, it takes bits and pieces of all the smaller feeds and rolls them into one. However, imagine instead of the above in your feed, you see something like this:

feed1.jpg


Those are customised messages inserted into your feed - and there's a good chance everyone on your Friends list will see it on their own feed when they login to Facebook.

This would happen because someone has made a Bot for Facebook that allows you to insert your own custom message / image / clickable link into your Facebook feed. I've no idea if this is against the Facebook Terms of Service or not, but I can only imagine the chaos that would ensue if someone purchases this application then decides to use it for nefarious purposes. It's being promoted as a sales / marketing tool, but from a security standpoint it seems potentially disastrous.

If a bad actor buys their own Bot, imagine the Myspace-style spam campaigns that could take place...everything from malicious URLs to obnoxious flashing banners could be the order of the day. At the very least, one would hope the makers of this Bot have some quality control going on with regard to Bot owners. More here.

Hat-tip to LoLo

Myspace Drive By

Spotted in the wild (like they're spotted anywhere else!)

Apparently the following happened while someone tried to view a blog post:

msdb1.jpg


A fake "your system may be infected" popup. Note the site it launches from is one of the more aggressive types (it shrinks your browser down into the bottom corner, and won't let you do anything other than cycle in an endless loop of popups until you agree to download the file being pushed).

These kind of attacks occur because of rogue adverts being pushed into advertising space, which is likely what happened here. If you are unfortunate enough to be trapped by an attack like this, don't panic - just do a CTRL+ALT+DEL and close the browser window...

A Note Of Caution....

In the last few days, we've discovered a program that attempts to get around certain privacy related features on Myspace groups (which are effectively mini-forums run by Myspace users). Note that the program doesn't attempt to do anything to individual end-users like infect their PC - and as long as you're not posting up personal / private information to Myspace groups that you don't want to risk being grabbed by nefarious individuals, you have nothing to worry about. (As a general rule of thumb, you shouldn't post sensitive information to any third-party website in any case, but that's another story).

We're not posting up any additional information at this time, because we don't want to cause a mass stampede by people to grab the files in question and start using them left, right and center until Myspace has had a chance to tackle the problem.

For now, we've passed on everything to Myspace and hopefully they'll be able to resolve this speedily.
I've had a few people mention "odd things" happening when trying to install an application on Facebook called "Gridview". Well, I decided to try it out. On the install screen, you see this:

gview7.jpg

Makes sense so far. Here's the install screen where you agree to let the application loose on your profile:

gview8.jpg


Once done, you see the following screen and this is where it all starts to go a bit wrong:

gview6.gif


Note that the application is ALREADY installed by this point, because the Gridview icon is on your list of current applications (highlighted by the red box on the left).

However, top right (also highlighted) is a box made to look like a standard Facebook "continue" button. When installing the application for the first time, this caught me out too - I didn't notice the app was already installed and (naturally enough) clicked the "continue" button, thinking there was something else I needed to do to complete the installation.

Imagine my confusion, then, when I was suddenly presented with this:

gview2.jpg


A page asking me to download "Mothers Day E-cards", via IAC (creators of Smiley Central, amongst other things). By this point, you've left the Facebook network completely and are sitting on a page served up by an advertising network - go back to the Facebook screenshot above and check out the URL at the bottom of the browser. That's the actual destination of the "Continue" button.

That's a pretty sneaky tactic, if you ask me.

What needs to be established is, who is responsible for the placement of the fake "Continue" button? Is it the creator of the application, or is it legitimate advertising space on Facebook being subverted in a rather creative fashion by an advertising agency promoting IAC products?

I've tried reinstalling the application a few times, and the graphic displayed sometimes changes to more overt "this is an advert" style banners leading to other sites offering similar downloads / offers. Other applications installed don't seem to display sneaky adverts like that in the same location, but every application install is somewhat different so that's not really a conclusive answer.

At any rate, be wary of what you click on when installing Facebook applications...
Interesting article over at PCWorld:

One of the first social networking upstarts, MySpace, is facing continuing security problems that threaten to spoil many of the innovative features that make the site useful.

Hackers, spammers and Internet malcontents have turned many of the "group" sites, which are dedicated to interests such as home beer brewing, animal welfare and gay rights issues, into cyber-graffiti walls, filled with offensive comments and photographs.


Link here.


Haven't Seen This Before...

A lot of wannabe hackers - kids, mostly - have the idea to set up a forum, then go running to the first free forum provider they can think of. In my experience, just because the host is free doesn't mean they'll automatically be a host that tolerates hackers, spammers and all the other nefarious characters out there (in fact, it was a free host that actioned the quickest takedown I've ever been involved in - from start to finish, something like four minutes in total).

Anyway, I see this on Myspace:

darkhat1.jpg


When I arrived, the site had already been shut down but it's the page displayed that makes me curious:

darkhat2.jpg


The above seems to suggest some sort of automated "blocking / flagging" system in place that runs on behalf of the people running the free forums. There's a little more information available on their frontpage, but other than that I can't seem to dig out much information on it. Anybody know anything else about Onlineguardian? Seems like a useful tool for forum providers...
I'll be writing a series of blogs looking at the problem of Myspace Trolling, which has long since gone beyond the point of no return. People who pretend to be Pirates - please, don't ask - use a combination of system glitches and general foulness to make the Myspace experience as unpleasant as they possibly can. Moderators and Forum Owners complain to Myspace all the time, seemingly to no avail - when are Myspace going to tackle this issue head on?

See the first writeup here. Subsequent articles will be found under this tag.

Latest Myspace Spam

A new one to watch out for - a random friend request which turns out to be a page littered with horrendous spelling mistakes and the promise of getting rich quick:

kayla.jpg



Some of the better ones include "Ah Now Dont Give Me that Griny Smile huh ..!", "I was Enving him" and my personal favourite, "Look Here i am sharing this with all Myspacian's".

..........oh-kay. Clicking the link takes you to a paid survey site, which throws up a popup saying "I will NEVER share your information with ANYONE! I hate spam as much as you do."

Someone should tell that to whoever signed up to their affiliate program...

The fake Windows Update popup has been doing the rounds on Myspace for a long time (we're talking at least June 2007). Every now and again it returns, usually varying the payload. Well, here we have an example where Phishing is involved and a sneaky imitation of a well known security program is thrown in for good measure. Find out more after the jump...

It's A Trap!


I had this waiting for me in my Myspace friend request box today:

zoespace1.jpg

...uh. I had pegged this as a standard fake profile, but the addition of the personalised "Why, hello there" message wasn't something I'd seen before with one of these fake profile requests. A look at the profile, and...

http://blog.spywareguide.com/upload/2008/05/zoespace6-thumb.JPG

.....strange - not the usual fake profile hurling adverts for ringtones, Adware and who-knows-what at me. It's a bit arty, a bit daring - certainly in your face, but for once, it's not adverts and scams in your face, and that's a refreshing change. Could it all go wrong with the "About Me" text though?

zoespace3.jpg

Apparently not. There's no mention of the latest Viagra pills or even a webcam. This is weird. It's almost too good to be true.

Almost.

Click anywhere on the page, and (courtesy of an invisible overlay)....

http://blog.spywareguide.com/upload/2008/05/zoespace5-thumb.jpg

Doh! And we were doing so well for a while there...

In January, everything went a little crazy because of a Facebook application that (if you believed the hype) force installed Zango, hijacked your PC, set fire to your house, killed your pets.....well, you get the idea. In actual fact, the truth of the matter was a little more convoluted. All I could see was that this application opened up a popup, which (every now and again) would just happen to be an advert for Zango. Hardly Earth shattering, but of course it did switch people on to the fact that they needed to be careful which applications they gave permission to access their data while on Facebook.

Well, a few months on and it looks like the BBC had a coder create an application (in three hours or less) that could swipe a whole pile of data on both you and your friends, before mailing it back home to base. I can't stress enough - when it comes to social networking sites, NEVER post anything you wouldn't feel comfortable posting on an otherwise open and accessible site such as your blog, personal website, whatever. I have pages on Myspace, Facebook, Orkut and a whole bunch of others - and there is NOTHING on them that you couldn't find elsewhere. There is no hidden treasure trove of data to mine, and so I don't care what happens to it because it's all out there in the public domain anyway. This is what I've been telling people for the longest time, and it works.

A few days ago, I talked about the oddly intrusive chat attack I experienced, and how FaceTime products can control / lock down / fire into orbit Facebook applications where necessary. To date, there haven't been any applications out there that have gone in and done all sorts of horrible and malicious things to end-users on Facebook. Personally, I've been more concerned about applications that allow people to post a seemingly endless and imaginative array of body parts in various comical situations. Nobody really wants that all over their desktop in a regular workplace environment, right? However, this seems to me to be a warning shot of sorts - a warning that we not only need to consider locking down applications that cause annoyance and embarrassment, but also to keep an ear to the ground as we await the inevitable arrival of the "I BREAK STUFF" application.

Coming soon to a Web 2.0 site near you...

April 1st, 2008: Who Is Watching the Detectives?

We write about an interesting "system error" (as Myspace called it) that allowed people to track other Myspace users that were visiting their page, after having notified Myspace about this issue.

April 16th, 2008: Who Is Watching the Detectives Part 2

This still hasn't been fixed, and (worse still) it looks like this has been in circulation since at least October 2007. Hurry up, Myspace...

April 30th, 2008: It looks like this has finally been fixed, and it's no longer possible to auto subscribe visitors to your video subscription channel. Hooray! Score one for the good guys - that's one less tool hackers, Myspace Trolls and crapflooders can use to game the system.

One down, plenty to go....

Here, Phishy Phishy....


I swear these programs keep getting smaller. Weighing in at around 30 kb, this is one of the newer automated phish creation programs currently in circulation. Behold, a strange cube icon on your desktop:

pd1.gif

Run the program, and you end up with a devastatingly idiot proof phish creation tool. In a nutshell, you enter the URL of the site you want to target and also the place where your phish script is located. It sucks down the content of the target site and jumbles it up with your phish script - hey presto, one Phish page ready to roll.

Facebook...

http://blog.spywareguide.com/upload/2008/04/pd2-thumb.gif

Myspace...

http://blog.spywareguide.com/upload/2008/04/pd4-thumb.gif

And, just to show that it will suck down pretty much any site you enter, here's Google search engine...

http://blog.spywareguide.com/upload/2008/04/pd3-thumb.gif

On the bright side, this one doesn't come with spoken help files...

A few weeks ago, I wrote about a technique that could be used to track the people hunting bad guys on Myspace. Well, I was curious how long this had been in circulation for. Thankfully, some of the people using this are pretty stupid so of course, wandering through their photo galleries proved particularly useful:

newcde1111.jpg

Check out the date - October 26th, 2007. So this has been in circulation since at least that date....oh dear. Note that this particular individual talks about using it in conjunction with IP trackers, too. I've been somewhat out of the loop on this one due to attending conferences, but I've just tried it out again and can confirm that it still works.

As we said in the original blog entry, if you don't want people to track you in this way (until Myspace actually fix this) then add the following to your HOSTS file:

127.0.0.1 vids.myspace.com   # HOSTS entries need an address; this sends the video subscription host nowhere

...and you should be fine.

It's well known that law enforcement, security researchers and groups that track down / remove pedophiles, trolls and crapflooders from Myspace spend a lot of time networking, watching profiles, tracking dubious individuals through their postings, friends lists and other things too numerous to mention.

It's a tricky business, and can potentially place people like myself at great risk of being found out, exposed or raked over the coals if one of these bad guys works out you've been trailing them for the past three months.

What happens, though, when the bad guys have a method to know exactly who is watching them? And what are the consequences?

Well, ponder no more because they're already doing it. Someone, somewhere has come up with a method to track people using Myspace itself - if you visit that person's profile, they will know who you are and be able to take (in)appropriate action. This method is already in use amongst Myspace trolls, and has been seen pasted to at least one hacking forum. You can bet this is doing the rounds on the underground circuit.

How do they do this?

By taking a few lines of code and placing it onto their profile (note that we're not disclosing any information about the code yet, as Myspace are still fixing this and we don't want to help more people to use this than are already doing so). When you visit that profile, you are automatically subscribed to that person's video channel.

Simple, sneaky, effective. To the regular user, this isn't too much of an issue - people can paste in coded "trackers" onto Myspace pages that attempt to log IP Addresses, browser type, country etc. "All" this does is tell the bad guy which Myspace users have visited their page.

However, this isn't so good for anyone hunting down hackers, pedophiles and other dubious characters because

a) they will know if, say, Paperghost has suddenly started poking around their profile and
b) pedophiles and other predators will spot "Officer Jackson" popping up on their subscriber list and likely go underground or vanish altogether.

Worse, the code can be pasted anywhere - a hacker could place it on their blogspot blog, or a forum, or anywhere else for that matter - if someone visits that page while logged into their Myspace account, they will still potentially end up on the hacker's subscriber list.

How does it work?

Well, here is a shot of my friend looking for me on Myspace:

msvids1.gif

Naturally enough, they find me:

http://blog.spywareguide.com/upload/2008/04/msvids2-thumb.gif

They click on the top link, and visit my page.

http://blog.spywareguide.com/upload/2008/04/msvids3-thumb.gif

However, if they now go and check their video channel subscriptions, they'll find they've automatically been subscribed to my video channel.

http://blog.spywareguide.com/upload/2008/04/msvids4-thumb.gif

At this point, it's time to let my friend logout and log back in as myself. If we now look at a screenshot (which I took myself while logged in), you can see I have a new subscriber - the person that just visited my profile (bottom left):

http://blog.spywareguide.com/upload/2008/04/msvids5-thumb.gif

As time goes by and more people visit my profile, they'll all find themselves automatically added to my subscriber list:

http://blog.spywareguide.com/upload/2008/04/msvids6-thumb.gif

In this way, you will have a record of every single Myspace user that has visited your profile page.

How can you combat this?

Well, it's surprisingly easy to get around this scam (which Myspace are working to fix, by the way - we notified them of this on Sunday, and I know at least one other individual has apparently reported this too). If you're a regular Myspace user, you may not be too bothered by being subscribed to some random person's video channel. If it bugs you, simply go to

http://vids.myspace.com/index.cfm?fuseaction=vids.myvideos

Then click "My Subscriptions", and under the "Subscriptions by User" category it'll show a list of every person who you are currently subscribed to. Click their Username, then hit "Unsubscribe".

Job done.

If you happen to be in Law Enforcement, Security Research (or happen to be anyone that doesn't particularly want to be tracked in this way, for that matter) simply add the below to your HOSTS file:

127.0.0.1 vids.myspace.com   # HOSTS entries need an address; this sends the video subscription host nowhere

And all subscription attempts should fail miserably.
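The auto-subscription trick described above works because the subscribe action fires for anyone who merely loads a page while logged in: the browser attaches the Myspace session cookie automatically, and the server treats that cookie alone as consent. The standard fix on the site's side is to require a per-session anti-CSRF token in the subscribe request, something a third party's page cannot read. The Python below is an added, simplified model of that check; it is not Myspace code, and the Session, Request, login, csrf_token_for and subscribe names are my own. It shows a forged cross-site request (cookie present, no token) being refused while a genuine form submission goes through.

```python
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Dict, Set, Tuple


@dataclass
class Session:
    """Server-side session. The csrf_token is only ever rendered into the site's own forms."""
    user: str
    csrf_token: str = field(default_factory=lambda: secrets.token_hex(16))


@dataclass
class Request:
    """What reaches the subscribe endpoint: the session cookie (sent by the browser
    automatically, even when a third-party page triggered the request) plus the form fields."""
    cookie_session: str
    form: Dict[str, str]


SESSIONS: Dict[str, Session] = {}        # session id -> session (hypothetical in-memory store)
SUBSCRIPTIONS: Dict[str, Set[str]] = {}  # user -> channels they are subscribed to


def login(user: str) -> str:
    """Create a session and return the id the browser will store as a cookie."""
    sid = secrets.token_hex(16)
    SESSIONS[sid] = Session(user=user)
    return sid


def csrf_token_for(sid: str) -> str:
    """Token the site embeds in its own subscribe form (hypothetical helper)."""
    return SESSIONS[sid].csrf_token


def subscribe(req: Request) -> Tuple[int, str]:
    """Subscribe endpoint. Returns (HTTP status, message)."""
    sess = SESSIONS.get(req.cookie_session)
    if sess is None:
        return 401, "not logged in"
    # A page on another site can make the browser send the cookie, but it cannot
    # read the token out of our form, so a forged request arrives without it.
    token = req.form.get("csrf_token", "")
    if not hmac.compare_digest(token.encode(), sess.csrf_token.encode()):
        return 403, "missing or invalid csrf token"
    channel = req.form.get("channel", "")
    if not channel:
        return 400, "no channel given"
    SUBSCRIPTIONS.setdefault(sess.user, set()).add(channel)
    return 200, f"{sess.user} subscribed to {channel}"


if __name__ == "__main__":
    sid = login("visitor")
    # Forged: fired by code on someone's profile; cookie present, token absent.
    print(subscribe(Request(cookie_session=sid, form={"channel": "tracker"})))
    # Genuine: submitted from the site's own form, which carries the token.
    print(subscribe(Request(cookie_session=sid,
                            form={"channel": "friend", "csrf_token": csrf_token_for(sid)})))
```

The token check is the server-side counterpart of the HOSTS entry above: the HOSTS entry stops the request leaving your machine, the token stops the server honouring a request that did not come from its own form. Marking the session cookie SameSite is a further layer a site can add, but the token check alone already defeats the "visit my page and you're subscribed" pattern.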

The last contact I had with Myspace was last night, and they said

"Hello,
We are working to fix this error. We do not have a reliable estimate at this time.

Thank you,
MySpace.com"

Hopefully, they will fix this quickly. The damage is already done, and bad people are using this to full effect. The issue here is that the only people who seemingly didn't know about it were the good guys - the ones most at risk from this code. The only way to mitigate this risk to people hunting the bad guys is to provide a simple (yet entirely effective) antidote to this latest wave of dubious behaviour, which we've provided for you above.

Take my advice and use it until Myspace can confirm this is entirely locked down.

Myspace Shutdown Prank


Myspace hacking tools are a magnet for wannabe script kiddies and leet hax0rs. Here's the latest one I've seen in the last couple of days:

fmshk1.gif

....ooooh. But wait, it gets better:

fmshk3.gif

I've no idea who "Paul & Nick" are, but they'll probably attract a fair amount of people to this application (that weighs in at a tiny 24kb in size) before they realise it's a fake. Enter the Myspace page that you want to target (or leave it blank!), hit the "Hack" button and....

fakeshutdown1.gif

Whoops. Thanks to a line of code that says this:

00002A24 00402A24 0 shutdown -f -s -t 0

...the PC (as you probably already guessed) does indeed shutdown:

http://blog.spywareguide.com/upload/2008/03/fakeshutdown2-thumb.gif

No lasting harm is done to any PC that the file is run on. We detect this as Myspace.Shutdown.
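Both the "Firefox password grabber" earlier and this shutdown prank gave themselves away through plain strings left inside the executable. The Python below is an added example of the quick strings triage an analyst does before ever running an unknown "hacking tool": it pulls printable ASCII runs out of a file, the way strings(1) does, and buckets them by indicator category. It is not code from the blog or from FaceTime; the byte string SAMPLE_EXE, the host ftp.example.invalid and the indicator list are constructed stand-ins rather than data taken from the samples described.

```python
import re
from typing import Dict, List

# Constructed stand-in for an untrusted EXE: PE-style header bytes, binary junk,
# and a few embedded strings of the kind the blog found inside the real samples.
SAMPLE_EXE = (
    b"MZ\x90\x00\x03\x00\x00\x00\x04\x00\x00\x00\xff\xff\x00\x00"
    + b"\x00" * 8
    + b"Firefox password grabber\x00"
    + b"\xde\xad\xbe\xef" * 4
    + b"shutdown -f -s -t 0\x00"
    + b"ftp://ftp.example.invalid/drop/passwords.txt\x00"  # constructed drop host
    + b"C:\\passwords.txt\x00"
    + b"\x01\x02\x03\x7f\x80"
)

# Indicator patterns grouped by what they suggest about the binary's behaviour.
# Constructed for this example; a real triage list would be far longer.
INDICATORS: Dict[str, List[str]] = {
    "credential theft": [r"password grabber", r"firepassword", r"signons"],
    "destructive command": [r"\bshutdown\b\s+-[fs]", r"\bformat\b\s+[a-z]:"],
    "exfiltration": [r"ftp://", r"smtp://", r"\bPUT\b"],
}


def extract_strings(data: bytes, min_len: int = 4) -> List[str]:
    """Return runs of printable ASCII of at least min_len bytes, like strings(1)."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [m.group().decode("ascii") for m in re.finditer(pattern, data)]


def triage(data: bytes) -> Dict[str, List[str]]:
    """Map each indicator category to the embedded strings that matched it."""
    hits: Dict[str, List[str]] = {}
    for s in extract_strings(data):
        for category, patterns in INDICATORS.items():
            if any(re.search(p, s, re.IGNORECASE) for p in patterns):
                hits.setdefault(category, []).append(s)
    return hits


if __name__ == "__main__":
    for category, strings in triage(SAMPLE_EXE).items():
        print(f"{category}:")
        for s in strings:
            print(f"    {s}")
```

Packed or obfuscated samples will not give up their strings this easily, so an empty result is not a clean bill of health; but a positive hit on "shutdown -f" or a password-dumper name is enough to decide the tool goes into a sandbox rather than onto a desktop.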

Research Summary Write-Up: Chris Boyd, Director of Malware Research
Additional Research: Peter Jayaraj, FSL Senior Threat Researcher

Here's an interesting twist on the usual fake profile invites I regularly receive on Myspace.

fcprofs1.gif

Normally, you click the link and are taken to a standard fake profile advertising webcams or something of a similar nature. If you refresh the page, you'll see the same content - just like a regular Myspace profile. Well, in this case the code used by the bad guys means the page is no longer static. Refreshing the spam profile will endlessly cycle through a whole raft of fake overlays and images:

http://blog.spywareguide.com/upload/2008/03/fcprofs2-thumb.gif
http://blog.spywareguide.com/upload/2008/03/fcprofs3-thumb.gif
http://blog.spywareguide.com/upload/2008/03/fcprofs4-thumb.gif
http://blog.spywareguide.com/upload/2008/03/fcprofs5-thumb.gif

All of the above pop up on the profile link I was sent (you can see the URL remains the same in each screenshot).

How do they do it? Well, they're overlaying the profile page with a large clickable image, a common tactic that was used in the Myspace band hacks from a while ago. Here's the code:

fcprofs6.gif

In other words, a random image (made to look like a Myspace profile) is served from here:

free-hotwebcam(dot)com/Images/00110/KKD90g4aKKXNSTKhUvj04RO7WQDhw(dot)jpg

And clicking it will take you here:

snurl(dot)com/20h89-holo

Which redirects you to

privaterooms(dot)biz/t-main027(dot)html

...before finally leaving the end-user at the eventual destination of teen(dot)livecamfun(dot)com. The curious thing is, why would you bother to make your spam profile pages dynamic in this way? Once you've seen one, you leave it and don't go back. I can't imagine someone revisiting the page simply because the images keep changing...

A Phishy Tale


I'd been watching the antics of a 20 year old girl from Malaysia who had a serious thing for Phishing. I couldn't have predicted the direction the investigation would take when, quite randomly, I came across the following post with regard to one of her former identities:

rib1.gif

...."Ribut", eh? Interesting. A quick Google search later, and we find some interesting Ribut-related Phish pages:

ributmyspace1.gif

...don't bother to look for it, I already had it killed off. What really intrigued me here was if she had any more pages floating around under her "old" username. Using a few search strings that tend to reveal some of the more "obvious" password-stealing fake logins via Google, I stumbled across a rather unusual way of keeping an eye on Phish pages:

ads_galore.gif

There she is, buried in a pile of other phish pages. What is that a screenshot of, I hear you ask? And why exactly is she buried in a wall of phish? Well, note the title - "Where can I find these ads?"

This is a page from advertising network Adbrite, who the host of all these phish pages (2222mb.com) has an account with. If someone wants to host an advert on 2222mb.com, they make their selection and purchase ad space:

http://blog.spywareguide.com/upload/2008/02/advertiseon2222mb-thumb.gif

However, this isn't the part of the page we're interested in. You've already seen it, above, listing the "most trafficked pages" from the site in question. That's right, it appears that the most popular pages on 2222mb.com are phish pages, going off the information presented to us by Adbrite.

In fact, here's a snapshot of the current set of pages listed by Adbrite as "most trafficked pages":

currentphish.gif

...is anyone else faintly disturbed that EVERYTHING being listed for this webhost is almost always a phish page?

At this point, you normally contact the host and (depending on a whole range of factors) they kill off the rogue pages in a few days or so. My hopes were high, seeing as another host (110mb.com) with the same Admin contact (a person called Tycho Luyben, more on him later) had previously removed phish pages for me in as little as six minutes.

My first mistake, as it turns out, was getting my hopes up.

http://blog.spywareguide.com/upload/2008/02/2222mb-thumb.gif

The above is the frontpage of 2222mb.com. At the bottom of the page, it mentions Terms of Service, but you can't click into it. There is no contact email address anywhere on site, and no mention of what to do when finding evidence of abuse on the network.

Uh-oh.

As it turns out, the only way to try and get someone's attention was to register for the hosting service, then submit a ticket which......was completely ignored by whoever received it.

> http://dustyd34th.2222mb.com/myspace.php
> http://ribut.2222mb.com/myspace.php
> http://najn.2222mb.com/
> http://tjt1991.2222mb.com/myspace.php
> http://darktornadic.2222mb.com/myspace/myspace.php
> http://english-naats.2222mb.com/index.htm
> http://titan7.2222mb.com/myspace.php

....were all reported on the 21st of January, and a few days later nobody had replied to my ticket. So much for the "24 / 7" support - I added to the ticket a few days later (with words to the effect of "these pages still appear to be live?") and that was ignored too.

Okay, change of plan. Let's go to the guy who must be providing these reseller accounts to these webhosts in the first place. A quick check of the whois data for 2222mb reveals....something weird, actually. The other hosting services that are presumably reseller accounts provided to individuals by "Tycho" have different addresses listed, as you would expect (110mb.com, for example, is owned by someone in Australia). With 2222mb.com though, Tycho's own "Admin Contact" address is listed as the main contact address for this domain.

owner-contact: O-EZL21
owner-organization: E-lab BV
owner-street: Weverstede 27 b
owner-city: Nieuwegein
owner-zip: 3431 JS
owner-country: NL
owner-phone: +31 615065229
owner-email: tycho@e-lab.nl

Is the owner of this reseller account living with Tycho or something? Could it be Tycho himself? It seems unlikely, given that Tycho replied to my first email to him (sent on the Tenth of February) with the following:

"Dear,
I will tell my client to remove these asap.

Regards,
Tycho"

...."My Client"? Okay, so why is his own Admin address listed as the primary contact point for this domain when someone else apparently owns it?

Anyway, all of the above phish pages were deleted - but I had a second, final batch of pages that needed to be deleted too. As anything and everything sent to abuse@2222mb.com and postmaster@2222mb.com went unanswered, I thought I'd better send Tycho another email. He'd fix those too, right?

Wrong.

Three more emails, sent on the 11th, 13th and 15th of February went unanswered - as did the second round of tickets raised inside the 2222mb system:

http://blog.spywareguide.com/upload/2008/02/unanswered-thumb.gif

Two of the above phish pages have since gone offline, but it seems unlikely that I had anything to do with it, given that all the rest are still online and happily phishing away. I thought I'd check out the E-Lab site attached to Tycho's email address - here's where things spiral into madness:

http://blog.spywareguide.com/upload/2008/02/elab1-thumb.gif

Note the "www" at the start of the web address. So far, so good - nothing out of the ordinary. Just a page that talks about helping people "start out" online with regard to technology-based ventures and the like.

However - type in the address minus the "www" and look what happens:

http://blog.spywareguide.com/upload/2008/02/stoopid3-thumb.gif

...you're redirected to a site called "Stoopidsh*t.com" that contains links to numerous "extreme / crazy" videos, and also a number of videos that require you to install Zango to play them (they're the ones with the red "play video" buttons).

Apart from the fact that it's a little odd for a site acting as some kind of provider for web services to redirect to something like that, can you guess who the site is registered to?

fakedata11.GIF

I have no idea what's going on with that whois data, but it looks a little strange, right? S4V 3C5 is merely a postcode - where is the rest of the address?

Actually, that's not the only website connected to Tycho that looks a little odd in a whois search. Take, for example, the whois for a site called "Riddleman.net":

riddleman.gif

....I'm sure you'll agree, that's a pretty strange looking contact address. At any rate, I think we're done poking around the weird and wonderful world of domain registrations. Time to contact Adbrite and let them know anyone going looking for either

a) 2222mb.com information via Google or

b) more information regarding Myspace phish pages on 2222mb.com via Google

is (more often than not) going to see Adbrite pages appear before anything else, usually listing some phishing pages in their own "most trafficked pages" results:

http://blog.spywareguide.com/upload/2008/02/adbritemyspace2222-thumb.gif

Now to me, having your own pages pop up when searching for someone else's phish pages is a form of negative association you could do without - both in terms of not wanting to be associated with such a thing, and also not wanting to be seen to be providing a way to generate money for webhosts that don't seem to be overly speedy with regards removing network abuse.

Surely, when notified about such antics you'd be quick to take action, right? At the very least, you might want to drop the person running your ads a note and suggest that a housecleaning might be in order, lest your account be canceled?

Well, that's what I thought too. However, the emails sent to Adbrite on both the 17th and the 22nd of February have (so far) not had a response from either pr@adbrite.com or support@adbrite.com (note that I only sent Adbrite details of 2222mb.com and the way that requests for phishing pages to be removed were seemingly ignored - they were not sent any additional information regarding other domains, which although interesting, were irrelevant to the point I wanted to raise with Adbrite).

I would hope that Adbrite will take a second look at this and take appropriate action if needed - 2222mb.com has already gained a form of notoriety on hacking / cracking forums as a good place to host phishing pages. Indeed, look at the results from this search...there are many hacking sites distributing tutorials recommending 2222mb.com for phish hosting.

Take those tutorials and combine them with the experiences I had simply trying to get a handful of phish pages taken offline and you have the makings of a problem that is going to grow and grow unless something is done about it.

The question is, is anybody listening and do they actually care?

[7:10:30 AM] Paperghost says: Hey, did you get a chance to look at that thing I found yesterday?

[7:10:39 AM] Peter Jayaraj says: Yep, it's an interesting collection of applications...let me explain
[7:13:50 AM] Peter Jayaraj says: The List Master - this is used to breakup the Emails...
[7:14:05 AM] Peter Jayaraj says: if you have 10,000 emails to crack.. you can split up 5K at a time..
[7:14:16 AM] Peter Jayaraj says: you can extract email Ids based on keyword.

[7:14:31 AM] Paperghost says: Nice. Fill me in on the other ones

[7:15:22 AM] Peter Jayaraj says: List Processor - this is used to clear blank lines in the file.

[7:16:45 AM] Peter Jayaraj says: Myspacefriendfinder is used to find friends on Myspace using keywords.

[7:18:07 AM] Peter Jayaraj says: "OnceIsEnough" is used to remove the duplicates.

[7:18:16 AM] Paperghost says: And at that point, you roll out Myspace Demon and go crack some Myspace accounts?

[7:18:32 AM] Peter Jayaraj says: Yep

[7:19:19 AM] Peter Jayaraj says: So all these apps can be used together effectively.

[7:19:35 AM] Paperghost says: Very effectively, from the looks of it...!

It's really not a great idea to fill up Phish pages with fake data, but I couldn't help laughing when I saw this missive at the bottom of one particular password drop:

myspacephishmessage.jpg

Every now and again, I see something interesting pop up on Myspace and decide to take a closer look - as you might have guessed, this is one of those occasions. There I was, trawling through some Myspace groups when I happened to see this....

emlspm00.jpg

Check out the site from 2006 courtesy of Internet Archive - it's fair to say these guys could do with a few pointers on interior decor:

http://blog.spywareguide.com/upload/2008/01/emlspm000-thumb.jpg

...if someone asked a toy company to design a hacking site, that might be what they'd come up with. I guess they realised this too, because if you go there now...

http://blog.spywareguide.com/upload/2008/01/emlspm0000-thumb.jpg

Ooh, scary! Shall we take a look around their "Hackyard"? As you might have guessed, there's not a lot here that would fall under the banner of "ethical hacking", despite their claims on the frontpage. Inside are a collection of (frankly awful) forums, news articles and some other bits and pieces that fail to attract any attention. However...

emlspm101.jpg

"MSN / Hotmail hacking page"? Nice. Click the link, and you're given a number of options to choose from:

http://blog.spywareguide.com/upload/2008/01/emlspm0-thumb.jpg

Hotmail, Yahoo, Myspace, Orkut, hi5 and Facebook are all listed. Select your chosen target, and you'll be presented with a custom-built drop down menu:

emlspm10.jpg

Select the "E-Card" of your choice, enter the Email address of your victim then hit generate - you'll be presented with auto-generated text for your email:

http://blog.spywareguide.com/upload/2008/01/emlspm2-thumb.jpg

At this point, cut and paste the text into your own mail, send it to your target and wait. Depending on the service you chose to "attack", the recipient might see something like the above, or something like this:

emlspm4.jpg

When they click the link, the target is redirected to another domain - of course, they'll be presented with something relevant to the service you're trying to "hack":

http://blog.spywareguide.com/upload/2008/01/emlspm3-thumb.jpg

Phish pages ahoy! They have a number of these all sitting on the same domain:

http://blog.spywareguide.com/upload/2008/01/emlspm6-thumb.jpg

Here's a fake Hotmail login:

http://blog.spywareguide.com/upload/2008/01/emlspm20-thumb.jpg

...and a fake Myspace:

http://blog.spywareguide.com/upload/2008/01/emlspm22-thumb.jpg

The good news is, the domain is flagged as a known Phish host when visiting in Internet Explorer:

http://blog.spywareguide.com/upload/2008/01/emlspm23-thumb.jpg

But wait, I hear you say. How do you get your hands on the phished user details? Well, here comes the clever part. The stolen login details are handily posted to the top of your login screen on Hothackerclub.com:

http://blog.spywareguide.com/upload/2008/01/emlspm11117-thumb.jpg

Note that it tells you numerous pieces of information including number of accounts stolen, the date you did it and the type of service account compromised so the budding hacker can keep a nice running total of their exploits.

So, who runs these sites? Well, Hothackerclub.com is anonymous - however, it looks like someone slipped up with regards the registration for the site hosting the phish pages:

"Registrant:
Digital Studio
47-Tufail Road Cantt Lahore
Lahore, Other 54000
PK

Domain name: GREETING4LL.COM

Administrative Contact:
Sulahria, Muhammad Yousaf yousaf2k@gmail.com
47-Tufail Road Cantt Lahore
Lahore, Other 54000
PK
+92.3334112402 Fax: +92.3334112402"

Of course, "Muhammad Yousaf" is the individual who first posted to Myspace.

Be wary of anything Emailed to you that requires you to login to any of the sites mentioned above - if in doubt, right click the live link in the Email and check what domain it points to. Otherwise, you might end up on a hacker's rapidly growing trophy list...
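As an added example (not code from the original post), here is the "check what domain the link actually points to" advice applied to an HTML e-mail body: it parses every link, flags any href whose domain is not one the service legitimately uses, and flags link text that shows one site while the href goes to another. The sample e-card message, the domain cards.example.net and the list of expected Hotmail domains are assumptions constructed for the demo.

```python
"""Audit links in an HTML e-mail for the e-card phish pattern: visible text
claims one site, the href goes to a domain hosting a fake login page.

Added example, not code from the original post. The sample message, the
domain cards.example.net and the expected-domain list are constructed."""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumption for the demo: domains a genuine Hotmail login link may use.
EXPECTED_HOTMAIL_DOMAINS = ["hotmail.com", "live.com", "msn.com"]

# Constructed sample: an "e-card" whose link text claims hotmail.com but
# whose href points at a third-party host, plus a script-scheme link.
SAMPLE_ECARD = """
<p>You have received a greeting card from a friend!</p>
<p>To view it, click
<a href="http://cards.example.net/view.php?id=1234">http://www.hotmail.com/ecards/view</a></p>
<p>Or visit <a href="https://www.hotmail.com/">Hotmail</a> to sign in.</p>
<p><a href="javascript:void(0)">Unsubscribe</a></p>
"""


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> in the body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def http_host(value):
    """Host of an http(s) URL, or of bare text that looks like one; else None."""
    parsed = urlparse(value)
    if not parsed.scheme:                      # bare "www.example.com/path"
        parsed = urlparse("http://" + value)
    if parsed.scheme not in ("http", "https"):
        return None
    return parsed.hostname


def registrable_domain(host):
    """Last two labels of a host (simplification: no public suffix list)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def looks_like_url(text):
    """Link text the reader would take for an address rather than a label."""
    return "." in text and " " not in text and len(text) > 3


def audit_links(html, expected_domains):
    """Return one finding per suspicious link; an empty list means every href
    lands on an expected domain and no visible URL disagrees with its href."""
    expected = {d.lower() for d in expected_domains}
    collector = LinkCollector()
    collector.feed(html)
    findings = []
    for href, text in collector.links:
        reasons = []
        target = http_host(href)
        target_dom = registrable_domain(target) if target else None
        if target_dom is None:
            reasons.append("href is not an http(s) link: %r" % href[:40])
        elif target_dom not in expected:
            reasons.append("href points at %s, not an expected domain" % target_dom)
        if looks_like_url(text):
            shown = http_host(text)
            shown_dom = registrable_domain(shown) if shown else None
            if shown_dom and shown_dom != target_dom:
                reasons.append("link text shows %s but href goes to %s"
                               % (shown_dom, target_dom))
        if reasons:
            findings.append({"href": href, "text": text, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in audit_links(SAMPLE_ECARD, EXPECTED_HOTMAIL_DOMAINS):
        print(finding["href"], "->", "; ".join(finding["reasons"]))
```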

A few weeks ago, we covered Spammers running riot on Myspace pushing ringtones and dating profiles. Have you ever wondered how Spammers go about their daily business? If so, you're in luck because it seems likely that we've pieced together the tools (and domains) used for this very wave of fake profiles.

It all started with a domain I'd been looking at for a few days, which touted a "Myspace Directory" containing numerous text files named after various sections on the typical Myspace profile - "Gender", "Interests", "Heroes" and "Movies", to name but a few:

http://blog.spywareguide.com/upload/2008/01/myspacebot2-thumb.jpg

Here's a Birthday file:

myspacebot6.jpg

Here's a list of names:

http://blog.spywareguide.com/upload/2008/01/myspacebot3-thumb.jpg

Here's the name for the spam profile itself:

myspacebot19.jpg

And, more tellingly, here's an image file - the profile picture for the spam account:

myspacebot5.jpg

Look familiar?

It doesn't take long to figure out that these different text files are values the Spammers use to populate their fake profiles. But how do they get that data into the fake profiles in the first place?

It all begins with a domain that (for some unknown reason) was left with the Spamming tools sitting on the frontpage of the site:

myspacebot1.jpg

Thanks to a tip from my pal LoLo, I was able to grab the files and take a look inside. The domain hosting these files changes its content on a regular basis. Sometimes it serves you geotargeted adverts, other times it'll hand you an ad for a dating page (the picture of the girl with the laptop has been used on the majority of more recent spam that appears to come from the same group):

http://blog.spywareguide.com/upload/2008/01/myspacebot7-thumb.jpg

And (thanks to the magic of Google cache) we can even see the domain hosting a fake Myspace page:

http://blog.spywareguide.com/upload/2008/01/myspacebot8-thumb.jpg

The example above is overlaid with a redirect that takes you to more targeted adverts. For what it's worth, this particular kind of spam profile has been on Myspace since at least June 2007.

If we take a look inside the first zipfile, we see the following collection of files and folders:

http://blog.spywareguide.com/upload/2008/01/myspacebot11-thumb.jpg

Exploring those folders a little deeper (and faced with numerous .cs files), renaming some of them to .txt files....

myspacebot16.jpg

....allows you to take a peek inside:

myspacebot17.jpg

Once again, we see references to the most common categories on a Myspace profile. As you're about to see, this is hardly a coincidence. From the second zipfile:

myspacebot12.jpg

"Myspace program.exe"? Shall we take a look inside the program before we fire it up?

http://blog.spywareguide.com/upload/2008/01/myspacebot13-thumb.jpg

Well, would you look at that. Not only is the domain with the "Myspace" folder referenced in the code, but (more importantly) all of the individual .txt files that relate to "Birthday", "Books", "Movies", "Interests", "Heroes"....they're all there. Shall we put it all together?

myspacebot15.jpg

This is the tool that apparently makes it all happen. Note the entry box in the bottom right corner - from what we can gather, you enter the profile name you'd like for your Spam profile and hit Start - at which point, it checks out the information provided in the .txt files sitting on the domain, before attempting to contact another part of that website that allows it to create the spam profile on Myspace. At time of writing, the program doesn't seem to work due to a page missing on the domain hosting the spam profile information. Of course, they could bring the page back at any time, but for now, Myspace seems like it may be spared from more fake profiles selling ringtones, dating ads and free iPods.

For a couple of minutes, at least....
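Added example, not the post's code or the spammer's tool: the detection side of the templated profiles described above. Because the generator fills Birthday, Interests, Heroes, Movies and the picture from a small pool of canned values, profiles in a batch that share exact field values (and one picture) stand out against hand-written ones; the batch below is constructed, and the picture hashes are placeholders.

```python
"""Flag profiles assembled from a fixed pool of field values, the pattern a
generator leaves when it fills Birthday, Interests, Heroes, Movies and the
profile picture from text files rather than from a person typing.

Added example, not code from the original post or from the tool it shows.
The batch below is constructed; picture_sha1 values are placeholders."""
from collections import Counter

# Free-text fields a genuine user writes by hand. Gender is deliberately not
# scored: its natural vocabulary is tiny, so reuse there means nothing.
SCORED_FIELDS = ("name", "birthday", "interests", "heroes", "movies", "picture_sha1")


def profile(pid, name, gender, birthday, interests, heroes, movies, pic):
    return dict(id=pid, name=name, gender=gender, birthday=birthday,
                interests=interests, heroes=heroes, movies=movies, picture_sha1=pic)


CONSTRUCTED_BATCH = [
    # four profiles drawn from the same small value pools and one picture
    profile("bot1", "Ashley", "Female", "04/12/1985", "shopping, music, going out",
            "my mom", "The Notebook", "placeholder-pic-aaaa"),
    profile("bot2", "Jessica", "Female", "09/23/1986", "shopping, music, going out",
            "my mom", "Mean Girls", "placeholder-pic-aaaa"),
    profile("bot3", "Ashley", "Female", "04/12/1985", "hanging out with friends",
            "my mom", "The Notebook", "placeholder-pic-aaaa"),
    profile("bot4", "Brittany", "Female", "09/23/1986", "hanging out with friends",
            "my dad", "Mean Girls", "placeholder-pic-aaaa"),
    # two genuine users with hand-written, unique values
    profile("user1", "Marta K.", "Female", "11/02/1979", "urban beekeeping, 35mm film",
            "Rosalind Franklin", "Stalker, Brazil", "placeholder-pic-bbbb"),
    profile("user2", "Dev", "Male", "06/30/1990", "bass guitar and Go",
            "my grandfather, Ken Thompson", "Primer", "placeholder-pic-cccc"),
]


def value_counts(profiles):
    """How often each exact value occurs per scored field across the batch."""
    return {f: Counter(p[f] for p in profiles) for f in SCORED_FIELDS}


def vocabulary_collapse(profiles):
    """Per field: distinct values / profiles. Near 1.0 is normal for free text;
    a low ratio means the batch is drawing on a small pool of canned values."""
    counts = value_counts(profiles)
    return {f: len(counts[f]) / len(profiles) for f in SCORED_FIELDS}


def template_score(prof, counts):
    """Share of scored fields whose exact value also appears in another profile."""
    reused = sum(1 for f in SCORED_FIELDS if counts[f][prof[f]] > 1)
    return reused / len(SCORED_FIELDS)


def flag_templated(profiles, threshold=0.5):
    """Return (id, score) for profiles that reuse canned values beyond the
    threshold or share their picture with another profile in the batch."""
    counts = value_counts(profiles)
    flagged = []
    for prof in profiles:
        score = template_score(prof, counts)
        shared_picture = counts["picture_sha1"][prof["picture_sha1"]] > 1
        if score >= threshold or shared_picture:
            flagged.append((prof["id"], round(score, 2)))
    return flagged


if __name__ == "__main__":
    for field, ratio in vocabulary_collapse(CONSTRUCTED_BATCH).items():
        print("%-13s distinct/total = %.2f" % (field, ratio))
    for pid, score in flag_templated(CONSTRUCTED_BATCH):
        print("flagged", pid, "template score", score)
```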

Research Summary Write-Up: Chris Boyd, Director of Malware Research
Technical Research: Chris Mannon, FSL Senior Threat Researcher

If you happen to be a musician on Myspace, you'd have seen the following update from Tom yesterday:

newmspacehck2.jpg

"we have been working on a new feature that allows bands with over 10,000 friends to automatically approve friend requests to save you some time."

Myspace just made it a walk in the park for Spammers to plaster the most popular pages on Myspace with pill adverts, dubious redirects, porn spam....whatever they feel like. Previously you had to be a friend (added manually) to leave a comment on someone's page:

newmspacehck4.jpg

Not anymore!

Remember the Myspace band hacks from a while ago? These are still taking place, with what looks like a few new malicious domains thrown into the mix (thanks to JetKing for the tip):

http://blog.spywareguide.com/upload/2008/01/newmspacehck1-thumb.jpg

Note the ".cn" domain in the bottom left hand corner. This will of course redirect you to a fake media codec install:

http://blog.spywareguide.com/upload/2008/01/newmspacehck3-thumb.jpg

Considering band pages are a huge target for Myspace hackers at the moment, this new policy - effectively a green light to as much profile spam as you can handle - allows links to this kind of redirect to be pasted all over music profiles with no need for the page owner to approve anything first.

Has this move been brought about by people working on behalf of the most popular artists complaining about the amount of friend requests they have to manually approve? Possible, given the content of a Bulletin sent out by a band (and passed onto me by a contact who received it):

"Title : THERE IS A GOD!!!!!!!!!

In case you're wondering why I posted this, dear **** band's fans, adding 250-300+ people EVERY SINGLE DAY FOR THE PAST 4 YEARS, hasn't been my idea of a good time. So MySpace has FINALLY listened to the bands moans, mine included! I sent them an email about this late last year and by god, they listened!"

However, the cost of an automated process like this is to give people with malicious intent permission to post whatever they want, whenever they want - simply by starting the ball rolling with a friend request to anyone with more than 10,000 people on their friends list. Of course, some profiles will have comment moderation enabled - but if the people using the auto-add feature are using it to save time in the first place, why would they bother to wade through hundreds of moderated comments too?

Myspace are having enough problems as it is, recently - why add to them needlessly?

Whenever I see someone post "Hey, check this out" on a Myspace profile I just know it's not going to be good for your general wellbeing. Sure enough...

japanese_myspace0.jpg

....anybody wanting to "check this out" will probably be a bit annoyed once they've clicked the link (made to look like it leads you to a video). Why? Oh, I don't know....

japanese_myspace1.jpg

Whoops. Shall we have a look at my all new login screen, courtesy of a mischievous IFRAME?

http://blog.spywareguide.com/upload/2008/01/japanese_myspace2-thumb.jpg

If you're hit by this, don't panic - simply scroll down to the bottom of the page and click the word "International" in the bottom right-hand corner:

japanese_myspace3.jpg

From there, it's just a case of setting the right geographical location for your homepage:

http://blog.spywareguide.com/upload/2008/01/japanese_myspace4-thumb.jpg

Everything should be back to normal once you've done this.

An MSN Worm appears to be in the wild which retains some of the functionality of a worm mentioned here, but with some additional features (such as sending spam, for example).

Initially, it sends the victim a message regarding Myspace (in our testing, this was the only message it sent, unlike the worm linked above which had numerous options to choose from):

http://blog.spywareguide.com/upload/2008/01/dumb_in_picture_msn1-thumb.jpg

Before you know it, you'll be sending lots and lots of spam - I hope your friends are looking for high quality luxury watches:

http://blog.spywareguide.com/upload/2008/01/dumb_in_picture_msn2-thumb.jpg

Finally, the payload drops a file onto the computer that attempts to execute remote code - it seems they're attempting to exploit victims with this.

Here's the (randomly named) file in question that causes this, deposited into your System32 Directory:

http://blog.spywareguide.com/upload/2008/01/dumb_in_picture_msn3-thumb.jpg

We detect this as MN.Spooler.

Research Summary Write-Up: Chris Boyd, Director of Malware Research
Technical Research: Chris Mannon, FSL Senior Threat Researcher

2008: What Does The Year Hold?


I know it's customary to simply rattle off a "top 10 list" of bullet points related to possible security predictions further along in the year, but I thought I'd rather go into a little more detail with this one. As such, my bullet points are few, but my concerns are many.

What does the year hold? Lots and lots of problems for Myspace, from the looks of it. Don't forget the other Social Networking sites (such as Facebook and Orkut) too. Of course, claiming there will be issues for these sites is perhaps to state the completely and utterly obvious, but we're barely a week into the new year and already we have:

* Fake "friend adds" from someone posing as "Myspace Tom" trying to sell you ringtones;

* Zango in the news regarding an application on Facebook apparently designed to push popup adverts;

* Sites that provide services for Myspace in the line of fire too.

However you look at it, Social Networking is currently where all the action is, and - in the same way that some of the biggest security stories of 2007 were web 2.0 escapades, expect a lot more of the same this year. Although Facebook and Orkut have experienced a surge in recent months with regard malicious (and supposedly "non malicious") attacks, Myspace will clearly remain the breeding ground for new techniques and attacks launched upon end-users.

Myspace shows no indication of locking down the functionality on end-users' pages that makes it easy for bad guys to cause trouble, and while the ability to post videos, music and custom backgrounds to your page is appreciated, the problems and security issues these same "bonus features" create are not so welcome.

If there is a major security breach involving Myspace, will they even be able to react in time given the responses I was met with when trying to warn them of an issue recently?

Sadly, it seems like a distant prospect at this point.

Instant Messaging attacks fell under the radar a little bit with regards major breaking stories in 2007, but it's worth remembering that these hijacks are still out there in full force, even if we are all currently dazzled by the slow motion trainwreck that is the world of social networking.

Expect Skype Worms to become more and more commonplace - in fact, these attacks may drop under the radar more than any other, due to the constantly reused infection files by the bad guys. The first part of 2007 brought a flurry of news reports as we discovered a network jumping Skype Worm - however, the current attack of choice continues to be reworked Warezov variants, and this can only mean one thing - lack of coverage and a general sense of "looking for something more interesting" as we all grow tired of Warezov variant number 600,308 rumbling across the Skype network.

Of course, these attacks will still continue to be successful, whether we continue to read about them or not.

With that in mind, it's time to make a few small predictions for the older IM networks - well, one, actually. Expect more custom built infections for geographical areas you wouldn't have previously expected to be exploited. The Singworm (targeting MSN users in the Singapore region) springs to mind. As researchers grow tired of seeing the same old hijacks time after time and start to explore what's lurking in other regions, we'll start to read about new and interesting attacks from further afield. In some ways, that's already happened with regards the area of Adware - as the "old guard" of companies such as Zango, Direct Revenue and DollarRevenue either go out of business or reform, researchers have started to look at the "next generation" of Adware coming out of China.

Sadly, there will be more than enough for us to get to grips with. Indeed, we might start pining for the more straightforward threat landscape we knew and understood as we spend the year being battered by sales pitches in Chinese, EULAs in Korean and hacking forums written in Malay.

Myspace: What Happened Here?


Last week, I heard rumblings of an "interesting" screenshot doing the rounds on a few forums, but I had no clue where to look for it. Then someone anonymously popped up on MSN - as they quite often do - and sent me a link to the screenshot in question.

As you might have guessed, the screenshot involved Myspace. What's worrying here is what the contents of the screenshot could mean, and the less than amazing response I've had back from Myspace. See, let me say this right away - whenever you trawl through the super secret security mailing lists, backroom areas on forums etc - there's always one question that keeps popping up, and it almost always draws a blank.

"Anyone got a contact for Myspace?"

Most of the time, nobody ever does. For all intents and purposes, their security team - whoever they are - might as well reside in another Galaxy. So when a screenshot containing what looked like a pile of sensitive data related to Myspace came my way, my eyes started to roll and didn't stop for three whole days.

Now, I had no clue what I was looking at but it didn't sound very good given that this was supposedly popping up on various underground forums. Some of the items from the screenshot included:

"Domain Account Administrator, Myspace"

"CSR-Tools"

"Account: Retail"

"Billing Information".

These are just some of the items contained in the screenshot. Besides that, there's a number of domains seemingly connected to Myspace down the left hand side and a bunch of contact information (Emails, names, addresses, User ID numbers) in the main portion of the page.

Has someone wandered into the main admin panel for Myspace? Is this something to do with a storefront related to the site? Is it something else entirely? Who knows, but you can probably guess what happened when I attempted to draw attention to this. I mailed them using their autoform last week - no reply.

I tried again this week, and this is what I sent them:

hello, my name is chris boyd, director of malware research
for facetime security labs. This is the second time I have
sent this through, with no reply so far. A few days ago,
someone pointed me in the direction of a screenshot a few
people had heard about (screenie URL goes here).

The screenshot appears to indicate your main CSR account
tools system was compromised in some way - can you confirm
what has happened here? I will be writing about this later
on today on my blog and would prefer to have the full
details as to the extent of what has (or has not!) happened here.

Thanks,
Chris

Can you guess what I got back?

Hello,

Below is a pretty comprehensive overview on blogs presented in an FAQ format. It should answer all the questions you have about blogs.

Q: What is a blog?

A: A 'blog' is an online journal. Blog is short for Weblog. In recent years, 'blogging' or posting an online journal has become very popular.

.....yes, thanks for the handy blogging tips(!)

I mailed them right back and this time, I was supposed to be given an answer by an actual person. As it turns out, the auto reply above made more sense than what I was handed back. I sent them the same Email above - this is what I got (bold emphasis added by me):

Hello,

Most errors are cleared up in a matter of minutes so try to access the page again in a minute or so. If it's a significant problem, we're probably already aware of it and are currently working to resolve it. Please be patient.

......wha? Thanks for advising me to try accessing your potentially compromised system again in a few minutes, but that doesn't really solve anything, does it?

I've resent yet again with a little note asking if anyone there actually bothers to read anything they're sent, but I'm not getting my hopes up. I'd like to think the above screenshot doesn't represent anything serious, but would someone bother posting something like that to websites if they didn't think it was a big deal in the first place? I mean, call me paranoid, but I'm not entirely certain I want to be anywhere near a Myspace page at the moment. Is it safe? Is it compromised? Nothing to worry about? Being taken care of? Who knows?

Little help, Myspace?

/ Addendum - I just received the latest reply to my efforts to draw attention to this, and it's the best one yet.

I sent Myspace this:

"Is anyone there actually reading what I'm sending you? I'm telling you that you appear to have been compromised, potentially quite badly. And you're sending me another reply that doesn't help and tells me to "try to access the page again in a minute or so"?! I guess that would be useful if I was the one doing the compromising, but this isn't really much use to me, is it?

Let me repost my message for a third time"

This is what I got back:


"Hello,

We do not offer that option as it is not available within MySpace."

....I think my brain hurts.

Looks like the Myspace spammers impersonating "Myspace Tom" have realised that calling their ringtone spamming profiles "Tom Anderson" is the quickest way to have their fake profiles deleted.

With that in mind, they decided to change the names given to the profiles.

Unfortunately for them, they kind of messed it up.....

fake_tom_girl.jpg

Myspace Tom Selling Ringtones?


.....nope.

fake_tom_ringtone22.jpg

As you might have guessed, these profiles that are suddenly springing up all over Myspace are 100% fake. It seems Myspace are aware of these, and are taking actions to have them deleted.

Hear some of my thoughts on the recent spate of Myspace hacks here (direct download), courtesy of SCMagazine.

Too Much, Too Soon?


There's a lot of new social networking sites out there nowadays, with new ones popping up all the time. Not so long ago, Zubby.com was launched with the following message from founder Randy Zlobec:

"Although it's obviously a great success, I think the problem with MySpace is the amount of advertising it has given itself over to," Zlobec states when asked why he started Zubby.com. "Many of my friends have a MySpace account and the one thing we all agree on is the frustration of logging on to find out you have 30 new messages from people you don't know, trying to sell you a magic pill or similar! Also, there are all the adverts that take up all your page space, not to mention the amount of times accounts have been hacked. With Zubby, we aim to change all that and more."

As I was one of the first people to register there, I've seen emails get fired out regarding what's going on in the network, and it seems that as time goes by, Zubby has to sadly face facts - eventually, all the problems that plagued someone else come and plague you, too.

Here's a mail from the 27th of November:

http://blog.spywareguide.com/upload/2007/12/27th-november-thumb.jpg

....a simple warning about placement of adverts. And then, a few days later, another message entitled "First member banned from Zubby.com":

http://blog.spywareguide.com/upload/2007/12/30th-november-thumb.jpg

...does this sound like a miniaturized version of Myspace yet? Then, on the Second of December, we have a mini spam invasion on the network:

http://blog.spywareguide.com/upload/2007/12/2nd-december-thumb.jpg

....it doesn't take long for the bad guys to start exploiting the system, does it? Eventually, it really is a case of too much, too soon, and on the 11th of December it turns out they hadn't anticipated exactly how many people were going to register on the site:

http://blog.spywareguide.com/upload/2007/12/11th-december-thumb.jpg

Whoops.

I'm already starting to sink in an ocean of "30 messages from people I don't know", and friend invites from people called "Cash" and "UProfit" who have profiles like this:

http://blog.spywareguide.com/upload/2007/12/cashcrate-thumb.jpg

....with not a lot else on them but gigantic pictures of cheques and endless promises regarding how much money you're going to make.

It seems the sad reality is that for anyone running a social networking site, any and all attempts to avoid incidents such as the above are totally, and utterly, doomed to failure. Am I being too negative here? Or is that a fair assessment of these sites?

I couldn't imagine a crazier way to get yourself some attention from the hacking crew you want to join than taking out one of the biggest "phenomenons" on Myspace then following it up with the Hilary Duff music page, but there you go. The page content doesn't appear to have had anything malicious placed on it, but the individual behind the hacks couldn't resist sending out a few bulletins.

tila_1.jpg

Here's a few versions of the hacked page:

http://blog.spywareguide.com/upload/2007/12/tila_2-thumb.jpg

Note that Tila is extremely popular on Myspace, and has 241,4669 friends. In fact, she's one of the top three music profiles on all of Myspace:

http://blog.spywareguide.com/upload/2007/12/tila_most_popular-thumb.jpg

If the hacker had placed something malicious on the page......Houston, we'd have a problem.

Finally, the motivation behind the attack is revealed:

http://blog.spywareguide.com/upload/2007/12/tila_3-thumb.jpg

Check out the text at the bottom of the screen:

"Well my names Tesla I like to hack I think Tilas a hottie and uh I wanna join team Kryogeniks!"

Sadly for Tesla, I don't think he'll be getting a membership card through the door anytime soon, because if we jump over to the Kryogeniks website (handily provided for us via the content of the bulletin sent out from the hacked Hilary Duff account):

tila_4.jpg

....we find that Tesla might not be the flavour of the month on the Kryogeniks board:

http://blog.spywareguide.com/upload/2007/12/tila_5-thumb.jpg

I'm sure he didn't include getting their forum canceled in his plan for Internet stardom, but oh well. Shall we take a look around and see what we can find? Let's start with a cached version of their forum:

http://blog.spywareguide.com/upload/2007/12/kyro1-thumb.jpg

In all honesty, there's not a lot there - a few mentions of "phish pages needed" and the usual cracks / hacks. Let's keep looking - wait, do we have something on Digg.com? Sure looks that way:

kyro2.jpg

"Seems to have been hacked"? I'd be more impressed, if the user who submitted the story didn't share his username with the site being given shout-outs in the bulletin. Sigh. Nothing like a little self publicity, I guess. Turning our attention back to Tesla, we can see he's a noob on their forum:

http://blog.spywareguide.com/upload/2007/12/kyro4-thumb.jpg

...but other than that, not a lot is known about him at this point.

Addendum - We've just discovered that Justin Timberlake had his page compromised in the same way by Tesla.

I'll update this blog entry with more information as it comes in...

You probably saw some of the coverage of the recent hijacking of musician pages on Myspace. What you probably didn't see, was evidence of the end-users who were unfortunate enough to have their systems taken over as a result of the hacked band pages. Certainly, a few reports claimed that something like "40,000" people were infected as a result of viewing the Alicia Keys Myspace page at the time that it was hacked. The only problem is, nobody seemed to be able to produce one of these individuals. While I don't believe that many users became infected purely from the Alicia Keys page, it's obvious that there would be people out there with a story to tell.

Well, a few days ago, one of the end-users who clicked the overlay on a hijacked page (which would redirect you to malware and fake codecs) got in touch, and agreed to let me use the following extract to serve as a warning to anyone clicking on a Myspace page. Obviously, names and personally identifiable information have been removed.....

"To Chris Boyd:

I believe I was a victim of the recent software attacks on MySpace. I have read that you first blogged about it, but haven't heard of any solutions as to what can be done for online visitors who have visited the site, and whose computers have been compromised. I had ********** Cable install high-speed internet, and got online the same day. I did get on the Alicia Keys website, along with other websites, and the following day, my computer is showing me a red screen telling me that my "privacy is in danger." A pop-up window appears from time to time. It says...WINDOWS SECURITY ALERT...Someone is trying to hack into your system....download such and such now, etc. Downloading more stuff is actually something that I don't want to do.

I have contacted the company, and all they told me was to go to a computer technician and clean my software. I should mention that I had McAfee and Norton Antivirus, but both expired in May 2007. I had dial-up before and never had this problem, even with the virus protection programs expired. I guess the only solution now is to get my computer cleaned up, and buy a software that will protect me from future problems. Hope Best Buy has the right stuff! Since it's high-speed, does that mean we're open to hackers? Do you know how online visitors can be compensated for the recent attacks on the website?"

Well, for what it's worth, you'd have had the same problem if you'd visited the page and been hijacked, regardless of whether you were on dial-up or high-speed broadband. As to whether or not you're "open to hackers", it depends what was installed during the hijack. Though there were some reports of rootkits flying around the press when this story was in the news, all we saw installed was the fake codec (which is usually responsible for downloading and installing the rogue antispyware cleaner currently giving you all those "alerts"). However, the payload was known to change from time to time, so without seeing the individual PC it's hard to say. The good news is, most reputable security cleaning tools remove many, many variants of these fake codecs, and also the rogue antispyware tools they push onto hijacked PCs. The method used to hijack the computers in this attack was much more interesting and up to date than the actual malware being foisted onto the target PC, which (when compared to some of the hijacks out there) was fairly middle-of-the-road and not a huge threat.

As for being "compensated", sadly I don't think you'll get very far. Your best bet is to keep your security tools updated, try running in Limited User Mode if you're just doing general web browsing and keep Windows patched as much as possible.

Meanwhile, hacked pages are still out there and still redirect to the hijack sites at the heart of this attack, so anybody visiting a music page on Myspace needs to ensure everything they click on is legitimate. On a related note, I'd love to hear from anyone else out there that's been hijacked by the above scam...

Bandjammer Trojan installs Multiple Rogue Applications

...and that's probably an understatement. Many of you are familiar with the BandJammer Trojan that has been making its way around the media. For those who have not been following the story: here you go.

If you are one of the unlucky fans of Jetking who accidentally clicked the hijacked link to the Trojan, then you are probably having one heck of a time trying to get your PC back to normal. The BandJammer Trojan originally links to a couple of Chinese sites in order to download a file called install_cn.exe. It then installs an older version of Smitfraud via the command line.

http://blog.spywareguide.com/upload/2007/11/cmd-thumb.PNG
The first file runs a second file, which installs a dated version of Smitfraud.

Users can recognize this version of Smitfraud from the following entries:

MSVPS System - {93205C3F-1221-43F4-847F-007C6A4CE9A5} - C:\WINDOWS\advrepgpd.dll
The sdrmod - {BA79EE59-166F-4E9E-90A6-56489C45B48A} - C:\WINDOWS\sdrmod.dll

The files below are also added as ShellServiceObjectDelayLoad entries (objects listed under this key are loaded automatically when the shell starts, alongside other services):
hupsrv - {33AEF198-6E36-4C80-9DB2-7EE99DB25122} - C:\WINDOWS\hupsrv.dll
bindmod - {3C82EBC1-C4BA-44EE-B21E-ACC91F46D2E8} - C:\WINDOWS\bindmod.dll
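As an added example (not code from the post or from FaceTime), here is a small parser for listing lines in the form shown above, "name - {CLSID} - path", which checks each parsed entry against the four CLSIDs quoted in the post and keeps the hits. The benign SysTray line in the constructed sample and the "DLL sitting directly in C:\WINDOWS" heuristic are my own assumptions, not indicators from the post.

```python
"""Parse HijackThis-style listing lines of the form
   <name> - {<CLSID>} - <path>
and flag the entries the post above associates with this Smitfraud drop.
Added example; the benign sample line and the C:\\WINDOWS heuristic are assumptions."""
import re
from dataclasses import dataclass

LINE_RE = re.compile(
    r"^(?P<name>.+?)\s+-\s+\{(?P<clsid>[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12})\}"
    r"\s+-\s+(?P<path>.+?)\s*$"
)

# Indicators quoted in the post (CLSID -> dropped DLL). Keys are upper-case.
KNOWN_BAD = {
    "93205C3F-1221-43F4-847F-007C6A4CE9A5": "advrepgpd.dll (MSVPS System)",
    "BA79EE59-166F-4E9E-90A6-56489C45B48A": "sdrmod.dll",
    "33AEF198-6E36-4C80-9DB2-7EE99DB25122": "hupsrv.dll (ShellServiceObjectDelayLoad)",
    "3C82EBC1-C4BA-44EE-B21E-ACC91F46D2E8": "bindmod.dll (ShellServiceObjectDelayLoad)",
}


@dataclass
class Entry:
    name: str
    clsid: str
    path: str


def parse_line(line):
    """Return an Entry for a well-formed listing line, or None for anything else."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return Entry(m.group("name"), m.group("clsid").upper(), m.group("path"))


def classify(entry):
    """Return the reasons an entry is suspicious; an empty list means no finding."""
    reasons = []
    if entry.clsid in KNOWN_BAD:
        reasons.append("matches indicator: " + KNOWN_BAD[entry.clsid])
    # Heuristic (assumption, not from the post): shell objects and BHOs normally
    # live under system32 or Program Files, so a DLL sitting directly in
    # C:\WINDOWS deserves a second look even when its CLSID is unknown.
    if re.fullmatch(r"c:\\windows\\[^\\]+\.dll", entry.path.lower()):
        reasons.append("DLL loaded straight from C:\\WINDOWS")
    return reasons


def scan(lines):
    """Run every parseable line through classify() and keep the hits."""
    findings = []
    for line in lines:
        entry = parse_line(line)
        if entry is not None:
            reasons = classify(entry)
            if reasons:
                findings.append((entry, reasons))
    return findings


# Constructed sample: the four entries quoted in the post plus one benign
# Windows XP ShellServiceObjectDelayLoad entry (SysTray) for contrast.
SAMPLE_LISTING = [
    "MSVPS System - {93205C3F-1221-43F4-847F-007C6A4CE9A5} - C:\\WINDOWS\\advrepgpd.dll",
    "The sdrmod - {BA79EE59-166F-4E9E-90A6-56489C45B48A} - C:\\WINDOWS\\sdrmod.dll",
    "hupsrv - {33AEF198-6E36-4C80-9DB2-7EE99DB25122} - C:\\WINDOWS\\hupsrv.dll",
    "bindmod - {3C82EBC1-C4BA-44EE-B21E-ACC91F46D2E8} - C:\\WINDOWS\\bindmod.dll",
    "SysTray - {35CEC8A3-2BE6-11D2-8773-92E220524153} - C:\\WINDOWS\\system32\\stobject.dll",
    "this line is not a listing entry",
]

if __name__ == "__main__":
    for entry, reasons in scan(SAMPLE_LISTING):
        print(f"{entry.name:14} {entry.clsid}  {entry.path}")
        for r in reasons:
            print("    -", r)
```

Run against a saved listing, the script reports only the four Smitfraud entries; the SysTray line parses cleanly but produces no finding because its CLSID is unknown and it loads from system32.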

What is the purpose of this? Well why type when I can just show a screenshot.

http://blog.spywareguide.com/upload/2007/11/lol-thumb.PNG
This confused-looking website shows us all the fabulous new rogue antispyware applications we are about to be bombarded with.

Here are just a few of the fake alerts users will see:

http://blog.spywareguide.com/upload/2007/11/contentsurf-thumb.PNG
ConfidentSurf!

http://blog.spywareguide.com/upload/2007/11/alert-thumb.PNG
http://blog.spywareguide.com/upload/2007/11/adwareremover-thumb.PNG
http://blog.spywareguide.com/upload/2007/11/REBOOT%20now-thumb.PNG
AdwareRemover2007!

http://blog.spywareguide.com/upload/2007/11/advancedcleaner-thumb.PNG
Advancedcleaner!

Do not bother trying to close any of these. In most cases the blatant fake alerts take you to their site for you to install or buy the application, or they simply create non-closeable ads and force you to install them.

These kinds of attacks are becoming more and more frequent. Take the article that Paperghost wrote involving Skype worm spammers for example. Rogue antispyware applications are everywhere now and they show no sign of trending down. Your best defense against these attacks is to simply mind your clicks.

The last few days, we've noticed a number of Myspace profiles hacked. Nothing unusual there, you might think - however, this approach is somewhat different.

Why?

Because the attackers only seem to be hacking the pages of various rock bands, overlaying them with a huge "background image" that covers a sizable chunk of the page then either tries to redirect you to fake Media Codec installs, or (as far as we can tell from the messages being posted on some Myspace Bulletins) Phishes your Myspace login details. Check this out:

http://blog.spywareguide.com/upload/2007/10/myphish1-thumb.jpg

It's a page for a band called "A New Dawn" - notice at the bottom of the screen, there's a .cn URL - that's where all the action takes place. From there, the attack seems to rotate between exploits, fake Media Codec installs and apparent phish attempts. Shall we look at the code?

myphish2.jpg

Note the "background image" is a URL. This isn't the only band to have been hit by this:
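The check a profile-hosting site or a filtering proxy could run for the pattern just described, as an added example that is not from the original post or from FaceTime: scan the profile markup for background images fetched from hosts outside the site's own domains, and for absolutely positioned links that lead off-site. The trusted host list and the sample profile HTML are assumptions made for the example; the real MySpace markup is only shown on the page as a screenshot.

```python
"""Flag profile markup whose background image, or a positioned overlay link,
points at a host outside the profile site's own domains.
Added example; TRUSTED_HOSTS and SAMPLE_PROFILE are assumptions."""
import re
from urllib.parse import urlparse

# Assumption for the example: hosts a profile is allowed to pull images from.
TRUSTED_HOSTS = {"myspace.com", "myspacecdn.com"}

# url(...) inside a background or background-image declaration, whether in a
# <style> block or an inline style attribute.
CSS_URL_RE = re.compile(
    r"""background(?:-image)?\s*:[^;}]*?url\(\s*['"]?([^'")\s]+)['"]?\s*\)""",
    re.IGNORECASE,
)
# Any <a ...> opening tag, capturing its href.
ANCHOR_RE = re.compile(r"""<a\b[^>]*?href\s*=\s*['"]?([^'"\s>]+)['"]?[^>]*>""", re.IGNORECASE)
# Styling that lets an element sit on top of the rest of the page.
OVERLAY_STYLE_RE = re.compile(r"position\s*:\s*(?:absolute|fixed)", re.IGNORECASE)


def host_of(url):
    """Lower-cased hostname of a URL, or '' for a relative URL."""
    return (urlparse(url).hostname or "").lower()


def is_external(url):
    """True when the host is neither a trusted domain nor a subdomain of one."""
    host = host_of(url)
    if not host:
        return False  # relative URL: stays on the profile site
    return not any(host == t or host.endswith("." + t) for t in TRUSTED_HOSTS)


def scan_profile(html):
    """Return (kind, host, url) tuples for every suspicious reference found."""
    findings = []
    for url in CSS_URL_RE.findall(html):
        if is_external(url):
            findings.append(("external-background-image", host_of(url), url))
    for m in ANCHOR_RE.finditer(html):
        url, tag = m.group(1), m.group(0)
        # A positioned link to another site is the "click the overlay" pattern.
        if is_external(url) and OVERLAY_STYLE_RE.search(tag):
            findings.append(("positioned-external-link", host_of(url), url))
    return findings


# Constructed sample profile: one legitimate CDN background, one external
# background image, one absolutely positioned link off-site, one normal link.
SAMPLE_PROFILE = """
<style>
body { background-image: url(http://cdn.myspacecdn.com/bands/cover.jpg); }
table.overlay { background: #000 url('http://overlay.example.net/bg.jpg') no-repeat; }
</style>
<a href="http://redirect.example.org/go" style="position:absolute;top:0;left:0;width:100%;height:100%"></a>
<a href="http://www.myspace.com/anotherband">Our other page</a>
"""

if __name__ == "__main__":
    for kind, host, url in scan_profile(SAMPLE_PROFILE):
        print(f"{kind:28} {host:24} {url}")
```

The suffix check in is_external matters: a host such as myspace.com.example.net must still be treated as external, so the comparison is against a leading dot plus the trusted domain rather than a plain substring test.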

myphish3.jpg

...and, if we look at some of the comments left on their pages, it's obvious that the attackers aren't too concerned who notices it:

http://blog.spywareguide.com/upload/2007/10/myphish4-thumb.jpg
http://blog.spywareguide.com/upload/2007/10/myphish5-thumb.jpg

If you check out the steps made in a typical hijack, this is what happens on your PC:

5point5.jpg

If you check the source code for the final step of this particular journey, you'll see this:

myphish7.jpg

..from this "movie site" comes - you've guessed it - a fake codec installer:

http://blog.spywareguide.com/upload/2007/10/myphish8-thumb.jpg

Install this, and you're only a few moments away from "security toolbars":

http://blog.spywareguide.com/upload/2007/10/myphish10-thumb.jpg

....desktop wallpaper hijacks, rogue security applications giving dire warnings of infection and who knows what else. More alarmingly, there have been a few people on Myspace claiming that their accounts have been "phished" after clicking into one of these hacked pages - indeed, there are already a number of bulletins floating around regarding this issue:

http://blog.spywareguide.com/upload/2007/10/myphish11-thumb.jpg

...so there we have it. Targeting nothing but Myspace band profiles is an interesting tactic - hack one of the more popular bands, and a steady stream of potential victims will be winging their way to your hijack of choice. As the overlay covers most of the page, it doesn't leave the end-user with much margin for error. For what it's worth, we detect this as BandJammer.

Rock and roll - it'll be the death of you....

Research Summary Write-Up: Chris Boyd, Director of Malware Research
Technical Research: Chris Mannon, FSL Senior Threat Researcher

Normally a piece of spam on Myspace all depends on it pretending to look like something other than what it is. Right? That's just common sense. So I can't tell if the rash of similar spam hits I've had in the last few days is the spammer being honest or just plain bored.

http://blog.spywareguide.com/upload/2007/10/staci_spam-thumb.jpg

Unfriendly On Friendster

It's worth remembering that it's not just social networking sites like Myspace that get all the hacker-style attention. Recently Friendster has had its fair share of wobbles, too.

From about July to August of this year, a virus was doing the rounds called "Saviour of the Seoul", which (at first glance) would likely seem to be a calling card for Korean hackers. Now, because I happened to do my University Dissertation on 20th Century Hong Kong Cinema - don't ask - I can add a little bit more to the thinking behind this, because I know that "Saviour of the Seoul" is a sly reference to a particularly crazy film from the early 90s resurgence of HK Cinema, called - obviously enough - "Saviour of the Soul" (minus the "e"). It makes no sense whatsoever, but it's very pretty. Anyway, for no good reason, our leet hax friends decided to name their virus after this film. If you had this appearing in your profile page code:

savioursoul.jpg

...then you'd have the words "Saviour of the Seoul" sitting in the bottom corner of your profile, quite often while the rest of the page remained blank. The only way to fix your profile at that point would be to scrub everything and start all over again.

There also seemed to be a slightly different version of this attack, where you'd have an image file placed on your profile instead:

savsoul1.jpg

...don't those Smileys look grumpy?

Anyway, over here, we have an apparent redirect to a .za domain. And finally, we have a rash of comments being posted to profiles that seems to say "hello", seemingly mixed in with some choice insults. To date, this final profile attack is still ongoing - we're looking into it, and will report back with any new findings...

Just had a tip off from a contact on Myspace - they were sending a Bulletin to their friends and as soon as they hit the "send" button, they were directed to a System Doctor "scare tactics" page:

http://blog.spywareguide.com/upload/2007/09/myspace_doctor-thumb.jpg

If you see this, ignore the nag screens and click out of the popup loop. It'll take a couple of goes, but you should escape eventually.

This Week On Myspace....

Yep, more fake profile Friend requests. These ones are a little more interesting than usual, though.

First of all, this thing popped into my Inbox:

camw1.jpg

It's pretty obvious that this profile screams out "fake", so off we go to take a look and....

http://blog.spywareguide.com/upload/2007/08/camw2-thumb.jpg

....we see a big banner claiming "Need cash fast use easy Paypal system" with a blog entry proclaiming "$400 to Paypal". If you click the banner, you're taken to a site called "Vid-Share.com":

http://blog.spywareguide.com/upload/2007/08/camw3-thumb.jpg

I'd love to be able to tell you what the software on this site does that will generate you so much money, but to find out you have to send ?19.99, apparently without any idea as to what you're going to purchase.

Interestingly, if you Google Vid-Share.com, the top result (sitting above a number of pages on Myspace that have had this banner posted to them) is rather strange:

http://blog.spywareguide.com/upload/2007/08/camw4-thumb.jpg

"Myspace Hacking / Welcome Welcome to myspacehacking we are the leading email account & myspace password recovery websites on the internet today."

....guess we'll go pay it a visit then.

http://blog.spywareguide.com/upload/2007/08/camw5-thumb.jpg

Apparently, you can pay between $60 and $75 to recover a lost password for a variety of email systems, and the site also offers a number of downloads of the password crack / recovery variety. Some are free, but the one listed in orange needs to be paid for - no idea what it does though:

http://blog.spywareguide.com/upload/2007/08/camwadd-thumb.jpg

If you click around on the front page for a while, you'll see this message appear at the top of the screen (viewable in the main shot of the site above):

"<%'YOUR NOT SUPPOSED TO BE LOOKING THROUGH THIS INFORMATION IT WILL GET YOU NOWHERE!!%>"

I'm guessing this was only supposed to be viewable if you were rummaging round their HTML source, but oh well. Some more exploring on Myspace follows, and it seems a wave of spam profiles have been set up with the express intention of pimping the Vid-share URL:

http://blog.spywareguide.com/upload/2007/08/camw6-thumb.jpg

This one is extremely interesting, as (aside from the Vid-Share spam) it also has this in one of the blog entries:

http://blog.spywareguide.com/upload/2007/08/camw7-thumb.jpg

"Do you need a Myspace password

Get your passwords here Myspacerecovery.com"

Sadly, there doesn't seem to be any cached version of the (currently down) site, so there's no way to check it out and compare it against the sites already mentioned. However, we DO seem to have an overabundance of spam profiles:

http://blog.spywareguide.com/upload/2007/08/camw8-thumb.jpg

....aren't we the lucky ones?

If you happened to open up certain profiles on Myspace these past few days, you'd have the misfortune of seeing the following appear in the middle of your screen:

http://blog.spywareguide.com/upload/2007/06/myspaceremove1-thumb.jpg

That's a vaguely scary thing to have appear on a Myspace profile, because you just know it's going to be pressed a ridiculous number of times. If the user downloads and runs the file, they'll see some of the following sights in Internet Explorer:

http://blog.spywareguide.com/upload/2007/06/myspaceremove2-thumb.jpg
http://blog.spywareguide.com/upload/2007/06/myspaceremove3-thumb.jpg

Of course, no hijack like this would be complete without some fake Taskbar warnings, right?

myspaceremove4.jpg


myspaceremove5.jpg

If you click on either the popups or the hijacked IE banner you're taken to a site called Antispysolutions.com:

http://blog.spywareguide.com/upload/2007/06/myspaceremove6-thumb.jpg

Time for a quick detour. Here's some coverage of one of the programs, Spy Away, from March of this year. Have a look at the fake "detection" in the detections box - note that it simply says "Sistray.exe". Apparently the application and / or site vanished for a while. Well, fast forward to the present day and if you download and run the executable, you'll see a very interesting difference:

http://blog.spywareguide.com/upload/2007/06/myspaceremove7-thumb.jpg

...the application claims to "detect" 180 Solutions (Zango), along with a few other items. This is done by downloading some "dummy" files that the scanner then magically finds. The files themselves don't do anything as far as we can tell apart from sit there and feed the results of the scanner - of course, they aren't legitimate Zango executables. Here's a screenshot of some of the files deposited onto the PC:

http://blog.spywareguide.com/upload/2007/06/myspaceremove8-thumb.jpg

Myspace users would do well to give these so-called security applications a miss. This particular install works best on Windows 2000 - if the user is on XP, there's a good chance nothing will happen. Thanks to LoLo for the tipoff.

Research Summary Write-Up: Chris Boyd, Director of Malware Research
Technical Research: Peter Jayaraj, FSL Threat Researcher

"These Web sites are just bottomless pits of useful information" for phishers, identity thieves and others, said Chris Boyd, security research manager at FaceTime Communications, an Internet security firm. Raiding them, he said, is the equivalent of "Dumpster diving." Link

A good article regarding the perils of Myspace - some interesting facts and figures, along with this (vaguely worrying) quote:

"MySpace now is trying to hire attorneys and additional security experts to make improvements, Nigam said."

...considering the scope of Myspace, shouldn't this sort of setup already be in place?

A while ago on the Spywareguide Blog, I covered a technique being used in Peer to Peer land involving URLs being embedded in Quicktime movies, which would then pop open a website. This has now been taken to the next level, with an intensive and seemingly never-ending phish attack, the sole aim of which seems to be directing end-users to a collection of Zango movies on a pornographic website. The phish pages are hosted on compromised servers - presumably the people doing the hacking aren't particularly brilliant at it, because they keep getting found out (an example of them being caught in the act can be seen here).

How does this attack work?

The Free Myspace Viewer - Beware!

It's been an interesting few weeks for Myspace - there's been a number of scams and dubious programs making their way across countless user profiles. The "fun" clearly isn't over yet, because check out the latest piece of scammery doing the rounds on everybody's favourite social networking site...

It's not often you find an affiliate of WhenU doing something that could be viewed as out-and-out deceptive, so this is a very interesting find indeed. Especially considering they do not have affiliates, at least affiliates in the "traditional sense" according to our Sr. Director of Greynets Research- Wayne Porter, who specializes in online economic models. His answer upon a quick analysis of the initial research:

"It is a given WhenU has made a number of improvements from their past practices, and that is critical for setting an example. However, we take history into account and also look at what we see today. You will note they proclaim quite clearly, "No affiliate distribution, because it's impossible to police." This is wise. WhenU understands unchecked partner models lead to dangerous relationship sprawl and in the end you tar and feather your own brand and hurt people.
What is strange is the next bullet point: "All distribution partners are monitored and must adhere to our strict guidelines; zero tolerance for infractions." (Porter notes this link here.) I would have to ask, from a commerce perspective- how do they monitor them, how do they vet them, what metrics are used to determine inappropriate and appropriate behavior and what is the difference between affiliate and partner? This case seems to be confusing to the end user- is this acceptable? Is this the experience they demand of their partners?
In this case the distribution partner does not appear to be an affiliate per the classic definition. I think it is a good question and would welcome dialogue from Bill Day on how they differentiate between an affiliate and a distribution partner. Clearly the program is being distributed via third parties and one would reasonably assume on cost-per-action or a split revenue basis, or a hybrid deal- that part remains unclear- but the revenue model drives behavior- we know that from field research. If Bill Day is willing to participate I am willing to prepare some questions for him if he would like to go on record about the policies and the reality of how they are put into action. The usual rules of engagement for dialogue of course."

Back to the case at hand...

During research my colleague Peter was probing for Myspace-themed files in P2P land, and while using Bearshare, he came across a file called "Myspace". A movie file, no less. Would it contain Emo kids singing in a garage? Thirty-somethings complaining because none of their friends use Myspace to network?

Nope. In fact, the answer is a little stranger than that. First of all, check out the nice popup you see when firing up the movie for the first time:

http://blog.spywareguide.com/upload/2006/08/myspacewhenu-thumb.jpg

...wait, DRM*? Isn't that what we kept hearing about during the Zango / Myspace fiasco? Could this mean some type of "software" is on the way? It sure could...

http://blog.spywareguide.com/upload/2006/08/myspacewhenu2-thumb.jpg

At this point, I'm sure of two things:

1) The Adware involved in this case is WhenU
2) I have absolutely no idea what "ETE" is, nor why I would want it.

Still, the file is called "Myspace" and we all know Myspace is cool, right? So a Myspace moviefile is going to be even cooler. Isn't it?

Well, no.

This is where things get really confusing for the end-user, because so far they have:

* Gone onto a file sharing network and downloaded a movie file called "Myspace"
* Been presented with a DRM popup relating to WhenU Adware, and told this is needed to install "ETE" despite not being informed of what ETE actually is. Note the popup mentions the install is from a website, when it's clearly from P2P.

At this point, pressing the Continue button will prompt the end-user to download an executable file:

http://blog.spywareguide.com/upload/2006/08/myspacewhenu3-thumb.jpg

Eventually (after a period of complete inactivity on the desktop), you see this:

http://blog.spywareguide.com/upload/2006/08/myspacewhenu4-thumb.jpg

...and we finally discover what ETE is - some kind of free entertainment center. Great, except it doesn't even appear to be on the system. Maybe it's one of those new invisible models I've heard so much about? Perhaps they have Romulan cloaking technology or something.

Anyway - after giving up looking for the mystical "ETE", the confused end-user will run the moviefile. They're presented with....the adultfriendfinder website and, er, some dancing bacon. Seriously:

http://blog.spywareguide.com/upload/2006/08/myspacewhenu7-thumb.jpg

Why? No idea. Anyone see what this has to do with Myspace yet?

Our motto at the FaceTime lab is to try not to leave any stone unturned, so I wasn't prepared to let this mystery go. After some digging, it turns out that ETE is not a standalone application - it's actually a website:

http://blog.spywareguide.com/upload/2006/08/myspacewhenu5-thumb.jpg

This site lets you download applications from another site, called Binartisan.com. According to a Whois lookup, both sites are registered to someone in Taiwan. The download section of the Binartisan site contains many, many installers for games, screensavers and other programs:

myspacewhenu6.jpg

Most of these are WhenU installers - it doesn't take a great leap of the imagination to realise that the affiliate, or partner (depending on nomenclature) here is likely the same person distributing these files in P2P land under the name "Myspace". Of course, naming them after the number one Social Networking site on the web (when the files themselves have absolutely nothing to do with Myspace) is altogether more problematic. Some might even call it deceptive.

I think I'll suggest Wayne add that to his question list.

*Notes on DRM: Any technology used to protect the interests of owners of content and services (such as copyright owners). Typically, authorized recipients or users must acquire a license in order to consume the protected material (files, music, movies) according to the rights or business rules set by the content owner.

Research Summary Write-Up: Chris Boyd, Director of Malware Research
File Discovery: Peter Jayaraj, FSL Threat Researcher
E-commerce Policy Research Evaluation: Wayne Porter, Senior Director Greynets Research.

Zango haven't been out of the news recently - we've seen Myspace, Warner Brothers and the CDT (Center for Democracy and Technology) all added to the mix and the end-result is probably as fatiguing for the reader as it is for the people writing about it!

However, yet another tale has come to light, and it's not a particularly pleasant one. A pornographic website promoting videos provided by Zango (a pornographic website which, it should be noted, appears in many PC hijacks as you can see here) seems to be attracting visitors by means of a dubious keywords scam.

What's happened is that numerous websites have been set up, stuffed with keywords of an incredibly disgusting nature, that redirect you to the Zango content. A list of keywords has been collected in PDF format by Sunbelt Software. Be warned - it is not pleasant.

You can see thoughts on this from Suzi Turner, Sunbelt and myself.

I'm sure more will be adding their thoughts on this in due course...

The question on everybody's lips right now (well probably not, as it happened over the weekend but still..) is:

How much impact did this have on Zango pulling out of their Warner Brothers deal?

Digg.com is a well known source of breaking news stories, and often those stories spring into life well before many journalists are aware that the tale has come, gone and been again due to its rapid spread and rather large reach. A story was recently submitted to Digg with a rather spectacular title:

"Warner Bros website distributing Zango Spyware + Kiddy porn browser".

As someone who follows Zango extremely closely, I nearly fell off the chair when I saw this hit the frontpage of Digg. Could something have gone so amazingly wrong with Zango's distribution chain that someone had gamed the system (once again) and started serving up illegal pornography from the Warner Brothers site courtesy of Zango?

The answer is no. The story submitted to Digg takes the user to a Blog entry dated Thursday, 11th May 2006. Contained within are a number of factual errors, where various Zango related stories have meshed into one, messy whole - however, when the story was re-submitted to Digg last weekend (after being submitted for the first time a few months back and getting nowhere), the submitter added the rather inflammatory title into the mix and people went crazy voting for the thing. End result, a factually incorrect story slamming onto the frontpage of Digg and causing major, major ripples in the Adware space into the bargain.

We think.

Because in all honesty, there's no real way to tell exactly how much impact this submission had on Zango pulling out of the Warner Brothers deal. The first inkling that something was afoot was an article that hit the Washington Post, courtesy of Brian Krebs. This appeared the day after the Digg article went boom, and inside sources tell me that something was definitely going on in that timespan. The question...is what. In reality, we have no way of knowing who reads Digg, but as someone who has been Dugg a lot of times, I have a good feel for the way it works with regards to the way a story leaks into the media. I've had at least one story "break" from Digg - as an example...

BitTorrent Installed without Permission, Downloads Movie Files

The above story was part of a larger investigation. We didn't put out a press release about it, but we did fire it up as a Blog Article and let it loose. Now, that story was picked up by mainstream press and exploded - a clear indicator of the power of Digg. So, it is not impossible that such a massively dugg story such as the Zango / Warner Bros story could end up hitting in the right places. Especially as many, many people who voted for the piece also submitted their feelings about this to Warner Brothers directly.

At this point, I imagine they saw the title involving illegal pornography, maybe did a little Googling about Zango and got just as confused as some of the facts involved here. It doesn't help that findings about Zango and Myspace hit at roughly the same time as this story (well, the whole of July, actually) - in fact, I had a Digg going on at the same time as the Warner Bros story. Someone even suggested people Digg my story from the Warner Bros Digg too - leading to the strange sight of two Zango related stories hitting first and second place in the Digg Security Section:

http://blog.spywareguide.com/upload/2006/07/2zngtop-thumb.gif
Click to enlarge

In fact, I actually saw a few pieces covering the story that mixed up the details from both the Zango on Myspace story and the Zango / Warner Bros article. As the Zango / WB story on Digg is now flagged as "inaccurate", many of you have asked me to straighten things out regarding the facts surrounding this whole mess - which is mainly the reason I've written this up in the first place. Though I'm no expert on the Zango / Warner Bros situation, I do know my stuff where the "illegal content" comes into play in all of this. With that in mind, here's my attempt to ease your mind...

1) "Warner Bros website distributing Zango Spyware + Kiddy porn browser"

This is entirely incorrect. The Warner Bros website was distributing Zango Adware (not "spyware"), and at no point in time did it distribute a "kiddy porn browser". The writer has confused a number of pieces of information - in this case, the "kiddy porn browser" is something called Yapbrowser.

Yapbrowser was a web-browser that (for a short period of time) was distributed with Zango Adware. When you used the browser, it redirected you to a 404 error page that contained hardcore child pornography. The Zango Adware itself did not have any connection with the child pornography, other than their software was bundled with the web browser. Once the revelation of the browser's "hidden feature" was brought to light, Zango removed themselves from distribution with Yapbrowser. Zango's main failing here is that they clearly did not test the Yapbrowser application enough, because they would have realised one click of the browser's "go" button was enough to send you to the illegal content. This doesn't say a great deal about the policing of their affiliates, but they were not responsible for serving up the offending content in any way.

Simply because Zango Adware was launched from the Warner Bros site does not mean visitors were at risk from anything "illegal" appearing on their desktop.

2) "They are also the people behind this alleged child porn browser. They are also the people who still silently install their software on your pcs".

This is taken from the Blog entry that caused all the commotion. Again, this is incorrect. Zango were not responsible for the browser - indeed, the article the Do Not Reply blog links to actually states as much:

"So who is this "Enigma Global Inc" that the YapBrowser installer claims is responsible for the program?"

These are the two main points that people asked me to address, because after seeing the Digg story and knowing that their kids visit the Warner Bros website, they were suddenly panicking like nothing else at the thought they might have illegal pornography on their desktops.

I'm all for taking a company apart in public when needed - but in my opinion, this was entirely the wrong way to go about it. It freaked out too many people through no real reason other than inaccuracy, and I know one person actually scrubbed their hard drive because they thought the police were going to "kick the door in" or something. However you angle it, that's not a particularly pleasant situation for people to be in. The original Yapbrowser story was bad enough - in fact, it's probably the nastiest investigation I've ever been a part of - but dragging it up from the depths to cause needless panic was rather unnecessary. "The end justifying the means" is always a tough one to call, but in this case, it's way too close to the line for my liking.

Would I feel different if I hadn't been involved in the Yapbrowser shambles?

Probably.

All I can say on this occasion is - this is one of the few times a story about Zango did not get a vote from me. Still, who knows what the future holds...!

Yesterday I wrote about fake Myspace profiles leading to pornographic webcam sites - today, we're looking at a variation on the theme. However, the end result this time is not naked ladies, but gambling software. The profile uses the same bait as the webcam profiles - attractive female, long "about me" section designed to convince the person in the profile is indeed "real":

http://blog.spywareguide.com/upload/2006/07/pkrbt1-thumb.jpg
Click to enlarge

There's also one final lure that the webcam profiles did not have:

"The first night I used a poker bot I won $3,000".

The irony here is that an online gambling website is being pushed by a profile promoting illegal bots - exactly the kind of program that the gambling site would not want being used on their system. Talk about conflict of interest! Of course, if you click the link to "Red Casino", you won't see any Bots - just a website asking you to install the gambling software:

http://blog.spywareguide.com/upload/2006/07/pkrbt2-thumb.jpg
Click to enlarge

From there, gambling fun is just a step away...

http://blog.spywareguide.com/upload/2006/07/pkrbt3-thumb.jpg
Click to enlarge

It goes without saying, but never download any programs you happen to find floating around Myspace - especially when it sounds too good to be true. In this case, you're "only" downloading a piece of online gambling software - but there are far greater risks out there in Myspace land as we've already seen...!

Webcam Bots Invade Myspace


Myspace has had a mighty beating lately due to people exploiting the network for their own ends - we've had Adware, Flash hacks, infections via banner adverts and now here's the next problem marching across Tom's lawn with big, muddy boots and trampling all the flowers. It's time to take a look at the seedier side of what goes on in Myspace - you've probably heard about "Myspace Bots", but not seen one in action. Well, today's your lucky day.

There are lots of near-identical profiles being created on Myspace at the moment, for some reason all called "Monica". No idea why, I guess they just like the name - at least they're not going to forget who's who. This is of some benefit to us, however, because it makes it easier to steer clear of fake-profile related trouble. It goes without saying to double check any Myspace users you encounter called "Monica" for the time being, especially if the text on the "about me" section of these profiles is all about being "different" and "individual" - and think twice before adding them to your MSN Messenger. Here's a screenshot of one of these profiles (note that the picture will change with each profile, but the "about me" text will remain (mostly) the same):

http://blog.spywareguide.com/upload/2006/07/mspcebtprofile1-thumb.jpg
Click to enlarge
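Fake-profile batches like the "Monica" set above tend to reuse one "about me" text with small edits, which is exactly what near-duplicate detection is good at. The script below is an added example, not code from the original post or from Spywareguide: it groups profiles whose text overlaps heavily using word-shingle Jaccard similarity, so a moderator can review a whole cluster instead of one report at a time. The profile records are constructed for the example, and the shingle size and threshold are the example's own assumptions.

```python
"""Near-duplicate detection over social-network profile text.

Added example, not code from the original post. It models the pattern
described above: a batch of fake profiles that reuse the same "about me"
text with small edits. Word-shingle Jaccard similarity groups such
profiles so a moderator can review the cluster instead of one report at a
time. All profile records below are constructed for the example.
"""
from __future__ import annotations

import re
from itertools import combinations

# Constructed sample profiles (hypothetical, not real Myspace data).
PROFILES = {
    "monica_1": "I'm different from all the other girls on here. I'm an individual and I like to have fun, so add me on MSN and lets chat!",
    "monica_2": "I'm different from all the other girls on here! I'm an individual, I like to have fun, so add me on MSN and lets chat.",
    "monica_3": "im different from all the other girls on here. im an individual and i like to have fun. add me on msn and lets chat!!",
    "dave_42": "Guitarist from Leeds, into climbing and bad horror films. Say hi if you like either.",
    "kate_7": "Second year chemistry student. I post too many photos of my cat.",
}


def normalize(text: str) -> list[str]:
    """Lower-case and drop punctuation/apostrophes so "I'm" and "im" compare equal."""
    text = text.lower().replace("'", "")
    return re.findall(r"[a-z0-9]+", text)


def shingles(text: str, k: int = 3) -> set[tuple[str, ...]]:
    """Set of k-word shingles; order-sensitive, so reshuffled word salad does not match."""
    words = normalize(text)
    if len(words) < k:
        return {tuple(words)}
    return {tuple(words[i:i + k]) for i in range(len(words) - k + 1)}


def jaccard(a: set, b: set) -> float:
    """Overlap ratio of two shingle sets (1.0 = identical)."""
    if not a and not b:
        return 1.0
    return len(a & b) / len(a | b)


def cluster_profiles(profiles: dict[str, str], threshold: float = 0.5, k: int = 3) -> list[set[str]]:
    """Group profiles whose about-me shingle sets overlap at least `threshold`.

    Union-find over every pair: fine for a moderation queue of a few thousand
    profiles. Returns every cluster of size >= 2.
    """
    parent = {name: name for name in profiles}

    def find(x: str) -> str:
        while parent[x] != x:
            parent[x] = parent[parent[x]]
            x = parent[x]
        return x

    sh = {name: shingles(text, k) for name, text in profiles.items()}
    for a, b in combinations(profiles, 2):
        if jaccard(sh[a], sh[b]) >= threshold:
            parent[find(a)] = find(b)

    groups: dict[str, set[str]] = {}
    for name in profiles:
        groups.setdefault(find(name), set()).add(name)
    return [g for g in groups.values() if len(g) > 1]


if __name__ == "__main__":
    for group in cluster_profiles(PROFILES):
        print("near-duplicate profiles:", sorted(group))
```

With the sample data the three "Monica" texts score around 0.8 against each other and land in one cluster, while the two genuine-looking profiles match nothing. Lowering the threshold catches more aggressive rewording at the cost of false positives on short, generic bios.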

Once added, talking to "Monica" will result in a bunch of Bot-style replies that all try to get you to pay for access to hardcore pornography webcams. The interesting part was trying to work out how much was automated, and how much was human-controlled. The first chat I had veered away from the "4 random replies and set to Away status" that all the subsequent sessions with Monica had - after all, when you're telling someone to "do a barrel roll" and asking them if they "like potatoes", yet all you get for your troubles is "check out my webcam!" it's the signal for a (not very advanced) Bot. It's entirely possible that the first chat was human controlled, but they had to stick to a script and not deviate too much. Ultimately it's all about the money, not random chat with some guy they're trying to extract payment from. Worth noting that if someone was talking to me the first time, they were quite happy to encourage me to join up, even though I mentioned I was twelve years old!

http://blog.spywareguide.com/upload/2006/07/mspcebtprofile2-thumb.jpg
Click to enlarge

You can see the results of some of these chats here - always good to see just how intelligent these things are (whether human or Bot!) As you'll see, the first chat definitely suggests some form of personality behind the screen - however, the rest are all 100% guaranteed conversations with automated scripts. Doh!

I can only imagine the money being brought in by a scam like this - fake profiles on Myspace have been around for some time, but a quick check of the message boards and forums suggests that this particular issue is taking off in a fairly major (and concentrated) way. It's the easiest thing in the world to create a bunch of fake profiles on Myspace, though to be fair, at time of writing Myspace have deleted a whole bunch of these accounts so proactive steps are being taken.

It's just a shame that they seem to have missed one in the process! As I mentioned in this BBC article on the problems facing Myspace at the moment:

"Any site has an increased risk of attack where a lot of customisation is possible," said Mr Boyd. "This level of customisation is what both attracts people to use the service, and what causes the most security issues."

The problem faced by Myspace is that if you start locking down all the things the users like about the service in the first place, they'll simply move elsewhere - quite the dilemma! However, somehow they need to educate their users to see that, sometimes, restrictions can be a good thing. The good news is, there are plenty of tech support and Spyware help groups on Myspace and they're doing an extremely good job of educating the everyday users there. We need to see much, much more of this kind of activity if Myspace is to begin clawing back the security of both its own service and that of its userbase.

Of course, if any of you Myspace users ever see anything you think is dubious going on - be it Adware, fake profiles or anything else - feel free to drop us a line here. We'll happily go check it out and see if we can get something done about it.

Stay tuned to Spywareguide, because we'll be looking at more common (and not so common!) scams and other such shenanigans going on in Myspace land - tomorrow, we'll be looking at a nice (!) example of Gambling software being pushed with (clearly fake) user profiles.

Looks like someone's number is up...

There's been plenty of issues for Zango to consider these past few weeks - in particular, their unexpected appearance on Myspace is a good example. Well, we have a rather interesting case here - a website enticing an end-user to install something they think they need, only to pull the rug out from under them and reveal that (in actual fact), it was this program over here that they needed all along!

http://blog.spywareguide.com/upload/2006/07/zngosbrowser1-thumb.jpg
Click to Enlarge

As you can see, the site above is a typical free movies / webcam website. This site displays numerous videos for you to watch, with the words "live now" next to a play button. Pressing the button does not launch a video (as one would reasonably assume!), but actually opens up a download prompt:

http://blog.spywareguide.com/upload/2006/07/zngosbrowser2-thumb.jpg
Click to Enlarge

The name of the executable continues the baiting strategy - "open for instant access". At this stage, the end-user still reasonably believes running this software is essential to viewing the videos on the frontpage. You can see the icon on the desktop and a EULA (feel free to try our Beta EULA Analyzer) presented below:

http://blog.spywareguide.com/upload/2006/07/zngosbrowser3-thumb.jpg
Click to Enlarge

However, when you install it, IE opens automatically and you see this:

http://blog.spywareguide.com/upload/2006/07/zngosbrowser4-thumb.jpg
Click to Enlarge

...a page of Zango videos, where you have to install various pieces of Adware from Zango in order to acquire the License to watch the video. However, these are not the "videos" mentioned on the frontpage - in fact, they don't seem to exist. And as far as "watching the videos on the frontpage" goes, installing Smart Browser serves no purpose whatsoever. Research from our database reflects:

The SmartBrowser is controlled by smart-browser.com. In our studies it changes the default home page. It opens pop-up pornographic advertising. Examples included extremelybabes.com and extremelyamateurs.com, and redirects attempted access of other pornographic sites to these sites instead. (Caution: these sites may attempt to load premium-rate dialers.)

EULA Analysis demonstrates some notable and alarming security risks:

- "YOU AGREE THAT UPON ENTERING ANY SITES UNDER THE CATEGORY THAT FEETS OUR PUBLISHERS CATEGORIES ,AN ADVERISEMENT MATCHING THAT CATEGORY WOULD POP UP, AND"

- "YOU AGREE THAT YOUR COMPUTER WILL BE USED TO CONNECT TO OUR SERVER FOR ANY UPDATES OR ADDINS. AND"

- "YOU KNOW AND AGREE THAT YOUR COMPUTER WILL BE USED TO SEND EMAILS (PUBLISHMENT & FILES) TO YOUR FRIENDS (USING YOUR LOCAL USER DATABASE) AND TO OUR LISTS .AND YOU ASSURE US THAT YOU WON'T CONSIDER THAT A VIOLATIONS OF YOUR PRIVACY OR ANY OTHER RIGHT. AND"

- "YOU KNOW AND AGREE THAT YOUR COMPUTER WILL BE USED TO CONNECT TO CHATS IRC, YAHOO ,MSN ,ETC IN ORDER TO PUBLISH OUR PRODUCTS."
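The four clauses above are the kind of thing an automated EULA check should surface without a human reading every line of capitals. The scanner below is an added example, not FaceTime's EULA Analyzer (whose rules are not published on this page): it runs a handful of regex rules over the Smart Browser clauses quoted above, assembled here into a sample EULA, and scores each hit. The rule names, severities and patterns are the example's own assumptions.

```python
"""Keyword-based EULA risk scanner.

Added example, not the FaceTime EULA Analyzer itself (that tool's rules are
not on the page). It flags clauses that describe the behaviours called out
above: ad pop-ups, self-updating, mailing third parties from the local user
database, and connecting to chat networks to advertise. The sample EULA is
assembled from the four clauses quoted in the post; the rules, labels and
severities are this example's own assumptions.
"""
import re

# Each rule: (risk label, severity 1-3, regex applied to an upper-cased clause).
RULES = [
    ("pop-up advertising", 2, r"ADVER[T]?ISEMENT.*POP\s*UP|POP\s*UP.*ADVER[T]?ISEMENT"),
    ("silent updates / add-ins", 1, r"CONNECT TO OUR SERVER.*(UPDATES|ADD\s*-?INS)"),
    ("mass-mailing from local address book", 3, r"SEND E-?MAILS.*(USER DATABASE|ADDRESS BOOK|CONTACTS)"),
    ("privacy waiver", 3, r"WON'?T CONSIDER .* VIOLATION.*PRIVACY"),
    ("chat-network spamming", 3, r"CONNECT TO CHATS?.*(IRC|YAHOO|MSN)"),
]

# The clauses quoted in the post, one per line, typos and all.
SAMPLE_EULA = """
YOU AGREE THAT UPON ENTERING ANY SITES UNDER THE CATEGORY THAT FEETS OUR PUBLISHERS CATEGORIES ,AN ADVERISEMENT MATCHING THAT CATEGORY WOULD POP UP, AND
YOU AGREE THAT YOUR COMPUTER WILL BE USED TO CONNECT TO OUR SERVER FOR ANY UPDATES OR ADDINS. AND
YOU KNOW AND AGREE THAT YOUR COMPUTER WILL BE USED TO SEND EMAILS (PUBLISHMENT & FILES) TO YOUR FRIENDS (USING YOUR LOCAL USER DATABASE) AND TO OUR LISTS .AND YOU ASSURE US THAT YOU WON'T CONSIDER THAT A VIOLATIONS OF YOUR PRIVACY OR ANY OTHER RIGHT. AND
YOU KNOW AND AGREE THAT YOUR COMPUTER WILL BE USED TO CONNECT TO CHATS IRC, YAHOO ,MSN ,ETC IN ORDER TO PUBLISH OUR PRODUCTS.
"""


def split_clauses(text: str) -> list:
    """One clause per non-empty line; the trailing connective 'AND' is dropped."""
    clauses = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        line = re.sub(r"[\s.,]*\bAND$", "", line)
        clauses.append(line)
    return clauses


def scan_eula(text: str) -> list:
    """Return one finding per (clause, rule) hit, highest severity first."""
    findings = []
    for idx, clause in enumerate(split_clauses(text), start=1):
        upper = clause.upper()
        for label, severity, pattern in RULES:
            if re.search(pattern, upper):
                findings.append({
                    "clause": idx,
                    "risk": label,
                    "severity": severity,
                    "excerpt": clause[:60],
                })
    # Stable sort: severity descending, then clause order.
    findings.sort(key=lambda f: (-f["severity"], f["clause"]))
    return findings


def risk_score(findings: list) -> int:
    """Crude overall score: sum of severities, capped at 10 for display."""
    return min(10, sum(f["severity"] for f in findings))


if __name__ == "__main__":
    hits = scan_eula(SAMPLE_EULA)
    for f in hits:
        print(f"[sev {f['severity']}] clause {f['clause']}: {f['risk']} - \"{f['excerpt']}...\"")
    print("overall risk score:", risk_score(hits))
```

Clause 3 trips two rules (the address-book mailing and the privacy waiver), which is the intended behaviour: a single sentence can carry more than one risk. Pattern matching of this sort is only a first pass, since a EULA can describe the same behaviour in vaguer words, but it catches the blunt wording seen here.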


What we have here is a clear example of Bait and Switch - luring you in with one offer, only to be denied the desired item, but presented with a "substitute" at the last moment. The difference here is that the webmaster also gets to install Smart Browser onto the PC in the process - I suppose you could call it a two for the price of one deal or a "bonus". Even if the end-user doesn't choose to download any Zango videos, they'll still be receiving pop-ups (and possibly premium rate dialers) via Smart Browser.

As I am (increasingly) fond of saying - if it looks too good to be true....it probably is.

Research Summary Write-Up: Chris Boyd, Director of Malware Research
Technical Research and Discovery: Chris Mannon, FSL Senior Threat Researcher
EULA Analysis: Wayne Porter, Senior Director of Greynets Research

You can read the full article here - a good summary of some of the problems faced by Social Networking sites as hackers and confidence tricksters move in on previously unsoiled ground. From the article:

Chris Boyd, director of Malware research at Facetime Security Labs, said sites such as MySpace and Orkut often felt like "gated communities" and made people feel more secure than they should.

"They might click something that outside of that community they would usually think twice about," he added.

It's good to note that sites such as Orkut and Myspace are reacting quickly to these issues - the question is, can they keep up with the bad guys?

More Myspace Misery


Check out this illuminating post by Brian Krebs on how anything up to a million Myspace users were exposed to Spyware. Myspace is having a pretty rough time of it lately, with Zango Adware, Flash-based redirects and XSS (cross site scripting) attacks running riot. I don't think anyone could have predicted this current explosion of attacks on Myspace, but this probably won't be the last time you see Myspace mentioned here. The hackers have picked up the scent of blood in the air...

Ben Edelman has some new spyware research about Vonage and some of the unsavory things going on. It is a long and technical read, but I recommend it (see the link to the video at the end, and the Late Entry on Vonage's behind-the-scenes action).

He covered several examples, but the one that caught my eye and I wanted to talk about was the use of ad injection.

Examples he covered in the article - the banner injection group is the one discussed here:

Spyware-Delivered Pop-Up Ads
Direct Revenue
Targetsaver - covering AOL
Targetsaver - covering a sexually-explicit site
SearchingBooth

Banner Injection Into Others' Properties
Fullcontext - ad injected into Google.com
Searchingbooth - ad injected into True.com
Searchingbooth - ad injected into eBay
DollarRevenue - replacing an ad within Boston.com

Spyware Delivered Banner Farms
Hula's Global-Store
ExitExchange

Spyware Lead Acquisition
Direct Revenue - Vendare's Myphonebillsavings
Direct Revenue - NextClick's Phonebillsolution

It is worth noting that in the first three examples (Google, eBay, and True.com) the ads are injected above a site.
However, DollarRevenue injects its ads into a site, covering a banner placed by the site. For a site this means the person who bought the media might not be getting their fair share and the site owner is not getting paid.

But what does this mean for people, the netizens?

I was intrigued by this question and by what seems to be a relatively dead tactic coming to life in the field. So I queried Ben for a discussion. In short he wondered aloud whether banner injection might be "the next big thing." He told me that until this past month, he had only seen one spyware program injecting banner ads into others' sites: DeskWizz's SearchingBooth. But then this past month he found two more -- FullContext and DollarRevenue. That's a startling and rapid growth -- suggesting there may be more to come.

Ben also pointed out that these ad injectors benefit from the lack of transparency in banner ad syndication. At least affiliate merchants generally get to approve their partners one by one. (Most sophisticated merchants have long since disabled auto-approve.) But when advertisers buy banner ads, especially run-of-network / remnant / untargeted ads, they get very little visibility into where those ads appear. This is practically an invitation for placements in spyware injections and other unseemly locations.

In the past many users suspected they had spyware from all the annoying pop-ups, but like the Borg the dark forces adapt and change tactics - smaller footprints, random file names and MD5s, using rootkits - so I am not surprised if this new tactic enters the fray. I can envision it popping up on social networks like MySpace or non-hierarchical news sites like Digg.

The Ad Injection is very subtle and thus people may not know it is going on and that a program is doing it.

Take, for instance, an "anti-fraud screen" I found while tracing the money trails of a mass spam attack (still looking into that one) that was delivering malware and porn through deceptive SEO and encoded JavaScript injection. In this case, as I understand it so far, a company from Russia runs a private pay-per-click engine and I believe offers XML feeds and search results powered by syndicated results from various pay-per-click search engines. They dole out up to 75% or more to webmasters and pocket the rest.



http://blog.spywareguide.com/upload/2006/07/7search-anti-fraud-thumb.gif

Click To Enlarge In New Window

While it is good that 7Search is periodically checking for problem syndication, I have to ask: why do you need the end user to police it? I would prefer them to keep the problems out at the gate.

What topic did you click? Straightforward, if you can remember. Why not log the topic?

Are you infected with spyware? How would they really know? That is how it got the moniker "spyware" in the first place. People didn't know how it got there, or someone else installed it, or any number of other situations.

Are you a part of a pay-to-surf program? Name them. Ouch. Not as if people getting paid are going to out anyone - or would they? Doesn't add up to me. Not to mention incentivized search historically gives low yields for advertisers.

In closing, pay close attention to this video from Ben's research on the DollarRevenue ad injection. The easy-to-catch warning signs of spyware infection may indeed fade, meaning people will have to be all the more careful.

Watch the full video of what an ad injection looks like: Edelman's Video on Ad Injection. (Opens in a new window)

LATE ENTRY: Using the ever-so-handy insider status in the ad world I have learned from more than one anonymous source that Vonage is putting on hold a number of their advertising deals. I am not sure if it is just with the companies Edelman cited in his research or how far this reaches yet. At any rate Vonage is reacting and getting serious in their response. This could be a pivotal moment in the spyware wars. You kill the spies by cutting out the well-funded brands sponsoring their existence.

Myspace Under Flash Fire


If you use Myspace, you need to be extremely careful at the moment.

First we had Zango Adware being pushed from profiles encouraging other users to spread the same content.

Then, we had a "Myspace Toolbar".

Now, there is talk of an exploit that relies on redirects via Flash, meaning the hacker has complete control over your profile. You can see the ripples being made here on Digg - should be interesting to see if Myspace put out some kind of "official response" to this one as it's really caught fire. Of course, there have been exploits floating round Myspace for a long time...but as always, don't let familiarity breed contempt - here's a nasty example of what can go wrong for the non-cautious individual!

IMPORTANT UPDATE: Google has reacted very quickly to our concerns, and we have been in discussions with their top engineers. As netizens we are encouraged by their quick reaction to our concerns, and willingness to listen thoughtfully to our feedback. Successful companies like Google understand that one must be a part of the conversation, not stand outside the conversation or try to obscure it. Our hats are off!
Stay tuned for more news...(See Addendum At Bottom)

-Wayne Porter
Sr. Dir. Greynets Research, FaceTime Communications

Back to the entry and analysis from Paperghost....

The idea of problems behind "gated" communities is a pretty interesting one, even more so when the idea regularly rolls around that segregating various parts of the Internet to "keep the bad guys out" would be a great idea. But what happens when those bad-guys are already inside the gates?

From Wikipedia:

(Orkut is) run by Google and named after its creator, Google employee Orkut Buyukkokten. It claims to be designed to help users meet new friends and maintain existing relationships. Similar to Friendster and MySpace, orkut goes a step further by permitting "communities" of users. It is also invitation-only: users must be invited to join the community by someone already there.

So, an interesting concept. But as we saw with Myspace not so long ago, people can (and will) game the system. In this case, the targets are (primarily) Brazilian users of Orkut - because for some reason, something like 70% of all users are from Brazil, and Portuguese is the language of choice right now. Of course, Orkut are not to blame here - nor are social networking sites in general. The sad fact is, large concentrations of end-users in a confined space are like the world's biggest honeypot to a social engineer.

It figures, then, that this particular infection - a variant of an older password stealer, which we dubbed Orc.Malware - should contain a message in Portuguese. Following up a hot tip from this guy (FallenHawk, an extremely resourceful Security Researcher), I was able to get a look at something rather nasty. Something that has apparently been nailing Orkut users for at least a month or so, but (until now) has been ultra-elusive with regard to trying to pin it down. The early variants (one or two of which I've since obtained) didn't do very much, and there was no direct tie to Orkut, other than this was where the bad-guys were pushing it. Now, however, the infection will pop up a message telling you your data is being mailed off someplace, before sending you to the Orkut site (as you'll see from the video later on. Bring some popcorn).

The source of the problem is these two nasties (disguised as images), created in the System32 folder by a rogue executable file:

orkfiles1.jpg

Let's have a look at how these things get on board in the first place. We'll start off with the method of delivery...the infection message. The most common one we've seen so far is this:

"Oi... tudo bom? Como o orkut limita a quantidade de fotos que podem ser publicadas na minha conta, eu criei um slide com algumas fotos minhas, pra ver e so clicar clicar no link!!! [link removed] - Sei que vai gostar"

A (very rough!) translation: "As Orkut limits the amount of photos that can be published in my account, I created a slideshow with some photos of mine, please click to see!"

This message is deposited in an Orkut user's "Scrapbook" (similar to a guestbook), and as the Scrapbooks are public, anyone visiting can see the link and click it. As you probably guessed, that's a real bad idea in this case.

The end-user is presented with what looks like an image file - open it up, and covert ops of the nastiest kind are instigated against the PC. Two more files are installed.
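A file that "looks like an image" is only an image if its bytes say so; the extension is just a label the dropper chose. The checker below is an added example, not from the original post or from FaceTime, that walks a folder and flags files carrying an image extension whose leading bytes are an executable header instead. The sample folder, the file names and the stub "MZ" header are constructed for the example; no real payload is involved.

```python
"""Flag files whose content does not match their image extension.

Added example, not from the original post. The infection above drops
files named like pictures; the extension is a label, not a property of the
bytes, so a defender checks the leading bytes (magic numbers) instead. The
sample directory is constructed in a temp folder, and the "bad" file is just
a minimal MZ signature plus padding, not a real executable.
"""
from __future__ import annotations

import os
import tempfile
from pathlib import Path

# Leading-byte signatures for the image types we claim to recognise.
IMAGE_MAGIC = {
    ".jpg": (b"\xff\xd8\xff",),
    ".jpeg": (b"\xff\xd8\xff",),
    ".png": (b"\x89PNG\r\n\x1a\n",),
    ".gif": (b"GIF87a", b"GIF89a"),
    ".bmp": (b"BM",),
}

# Executable signatures: Windows PE/DOS ("MZ") and ELF.
EXECUTABLE_MAGIC = {
    b"MZ": "Windows PE/DOS executable",
    b"\x7fELF": "ELF executable",
}


def classify(path: Path) -> str | None:
    """Return a finding if `path` claims to be an image but its header says otherwise."""
    ext = path.suffix.lower()
    if ext not in IMAGE_MAGIC:
        return None  # not an image extension, so nothing to contradict
    with open(path, "rb") as fh:
        head = fh.read(16)
    if any(head.startswith(sig) for sig in IMAGE_MAGIC[ext]):
        return None  # header agrees with the extension
    for sig, desc in EXECUTABLE_MAGIC.items():
        if head.startswith(sig):
            return f"{path.name}: {ext} extension but {desc}"
    return f"{path.name}: {ext} extension but unrecognised header {head[:4]!r}"


def scan_directory(root: Path) -> list[str]:
    """Walk `root` recursively and collect every mismatched image-named file."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            finding = classify(Path(dirpath) / name)
            if finding:
                findings.append(finding)
    return sorted(findings)


def build_sample_dir() -> Path:
    """Construct a throwaway folder: two genuine image headers, one disguised executable."""
    root = Path(tempfile.mkdtemp(prefix="img_check_"))
    (root / "holiday.jpg").write_bytes(b"\xff\xd8\xff\xe0" + b"\x00" * 32)
    (root / "logo.png").write_bytes(b"\x89PNG\r\n\x1a\n" + b"\x00" * 32)
    # Constructed: MZ signature followed by zero padding; it is not runnable.
    (root / "party_photo.jpg").write_bytes(b"MZ\x90\x00" + b"\x00" * 60)
    (root / "notes.txt").write_bytes(b"not an image, not checked")
    return root


if __name__ == "__main__":
    sample = build_sample_dir()
    for line in scan_directory(sample):
        print(line)
```

Pointed at a folder such as the System32 directory mentioned above, the same walk reports any picture-named file that actually starts with a PE header. The check is deliberately one-directional: it does not catch an executable that merely carries a picture icon, which is the other half of the "looks like an image" trick.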

They don't look like much, but they're busy trying to drain your pockets of cash and anything else they can get their hands on. One of the files contains references to a pile of specific login pages for Brazilian banks, as well as a whole section devoted to Orkut and its Friends and Scrapbook pages. On the Orkut help site, they mention how automated Scrap sending isn't allowed:

"If you use other sites to log into orkut or send your friends scraps, you will likely be blocked from performing any actions on orkut.com for about 15 minutes and you'll see the message "We're sorry...but your query looks similar to automated requests."

However, there are many examples of people abusing the system - Orkut has had lots of problems previously with people creating Spam scripts. And this particular infection does seem to have at least a (very) basic automated functionality. I first tested this on the Eighth of June, and was more interested in the data-theft aspect at that point. I didn't see anything particularly unusual going on (beyond the keylogging, of course!) and yet when I logged in a few days later, I saw this:

http://blog.spywareguide.com/upload/2006/06/orkfiles2-thumb.jpg
Click to Enlarge

...and this:

http://blog.spywareguide.com/upload/2006/06/orkfiles3-thumb.jpg
Click to Enlarge

During testing, I had two contacts in my "Friends" network. To my surprise, both of those users now had the infection message sitting in their scrapbooks. As you can see, the time / date of both messages is identical: 09:54 AM, 08/06/2006.

Now that's pretty freaky.

Worse still, this infection seems to be amazingly random. During one round of testing, it even deposited me into an XDCC Botnet:

http://blog.spywareguide.com/upload/2006/06/orkfiles4-thumb.jpg
Click to Enlarge

Yay, I'm file-sharing pirated content!

As for how the data is actually sent back to the hacker guy, you'll probably want to check this short movie clip out:

flmtckr1.jpg Click here to download movie (2.90 MB)

00:00 to 00:09 seconds: End-user is going about their daily business, logging into Orkut. Note that you could be performing any web-based activity here; it's just a little thing I like to call context. Plus, I don't actually have any Brazilian bank accounts so you'll just have to make do with Orkut.

00:10 to 00:14 seconds: The end-user clicks into "My Computer". Oh dear - an "error message", warning that you have insufficient virtual memory and the application will now close (or words to that effect. I never was very good with Babelfish).

00:17 to 00:27: At this point, the end-user is probably wondering what on Earth is going on, as they see a message telling them their "form has been submitted", and that they will be redirected somewhere in 5 seconds. Can you guess where?

00:28 to 00:34: That's right, Orkut! I mean, he stole all your bank details and website logins, but at least he gives you a chance to get back into Orkut and change your password before he steals that too!

http://blog.spywareguide.com/upload/2006/06/orkfiles5-thumb.jpg
Click image to Enlarge

Make no mistake about it - this infection is a real nasty one. And worse still, it looks like the tip of a very ugly iceberg. I'd insert a really rubbish comment at this point about "how I hope we're not too late to avoid a Spyware-Titanic", but you'd probably hate me for it. Even if it was a nice tie in to the whole iceberg thing. So I'll just leave you with the advice that randomly clicking links to check out pictures, especially when those pictures are from some magical party you've never heard of, is probably not a very good idea.

Many thanks to Peter in our Bangalore office for his incredible sleuth work and the entire team for assisting in pulling this complex case to pieces. Special thanks to Wayne Porter for all night monitoring and revisions.

ADDENDUM: A startling event was discovered during extended testing on an infected machine, which was infected in a lab setting on the 13th of June. The link to the dangerous payload was propagated on the 16th...however the infection message is timestamped as having been sent on the 14th of June:

http://blog.spywareguide.com/upload/2006/06/orkfiles6-thumb.jpg
Click to Enlarge


http://blog.spywareguide.com/upload/2006/06/orkfiles7-thumb.jpg

Click to Enlarge

ADDENDUM Saturday, 17 2006 Happy Endings for Orkut

From CNET:


Google confirmed the worm. "We are aware of this issue and will have a temporary fix in place within the hour," a company representative said in an e-mailed statement. "We are working on a more permanent solution for users to guard against these malicious efforts."

For their protection, Orkut users, just as users of all online services and applications, should always be careful when opening or clicking on anything suspicious, the Google representative said.

-Wayne Porter
Sr. Dir. Greynets Research, FaceTime Communications

Ever wondered if music should be assigned an "annoyance level" in the Spywareguide.com database? Probably not, but after seeing this latest hijack you might think twice. Throw in a browser which installs itself without your permission and you have one of the craziest hijacks I've seen this year: say hello to yhoo32.explr, courtesy of FaceTime Security Labs.

Sitting comfortably?

Then let's begin...

Zango on Myspace


Want to see an example of the PM floating around Myspace as blogged by Brian Krebs that eventually leads to a Zango install? Because we've been looking at these bad boys for the last few days too. Good old multi-blog action - nothing finer!

Here you go:

http://blog.spywareguide.com/upload/2006/05/myspzango1-thumb.jpg
Click image to enlarge