Results tagged “Social Networking” from SpywareGuide Greynets Blog

Yesterday I happened to see a particularly creepy advert containing a number of rotating images claiming to offer "Hacked Facebook and Photobucket accounts" for a price:

[Image: hackedfbaccts1.jpg]

The site the image links to is called...well, see for yourself.

[Image: Wait...what?, originally uploaded by Paperghost]

Yes, the site is actually called "Hackedsluts.com" and claims to offer up an endless series of images from "hacked" accounts including Myspace, Photobucket and Facebook in return for a monthly fee. Or, as they like to put it:

"Every day we prowl Facebook, Photobucket, Myspace and a ton of others....then we let our team of hackers do their thing"...

[Image: Account hacked!, originally uploaded by Paperghost]

As porn site marketing campaigns go this one is certainly, uh, different.

Just to force the message home, hovering over any image will pop up some text on top of the picture:

[Image: hackedfbaccts5.jpg]

Just when you think they can't possibly get any creepier or salacious, the final image at the bottom of the first set actually looks like this:


[Image: Extreme, originally uploaded by Paperghost]

...yep, we'll throw in dubious claims of hacked accounts / stolen images AND we'll lob in a blood splattered "Too extreme" banner supposedly covering up some of the pictures. While this is clearly a piece of Lame Marketing 101, the overall effect of the site is extremely disturbing.

Are the images actually stolen? It's doubtful; in all probability the bulk of the content (if not all of it) is stock pornographic material. But simply claiming, for financial gain, that they've been plundering images from supposedly hacked accounts on Facebook, Myspace and all the rest of them blows my mind; it is an amazingly dubious piece of unethical marketing and is surely a fast track to a day in court.

You would hope...
(Huge thanks to Baz of Malwarecrawler.com, who provided the Vkontakte.ru screenshots, translations and helped me to make the connection between a number of rogue blogs I'd been looking at recently and a particularly nasty Vkontakte scam that I had no idea existed until yesterday).

Now that we've got that bit out of the way, your first question may well be "What is Vkontakte"?

Well, it's billed as the Russian Facebook and seems to be pretty popular (45 million users as of October 09). With that many users, it seems that the usual "build it, and they will come" rule applies to scammers, phishers and malware authors, as we shall see.

What's Happening?

You know how on Facebook you get those wonderful Koobface worms that post links to fake videos, and if you run the file you end up with infections galore and a bunch of messages posted to the walls of your friends?

This is a similar scenario, with messages (which may or may not be automated) posted to Vkontakte pages which lead to malicious downloads, many of which will do horrible things to your computer if given the chance, including account theft, Trojans and desktop lockouts.

Here is a sample message posted to a typical Vkontakte page:

[Image: Vkontakte Fake Exploit Message, originally uploaded by Paperghost]

It says that there is a "mega hole" in Vkontakte which allows you to see private profiles. Click the link, and you're redirected to one of a chain of Blogspot blogs which look like this:


[Image: Vkontakte Scam Blog, originally uploaded by Paperghost]


Here is the translation, courtesy of my new pal Baz:

Page title: Mega hole in Vkontakte!

How to get full access to a private Vkontakte profile and how to defend your profile


This hack will be fixed at any moment, so use it before it is too late!

Everything is very simple.

1. Download the program <link> <mirror>

2. Run it

3. Enter the id of the profile you want to get access to.

Finding the id is very simple, just go to the person's (profile) page and at the top there will be something that looks like: http://vkontakte.ru/id******

4. Afterwards, you will have full access to the profile of the person whose id you have entered.

If you have any doubts, just check the program with antivirus and convince yourself that everything is in order.

If the first program didn't work, here is the second: <link>


Depending on the payload, you may end up with Trojans, Rootkits, worms and / or other assorted junk deposited on your PC with a strong emphasis on SMS scamming. We'll take a look at some of those momentarily, but I should mention a particular spamming technique that Baz spotted which seems to be getting past whatever spam filters Vkontakte has in place.

On Facebook you've probably seen the graffiti wall application, which allows you to draw an endless series of humorous body parts on the wall of your choice. Vkontakte has a similar (if not identical) application, and it looks like the scammers are pasting their "massive hole" messages onto that, which neatly sidesteps spam filters.

[Image: Vkontakte Graffiti Spam, originally uploaded by Paperghost]

"ahahahaha!!! s*it!! I got access to your profile via vkon-fire.msk.ru"

Pretty smart.

What do the files do?



[Image: Vkontakte Scam Infection Files, originally uploaded by Paperghost]

Here's a bunch of scan results, feel free to browse through and be glad none of them were dropped onto your computer. In general, the files claim to attempt contacting the Vkontakte servers, then "fail" with a nice fake error message; meanwhile (...you know the drill...) a wide variety of junk is inserted onto the PC behind the scenes and your login vanishes into the wide blue yonder.

The messages posted to the Vkontakte site may or may not be automated; none of the files tested display any sign of worm-related shenanigans. A big part of this scam is a phishy Hosts file hijack:


[Image: Vkontakte Scam Hosts file hijack, originally uploaded by Paperghost]
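As an added illustration (not code from the original post), the check below scans hosts-file text for the kind of hijack described here: a social-networking domain pinned to an address that is neither loopback nor unspecified, which is how a local redirect to a fake login page is wired up. The sample hosts content, the watched domain list and the 203.0.113.5 address are constructed for the example.

```python
import ipaddress
import re

# Domains worth watching for this scam; a constructed list for the example.
WATCHED_DOMAINS = {"vkontakte.ru", "vk.com", "facebook.com", "myspace.com"}

# Constructed sample hosts file (not taken from the screenshot above).
SAMPLE_HOSTS = """\
# Standard entries
127.0.0.1\tlocalhost
::1             localhost ip6-localhost
# Entries a hijack would add (example address only)
203.0.113.5     vkontakte.ru www.vkontakte.ru  # redirects the real site
203.0.113.5 vk.com
0.0.0.0         ads.example.net
"""

def parse_hosts(text):
    """Yield (ip, hostname) pairs from hosts-file text, skipping comments and blanks."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop trailing comments
        if not line:
            continue
        fields = re.split(r"\s+", line)
        ip, names = fields[0], fields[1:]     # one IP, then any number of names
        for name in names:
            yield ip, name.lower()

def is_local(ip):
    """True for loopback (127.x, ::1) and unspecified (0.0.0.0, ::) addresses."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return addr.is_loopback or addr.is_unspecified

def find_hijacks(text, watched=WATCHED_DOMAINS):
    """Return (hostname, ip) for watched domains pinned to a non-local address."""
    findings = []
    for ip, name in parse_hosts(text):
        base = name[4:] if name.startswith("www.") else name   # treat www. as the same site
        if base in watched and not is_local(ip):
            findings.append((name, ip))
    return findings

if __name__ == "__main__":
    for name, ip in find_hijacks(SAMPLE_HOSTS):
        print(f"hosts file pins {name} to {ip}: possible phishing redirect")
```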

Something to note where the Hosts file hijack is concerned - they'll swipe your login details and potentially direct you to the following fake login, complete with SMS activation code:

[Image: Vkontakte SMS Message, originally uploaded by Paperghost]

Yes, they'll take your login and your money too. However, I want to wrap up with this particularly eye watering file:

[Image: Vkontakte SMS Lockout File, originally uploaded by Paperghost]

"Activate"? Whatever does it activate, I hear you cry? Well...


...ouch. It claims you're running an unlicensed version of Windows, and won't give you your desktop back until you cough up a random amount of cash via SMS.

All in all, a nasty collection of exploits and scammery - if you know anyone who uses Vkontakte, feel free to give them a heads up and avoid any random messages promising access to secret profiles / images / leprechauns.

Facebook Freezers

Today we came across an extremely slick tool designed purely to annoy and confound users of popular Social Networking sites such as Facebook. While it also allows the attacker to target other sites and services such as Youtube and Windows Live, it seems to cause the most problems on Facebook.

What is it?

A malicious program designed to repeatedly lock you out of your various accounts. In time honoured tradition, here it is on the desktop:

[Image: ffreeze1.jpg]

Ignoring the fact that it resembles a cartoonish piece of meat on a bone, let's fire it up:

[Image: ffreeze2.jpg]

As you can see, the Facebook logo sits in the middle, just above the "Freeze" button. Above the EMail field, you can see a dropdown box where the attacker selects their service of choice:

[Image: ffreeze3.jpg]

This particular version "only" has Facebook, Windows Live and YouTube but there are other versions out there which do much the same thing but target other Social Networking sites.

Once you've picked your poison (so to speak), you simply enter the EMail address or Username into the space provided and hit the "Freeze" button. But wait! For those who woke up in a particularly malicious mood, the program allows you to watch the demolition of your target's account in a sort of "realtime" mode, with the aid of an extremely slick built-in browser window. Simply hit the "Let me watch" button, and the browser extends out on the right hand side of the application:

[Image: ffreeze5.jpg]

Hit "Freeze", and as a meter at the bottom gives you a % score with regard to freezing completion, the view in the browser window alternates between the bottom two images - the first, the Facebook login screen:

[Image: ffreeze6.jpg]

...and the second, the page telling you your login combination is incorrect:

[Image: ffreeze7.jpg]

Once you hit 100%, this is what you see inside the application's browser window:

[Image: ffreeze8.jpg]

"You have exceeded the number of invalid login attempts that we allow for your account. If you have forgotten your password, reset your password here".


Whoops.

Now, I know what you're thinking. This is easily fixable, you just hit the "reset password" link and you're back in business. However - if your attacker decides to keep attacking you over a short period of time while you keep on resetting your password, eventually your mailbox will look like this...

[Image: ffreeze9.jpg]

...and not only will you be utterly sick to death of resetting your password, you'll be even more fed up when you get locked out one too many times and see this:

[Image: ffreeze10.jpg]

Yes, eventually you're even prevented from sending a password reset. Bizarrely, you're still given an option to hit a "reset password" button, even though it won't actually work for you anymore.

All you can do now is brave the wilds of the "Contact Us" page, and generally speaking, most people give up in despair and a flailing of arms when presented with such pages. If I'd been the victim of this kind of time wasting "fun", I'd probably be more inclined to simply start again from scratch.

I tried a little earlier on to see if I was now able to resend a password reset to the account used in the above screenshots...I was presented with an "Unconfirmed Account" message:

[Image: ffreeze12.jpg]

I can only assume they do this as an antispam precaution when your account is frozen out in this way. I'd be ready to give up and go home by this point.
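The Freezer works because a hard per-account lockout lets anyone who knows your e-mail address lock you out. As an added example that is not part of the original post or any site's real login code, here is one throttling design that cuts off the abusive source address and gives the account itself only a short, escalating delay, so a burst of wrong guesses costs the owner at most a minute's wait instead of a password-reset cycle. All thresholds, addresses and the simulated scenario are constructed.

```python
from collections import defaultdict

WINDOW_SECONDS = 600     # constructed policy values, not any real site's thresholds
SOURCE_BLOCK_AFTER = 10  # failures from one source address inside the window
ACCOUNT_SOFT_AFTER = 5   # failures on one account before delays start
ACCOUNT_BASE_DELAY = 2   # seconds, doubling per extra failure, capped below
ACCOUNT_MAX_DELAY = 60   # the most an account owner can ever be made to wait

class LoginThrottle:
    """Rate-limit failed logins without a hard per-account lockout."""
    def __init__(self):
        self.failures = defaultdict(list)   # ("src"|"acct", id) -> failure times
    def _recent(self, key, now):
        self.failures[key] = [t for t in self.failures[key] if now - t < WINDOW_SECONDS]
        return self.failures[key]
    def check(self, account, source, now):
        """Decide before the password is verified: (allowed, seconds_to_wait, reason)."""
        src = self._recent(("src", source), now)
        if len(src) >= SOURCE_BLOCK_AFTER:      # the abusive source is cut off
            return False, WINDOW_SECONDS - (now - src[0]), "source_blocked"
        acct = self._recent(("acct", account), now)
        extra = len(acct) - ACCOUNT_SOFT_AFTER
        if extra >= 0:                          # escalating but bounded delay
            delay = min(ACCOUNT_BASE_DELAY * 2 ** extra, ACCOUNT_MAX_DELAY)
            if now - acct[-1] < delay:
                return False, delay - (now - acct[-1]), "account_delay"
        return True, 0.0, "ok"
    def record_failure(self, account, source, now):
        self.failures[("src", source)].append(now)
        self.failures[("acct", account)].append(now)
    def record_success(self, account):
        self.failures.pop(("acct", account), None)   # a good login clears the delay

def simulate():
    # Constructed scenario: one source hammers an account, then the owner logs in.
    throttle, now, guesses = LoginThrottle(), 0.0, 0
    attacker, victim = "198.51.100.7", "victim@example.com"
    while True:
        allowed, wait, reason = throttle.check(victim, attacker, now)
        if reason == "source_blocked":
            break
        if not allowed:                         # attacker sits out the soft delay
            now += wait
            continue
        throttle.record_failure(victim, attacker, now)   # every guess is wrong
        guesses += 1
        now += 1
    now += 61                                   # owner arrives a minute after the burst
    owner_allowed, _, _ = throttle.check(victim, "192.0.2.10", now)
    return guesses, owner_allowed
```

In the simulated run the attacking address gets ten guesses before it is blocked for the rest of the window, and the owner, coming from a different address, is let in without a reset.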

In case you were wondering, it does much the same thing with YouTube:

[Image: ffreeze11.jpg]

However, doing this to a YouTube account doesn't quite cause as much aggravation as it does where Facebook is concerned - at no point during testing did YouTube lock down the account the same way Facebook did, although I can't assume there isn't an "upper limit" at which point YouTube also brings down the final curtain.

All in all, something a lot of rage fueled kids will likely be deploying over the coming months.

While it's a little tricky to prevent people from knowing your username on YouTube - because you want people to know who you are on there, right? - it seems a sensible precaution to be as secretive as possible where the EMail account used with Facebook is concerned...

Writeup: Chris Boyd, Director of Research
Additional Research: Chris Mannon, Senior Threat Researcher
There's been quite a bit of action on Facebook the last couple of days, and none of it good from the looks of things:

[Image: err1.jpg]
[Image: err2.jpg]
[Image: err3.jpg]

As you can see, there's been an application doing the rounds called "Error Check System" causing problems for lots of people.

A quick observation before going on - the name sounds an awful lot like those given to rogue security programs, doesn't it? When I heard about this, I was convinced it'd pop open a rogue antispyware cleaner once installed as an application. Anyway...on your notification panel, you'd see this:

[Image: err4.jpg]

A message that one of your friends "faced some errors" checking your profile. If you clicked "View the Errors", you'd be taken to an application installer page.

[Image: err5.jpg]

Once this was done, it would bombard your friends with invites to use the application.

Over....and over......and over again.

It seems Facebook has since killed the application off - it no longer exists (for the moment!) to install on your profile. Interestingly, the creators kept putting it back online under different Facebook application URLs until Facebook killed it off completely.

Besides incredibly annoying spam and some other potentially dubious (mis)uses of technology (many people report the app not showing up on the page where you'd remove applications, and others claim it installed without them hitting "Activate") it doesn't appear to have done anything too malicious.

However, Josh Lim covered this on his blog and I can't help but notice.....again.....well, check out this portion of his screenshot:


[Image: err0.jpg]

Ignoring the "Fake!" he pasted over the logo, how similar to rogue antispyware tool stock graphics is that? I'm pretty sure I've seen that exact graphic used on a rogue tool / advert before, but of course there's so many of them around it would take a little while to confirm. If anybody wants to play "match the graphic to the rogue" in the meantime, be my guest!

Even more curious, someone (as if by magic) has manipulated search results so that anyone searching for "Error Check System" in Google will see this as the top entry:

[Image: err00.jpg]

Click it, and you're taken to an extremely aggressive set of rogue antivirus download pages.

[Image: errrr.jpg]

So even though the "threat" of Error Check System on Facebook has fallen by the wayside (until they come back, of course), you'll need to be careful if you go looking for more information on this particular incident over the coming weeks...

Playfire Controversy

This is pretty bizarre. Here, we have a social networking site asking for pretty much every type of login you can imagine and getting a fair amount of criticism for it in the process. The way they go about it is somewhat peculiar, and though I don't think it was malicious on their part, it illustrates how what somebody thinks is a good idea can go horribly wrong very quickly.

The site in question is Playfire.com, a social networking site for people interested in videogames.

What were they doing? Well, it seemed messages were being sent to people on your XBox Live friends list, "reserving" a page for that username then presenting that individual with the below page:

[Image: pfire4.jpg]

Note that it asks for your XBox Live login. At that point, according to numerous complaints on forums, those friends would then receive a message on XBox Live that appeared to have come from you, recommending Playfire.

A Playfire employee has been busy posting to this blog post, and also this forum thread on the subject. From the last link:

"It looks like Microsoft's legal team has triumphed. According to Large Jaguar, Xbox.com Development Manager, "PlayFire is no longer collecting WLID credentials for people's Xbox LIVE accounts."

Again, I don't think there's anything malicious going on here - but it's a good example of how a few poorly chosen "features" can seriously damage your reputation.

When you're a new site, that's really the last thing you need...

Ka-Ching

I've written about cunningly placed adverts on Facebook application installer pages before, but this is getting to be a little.....excessive.

Here's what I saw when installing an image viewer, from the point where I started to install the app, during and once I'd finally made the application live on my page:


[Image: kac1.jpg]
[Image: kac2.jpg]
[Image: kac3.jpg]

As I said....excessive. Anyone thinking these boxes are part of the application installer will be taken to a familiar face:

[Image: kac4.jpg]

Yes, it's this thing again.

Facebook should really have strict policies on the kind of adverts allowed on installer pages (as a matter of fact, I don't think there should be any adverts allowed on these pages in the first place). It's way too easy to fool people.