Recently in Myspace Category

At InfoSec Europe 2009, I gave a talk about the problems companies will face as they move to services of a 2.0 nature. What follows are my Top Five Tips for tackling some of these issues - they seemed to go down quite well, so hopefully there's something in there you can make use of too.

TOP TIP ONE: Put someone in charge of Social Networking in the workplace.

I noticed as I was talking about sites such as Twitter, Yammer, Present.ly etc that nobody in the room of about 130 people had used (or in most cases even heard of) any of these websites.

My concern with this is that I can guarantee there's some degree of what I like to call Intellectual Property Spillage going on. In other words, random employees and marketing bods see these new sites, think it's a good idea to be on them and then before you know it, there are unofficial presences all over the place and it becomes difficult to control exactly what's going on.

When I spoke about this issue recently, a chap in the talk went off and came back to me half an hour later. He told me he was amazed to find something like five groups set up by staff on Facebook, a Youtube page and a Yammer account - all out there online, doing their own things.

I was pleased when a rep from a major music company approached me after the InfoSec talk and told me his company specifically employs someone to go around all the 2.0 sites registering "official" presences on these sites and keeping an eye on the oddball accounts.

Works for them...

TOP TIP TWO: Enforce a set of rules with regards what NOT to put on sites like Yammer

Yammer is basically Twitter for business users. Anyone from a company can set up a "private" Yammer account for the group, and then invite other employees to start posting about what they're working on.

The problem here is that many companies rush to join services like Yammer, post up a whole bunch of information that could be somewhat sensitive and then abandon the account. The following screenshot says it all:

[Screenshot: yamm1.jpg]

As you can see, the last post was four months ago, with all that company specific information just sitting around, doing nothing. In addition, Yammer profiles want users to fill in a ludicrous amount of personal information. Full name, title, start date, significant other, kids' names, birthday, interests, work / mobile phone, previous employers & start dates...and that's only a portion of the data requested. It's a social engineer's dream, assuming they can trick a Yammer user into handing over their login OR pull off a successful phishing attack.

Even better, you can view the company user list and see who has the most followers - assuming the most followed people are likely to be the most relevant / important people there, you're painting a huge bullseye on the "Staff who most need to be stalked".

My advice? If you have someone keeping an eye out for 2.0 sites / groups related to your company, ensure services such as Yammer are top of the list...and think carefully about posting sensitive company information. It'll only take one solitary phish to cause a lot of problems.

TOP TIP THREE: Keep real world friends & work associates OUT of your top 10 friends on Myspace

Yeah, Myspace is somewhat looked down upon by all the cool kids but whatever. There's still a lot of early adopters out there who use it successfully for networking, and it's still a powerful marketing tool for certain types of product / company / dreadful Emo bands.

Myspace is also notorious for troll groups and general idiocy. A typical pastime for trolls is to find out personal information, then cause trouble in the real world. Hassling people at their place of work is always great fun for them, or if that should fail, causing trouble for friends / work colleagues.

They do this by seeing who sits in your "Top five / ten / whatever" list of friends, on the basis that most people will (naturally enough) place their real world friends / workmates in that top position.

You know what I'm going to suggest, don't you? Take all your real world contacts and place them OUTSIDE the Top Ten Friends list. Put all those random people you accumulate - the bands, random additions, people you talk to on a forum once every blue moon - in the top spot. When the bad guys go trawling for information they can use against you, they're not going to get very far when they're wasting all their time conversing with German rock guitarists and spambots.

TOP TIP FOUR: Avoid the "Life story on Linkedin" approach

Yes, Linkedin is a useful way to make business contacts, see who is going to relevant events and so on. However - when I was at InfoSec, I was taken by how many people basically treat it as a posh version of Facebook, competing with people they know to see who can get the most "friends".

This is a TERRIBLE idea. Consider this - Linkedin works by constantly, endlessly nagging you to fill things in, complete this, flesh that out to hit utterly meaningless "targets".

[Screenshot: lkdin2.jpg]

Think about the amount of personal and business related information you're adding to your Linkedin page. Consider that it's likely to be similar to the kind of data you're putting onto the more private Yammer account that only your workmates can see, only HERE you're making it viewable to all those random additions to your contact list.

Is that really a good idea? It's not hard for a social engineer to create a fake profile on Linkedin and go roaming - especially while people seem to be treating it as a popularity contest...

TOP TIP FIVE: Delete old Twitter messages (the "five a day" rule)

If you want to build up a picture of a potential target, Twitter is the place to hang out. It's random, it's stream of consciousness, and no matter how hard they try, even a person who carefully considers what they post is going to leak some personal data they'd rather not share.

It doesn't have to be anything spectacular; it's just an endless series of useful nuggets that someone, somewhere can use to build up a picture of you and do bad things. It's surprisingly easy to work out where someone lives (for example) when they're doing something as basic as posting region specific pictures of buses in their area on twitpic.

To some people this isn't a big deal; others who want to keep their location more anonymous than most probably didn't stop to think that something as basic as posting up a picture of a bus could reveal where they are.

In the same way, now so many people use Twitter for business related things it's easy to imagine that over time someone might have posted things that could be used to flesh out a target. Want to go dumpster diving? Well, what time does the only guy in his office go on his coffee break at? Oh look, according to Twitter he goes every day at 10:30AM, and we know he's the only person in there because he says he locks up...

Anyway, my advice is this - if your business world crosses over into your Twitter posts in some prominent way, you might want to consider deleting all but your five most recent Twitter posts. Do you really need them all lying around, waiting to potentially cause problems further down the line?

That concludes my "Top Five Tips". You might not agree with all of them (and feel free to share your own!), but hopefully there's enough in there to give some pause for thought the next time a 2.0 site is begging you to fill it up with an endless stream of information.

As mentioned in this post, this is a program we originally came across way back in July 2008 via a tipoff from an anonymous source. At first, we were a little puzzled as to its purpose and our anonymous source vanished into the ether so no additional information was forthcoming.

All we knew was that it allowed us to browse nothing but Myspace. Specifically, Myspace Groups. When the browser was opened up on the desktop, it would automatically take you to a random Myspace group with no way to enter a different URL, and the display simply showed "previous URL" and "Group ID" in the middle, with a collection of buttons to the left.

"Previous", "Next", "Topics" and "Lottery".

Here is the "Lottery Browser" in action. Note that the browser in its default :

[Screenshot: fullbrowser.gif]

After a little playing around, we noticed that continually hitting the "Lottery" button would (naturally enough) take you to a different group. Depending on how the groups were set up, some were openly accessible, and some displayed "This is a private group".

However, it's the private groups that were of interest where this browser tool was concerned.

If you hit the "Topics" button and the group had no content in it, you'd see the following popup:

[Screenshot: notopics.jpg]

If you came across a private group that had posts in it and hit "Topics", this is what you'd see instead:

[Screenshot: lott3.gif]

All of your private topics are belong to us.

Now, I should stress - in testing, this browser rarely worked. More often than not, it would crash, hang, set the monitor on fire and burn down the house, those kinds of things. However, the potential for data theft (depending on the foolish things people post in "secret" groups), information harvesting, harassment and plain old creepy voyeurism was still a risk where this "Lottery Browser" was concerned.

We don't know where it came from, and it seemed to die a death shortly afterwards. I'd have thought something like this would have spread like wildfire on the underground circuit, but it vanished almost as quickly as our mysterious tipster.

I suppose we should be thankful...

For a long time, I've been fascinated by what I like to call the "Rogue web browser" - a web browser that abuses the trust we place in our gateway to the web, and subverts its use for something more sinister. Here's a brief potted history of the known examples:

Yapbrowser, April 2006: A web browser that didn't force install, asked permission and displayed a EULA. Unfortunately, it also took you to a webpage pushing hardcore child pornography when you typed in any address into the web-browser.

Safety Browser, May 2006: A web browser that installed without permission via IM, looped a soundfile on your desktop, served you ads via geolocational technology and made your PC more unsafe than it was previously by allowing popups by default.

Browsezilla, June 2006: Allegedly inflated the hitcount of pornographic websites by opening up those pages in a way that the end user couldn't see the pages being opened, linked to sites launching the WMF exploit.

NetBrowserPro, March 2007: Pushed fake media codecs, installed a rootkit, preyed on trusted brands.

Well, it's been a while but later on we'll be covering another addition to the list. We actually came across this last July, but as we said here, we didn't go into specifics because

1) We wanted to give Myspace some time to address the problem, which they seem to have done.

2) We didn't want lots of crazy people to go hunting for the program being used, given that Myspace sometimes takes a little while to tackle security issues brought to their attention and

3) Nothing tried to exploit your PC or steal your data, or we'd have released more information sooner. The solution to the problem caused by the program was simply to not post any personal or potentially "sensitive" information to private Myspace groups - if you weren't doing that (and you shouldn't be anyway!) then you had nothing to worry about.

4) The program itself was rather buggy, and had an extremely low rate of success. After exhaustive testing, we only saw it do what it was supposed to do twice. No sense in causing a panic.

At any rate, it's been eight months and the program doesn't appear to work at all now. With that in mind, we'll take a peek a little later on...

This arrived in my mailbox a few days ago:

[Screenshot: par1.jpg]

The EMail reads:

"This is a message from add me on msn, paris84fun@hotmail.com:
 
 add me on msn, xxx@xxxxxxxx.com thought you might enjoy checking out this blog on MySpace.com! You don't have to join MySpace.com to view the blog. Just use the link below.

[url removed]

Interesting - we have people setting up fake accounts on Myspace, sending out "check out my blog" messages to spam lists and then....

[Screenshot: par2.jpg]

[Screenshot: par3.jpg]

Pimping their spambots via phoney blog entries.

Shall we see what happens next?

[Screenshot: janeh1.gif]

As you can see, it's a standard bot script that's been around since time began.

Almost had me fooled for a moment there, too...

Bands on Myspace have been targets of hackers, scammers and phishers for quite some time - grab the account of a popular artist or twelve, and all Hell can break loose. I was surprised to see this when doing a few searches on Myspace earlier today:

[Screenshot: oasis.gif]

As you can see, the "official" band profile is surrounded by a striking red border (no, we didn't add that ourselves) and it says "Myspace Verified - Official Artist" at the top. This is a great way to cut down on the possibility of scammers impersonating legit acts. Not sure how long this feature has been in place, but a good idea methinks...

A contact of mine passed this URL over to me - it was posted to the Myspace page of his friend a while ago, and he thought there might be something a little odd about it. The site is called

friends-to-friends-only.com

When you arrive on the page, you'll see this:

[Screenshot: Snap1.jpg]

The text reads "Our system indicates that a pic from your IP address has been uploaded to this site within the past 48 hours". In addition, an incredibly creepy MP3 recording says the same message out loud. Note the blurred out images in the background, too - all in all, it's a remarkably freaky and somewhat worrying thing to see upon arrival. At the top of the page (not in the screenshot), it says:

"Privacy Note: We never send SPAM to your email address. We never sell your personal info.
This is NOT a MySpace or Facebook login page. MySpace/Facebook users are not authorized to participate on this website."

That's a strange thing to say, isn't it?

Click "Ok", and...

[Screenshot: Snap2.jpg]

Already, you're being asked for the name of your friend, and your full name complete with an email address. At this point, you'd have absolutely no idea what was going on here. There's a definite sense of them wanting to make sure everything you do is correct - hover over the input boxes, and a popup appears that says "It is very important that you type your email address accurately so that we can match our records correctly".

At this point, most users would probably be wary of Phishing or some form of EMail harvesting.

The next box makes things even more alarming:

[Screenshot: Snap4.jpg]

"You may use current password"? This begs the question - what current password? You've never been to this site before, and you don't have one. But wind back a little bit, and remember that you've already handed over an EMail address on the previous question. As this link was appearing on Myspace pages, it's a good bet that a portion of users will have entered the EMail address used for their Myspace account.

Cynics would argue those same users might think they're supposed to use their Myspace password above, thus handing complete strangers their Myspace login. Yes, the site says "Myspace users not allowed", but this seems somewhat redundant - if this link appears on a Myspace profile and that user visits, they're certainly not going to leave the site after being panicked into thinking the site has mysterious pictures of them being stored on it.

And who could blame them?

Either way, hit Submit and you're presented with an alert that says they need to know how you found this site. The text reads:

"Most people are sent a link to this site on their GMail, Hotmail, Yahoo, Google or Facebook account". It then lists said services, along with a few others underneath. Most of the links lead to the same URL, but click the "I got here from Myspace" link, and you're presented with the following:

[Screenshot: Snap7.jpg]

There's no other explanation given, but it seems somewhat peculiar that Myspace have taken the step of trying to remove all association from whatever this website is offering. Select one of the other options, and you'll be hit over the head with a popup that says

"FINAL STEP: Our system indicated that your friend recently bookmarked and reserved this page just for you!"

All nonsense, of course. But jump through some more hoops anyway, and...

[Screenshot: Snap9.jpg]

...are we there yet? The end result of all this is......

[Screenshot: Snap10.jpg]

....the worst attempt at humour I've seen in a long time. Needlessly worrying people with a load of fictitious nonsense about "pictures", confusing and pointless prompts that could theoretically cause people to hand over Myspace login information at different stages of the process......not a great combination. And we're not done yet. Click away from the picture above, and you're presented with a highly detailed "What Next" guide:

[Screenshot: Snap11.jpg]

It's the next bit that really cracks me up, though:

[Screenshot: Snap12.jpg]

I don't know about you, but I'm not sure I'd want my users to visit a site like this anyway. It might be entirely harmless - and to be fair, the EMail address I created just to use on this website has never been sent a single spam mail - but the package taken as a whole makes me distinctly uncomfortable.

There are also a lot of alternate URLs leading to the same site - one brave soul has done a lot of digging on this, and come away with a jackpot of web addresses. They're also quite adamant on the notion that this whole thing is a Phishing scam - while I'd like to take a more "wait and see" approach where that's concerned, I'd personally advise anyone reading this not to use this particular website, regardless of the URL used to get there initially.

Hmm, something doesn't look right about this person on a random friend list I came across today:

[Screenshot: fred1.jpg]

Why hello there, "Freddy". Should you visit the profile, Freddy seemingly has a rapid identity change:

[Screenshot: fred2.jpg]

This is (of course) a fake graphic placed on top of a real profile (in this case, a "Comedy" profile). Note that they haven't aligned it very well, though they do score bonus points for ensuring that both "Angelina" and every single fake person in their contact list are showing as "Online now". Click the image, and you're taken to (surprise, surprise) a dating website:

[Screenshot: fred3.jpg]

There was a time when I would stumble across these overlaid profiles every other day (not to mention the endless friend requests from Bots promoting similar websites), but the friend requests have long since dried up and I hardly ever see these kinds of profiles anymore.

That's not to say they're not out there anymore, but it would be nice to think Myspace have cracked down on these in recent months...

Myspace Drive By

Spotted in the wild (like they're spotted anywhere else!)

Apparently the following happened while someone tried to view a blog post:

[Screenshot: msdb1.jpg]

A fake "your system may be infected" popup. Note the site it launches from is one of the more aggressive types (it shrinks your browser down into the bottom corner, and won't let you do anything other than cycle in an endless loop of popups until you agree to download the file being pushed).

These kinds of attacks occur because rogue adverts are being pushed into advertising space, which is likely what happened here. If you are unfortunate enough to be trapped by an attack like this, don't panic - just do a CTRL+ALT+DEL and close the browser window...

In the last few days, we've discovered a program that attempts to get around certain privacy related features on Myspace groups (which are effectively mini-forums run by Myspace users). Note that the program doesn't attempt to do anything to individual end-users like infect their PC - and as long as you're not posting up personal / private information to Myspace groups that you don't want to risk being grabbed by nefarious individuals, you have nothing to worry about. (As a general rule of thumb, you shouldn't post sensitive information to any third-party website in any case, but that's another story).

We're not posting up any additional information at this time, because we don't want to cause a mass stampede by people to grab the files in question and start using them left, right and center until Myspace has had a chance to tackle the problem.

For now, we've passed on everything to Myspace and hopefully they'll be able to resolve this speedily.

Interesting article over at PCWorld:

One of the first social networking upstarts, MySpace, is facing continuing security problems that threaten to spoil many of the innovative features that make the site useful.

Hackers, spammers and Internet malcontents have turned many of the "group" sites, which are dedicated to interests such as home beer brewing, animal welfare and gay rights issues, into cyber-graffiti walls, filled with offensive comments and photographs.


Link here.


About this Archive

This page is an archive of recent entries in the Myspace category.
