SpywareGuide powered by FaceTime Security Labs

The SpywareGuide Greynets Blog


May 05, 2008

  • It's A Trap!

I had this waiting for me in my Myspace friend request box today:

zoespace1.jpg

...uh. I had pegged this as a standard fake profile, but the addition of the personalised "Why, hello there" message wasn't something I'd seen before with one of these fake profile requests. A look at the profile, and...

http://blog.spywareguide.com/upload/2008/05/zoespace6-thumb.JPG

.....strange - not the usual fake profile hurling adverts for ringtones, Adware and who-knows-what at me. It's a bit arty, a bit daring - certainly in your face, but for once, it's not adverts and scams in your face, and that's a refreshing change. Could it all go wrong with the "About Me" text though?

zoespace3.jpg

Apparently not. There's no mention of the latest Viagra pills or even a webcam. This is weird. It's almost too good to be true.

Almost.

Click anywhere on the page and, courtesy of an invisible overlay (a transparent, page-sized clickable element sitting on top of the real profile, so every click lands on the spammer's link rather than on whatever you thought you were clicking)....

http://blog.spywareguide.com/upload/2008/05/zoespace5-thumb.jpg

Doh! And we were doing so well for a while there...

April 30, 2008

  • Myspace: Who Is Watching the Detectives Part 3

April 1st, 2008: Who Is Watching the Detectives?

After notifying Myspace of the issue, we wrote about an interesting "system error" (as Myspace called it) that let profile owners find out which Myspace users had visited their page.

April 16th, 2008: Who Is Watching the Detectives Part 2

This still hasn't been fixed, and (worse still) it looks like this has been in circulation since at least October 2007. Hurry up, Myspace...

April 30th, 2008: It looks like this has finally been fixed, and it's no longer possible to auto-subscribe visitors to your video channel. Hooray! Score one for the good guys - that's one less tool hackers, Myspace trolls and crapflooders can use to game the system.

One down, plenty to go....

April 16, 2008

  • Myspace: Who Is Watching The Detectives Part 2

A few weeks ago, I wrote about a technique that could be used to track the people hunting bad guys on Myspace. Well, I was curious how long this had been in circulation for. Thankfully, some of the people using this are pretty stupid, so wandering through their photo galleries proved particularly useful:

newcde1111.jpg

Check out the date - October 26th, 2007. So this has been in circulation since at least that date....oh dear. Note that this particular individual talks about using it in conjunction with IP trackers, too. I've been somewhat out of the loop on this one due to attending conferences, but I've just tried it out again and can confirm that it still works.

As we said in the original blog entry, if you don't want people to track you in this way (until Myspace actually fix this), add the following line to your HOSTS file (on Windows, %SystemRoot%\System32\drivers\etc\hosts). A HOSTS entry needs an address in front of the hostname; pointing the video host at your own machine means the hidden subscription request never reaches Myspace:

127.0.0.1 vids.myspace.com

...and you should be fine. The trade-off is that anything else served from that host (the Myspace video pages, for one) stops working while the entry is in place.

April 01, 2008

  • Myspace: Who Is Watching The Detectives?

It's well known that law enforcement, security researchers and groups that track down / remove pedophiles, trolls and crapflooders from Myspace spend a lot of time networking, watching profiles, tracking dubious individuals through their postings, friends lists and other things too numerous to mention.

It's a tricky business, and can potentially place people like myself at great risk of being found out, exposed or raked over the coals if one of these bad guys works out you've been trailing them for the past three months.

What happens, though, when the bad guys have a method to know exactly who is watching them? And what are the consequences?

Well, ponder no more, because they're already doing it. Someone, somewhere has come up with a method to track people using Myspace itself - if you visit that person's profile, they will know who you are and be able to take (in)appropriate action. This method is already in use amongst Myspace trolls, and has been seen pasted to at least one hacking forum. You can bet this is doing the rounds on the underground circuit.

How do they do this?

By placing a few lines of code on their profile (note that we're not disclosing any details of the code yet, as Myspace are still fixing this and we don't want to help more people use it than already are). When you visit that profile, you are automatically subscribed to that person's video channel.

Simple, sneaky, effective. To the regular user, this isn't too much of an issue - people can paste in coded "trackers" onto Myspace pages that attempt to log IP Addresses, browser type, country etc. "All" this does is tell the bad guy which Myspace users have visited their page.

However, this isn't so good for anyone hunting down hackers, pedophiles and other dubious characters because

a) they will know if, say, Paperghost has suddenly started poking around their profile and
b) pedophiles and other predators will spot "Officer Jackson" popping up on their subscriber list and likely go underground or vanish altogether.

Worse, the code doesn't have to live on Myspace at all - a hacker could place it on their Blogspot blog, on a forum, or anywhere else for that matter - and if someone visits that page while logged into their Myspace account, they will still potentially end up on the hacker's subscriber list. In other words, it's a cross-site request forgery: the visitor's own browser, carrying their Myspace login cookie, is what makes the subscription request.

How does it work?

Well, here is a shot of my friend looking for me on Myspace:

msvids1.gif

Naturally enough, they find me:

http://blog.spywareguide.com/upload/2008/04/msvids2-thumb.gif

They click on the top link, and visit my page.

http://blog.spywareguide.com/upload/2008/04/msvids3-thumb.gif

However, if they now go and check their video channel subscriptions, they'll find they've automatically been subscribed to my video channel.

http://blog.spywareguide.com/upload/2008/04/msvids4-thumb.gif

At this point, it's time to let my friend logout and log back in as myself. If we now look at a screenshot (which I took myself while logged in), you can see I have a new subscriber - the person that just visited my profile (bottom left):

http://blog.spywareguide.com/upload/2008/04/msvids5-thumb.gif

As time goes by and more people visit my profile, they'll all find themselves automatically added to my subscriber list:

http://blog.spywareguide.com/upload/2008/04/msvids6-thumb.gif

In this way, you will have a record of every single Myspace user that has visited your profile page.

How can you combat this?

Well, it's surprisingly easy to get around this scam (which Myspace are working to fix, by the way - we notified them of this on Sunday, and I know at least one other individual has apparently reported this too). If you're a regular Myspace user, you may not be too bothered by being subscribed to some random person's video channel. If it bugs you, simply go to

http://vids.myspace.com/index.cfm?fuseaction=vids.myvideos

Then click "My Subscriptions", and under the "Subscriptions by User" category it'll show a list of every person who you are currently subscribed to. Click their Username, then hit "Unsubscribe".

Job done.

If you happen to be in Law Enforcement, Security Research (or happen to be anyone that doesn't particularly want to be tracked in this way, for that matter), simply add the line below to your HOSTS file. The address in front of the hostname is required; it sends every request for that host to your own machine instead of to Myspace:

127.0.0.1 vids.myspace.com

And all subscription attempts should fail miserably (along with anything else that host serves, until you remove the line again).

The last contact I had with Myspace was last night, and they said

"Hello,
We are working to fix this error. We do not have a reliable estimate at this time.

Thank you,
MySpace.com"

Hopefully, they will fix this quickly. The damage is already done, and bad people are using this to full effect. The issue here is that the only people who seemingly didn't know about it were the good guys - the ones most at risk from this code. The only way to mitigate the risk to people hunting the bad guys is to provide a simple (yet entirely effective) antidote to this latest wave of dubious behaviour, which we've provided for you above.

Take my advice and use it until Myspace can confirm this is entirely locked down.

March 20, 2008

  • Myspace Shutdown Prank

Myspace hacking tools are a magnet for wannabe script kiddies and leet hax0rs. Here's the latest one I've seen in the last couple of days:

fmshk1.gif

....ooooh. But wait, it gets better:

fmshk3.gif

I've no idea who "Paul & Nick" are, but they'll probably attract a fair amount of people to this application (that weighs in at a tiny 24kb in size) before they realise it's a fake. Enter the Myspace page that you want to target (or leave it blank!), hit the "Hack" button and....

fakeshutdown1.gif

Whoops. Thanks to an embedded string (shown here as it appears in a strings dump, with what looks like its file offset and virtual address in front of it) that says:

00002A24 00402A24 0 shutdown -f -s -t 0

...the PC (as you probably already guessed) does indeed shut down. The switches spell it out: -s shuts the machine down, -f forces running applications to close without prompting to save, and -t 0 sets the delay to zero seconds, so there is no warning and no chance to cancel.

http://blog.spywareguide.com/upload/2008/03/fakeshutdown2-thumb.gif

No lasting harm is done to any PC that the file is run on. We detect this as Myspace.Shutdown.
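Pulling the strings out of a binary before anyone runs it is exactly how you catch a joke tool like this. The script below is an added example written for this page (not FaceTime's detection logic and not the tool's own code): it extracts both plain ASCII and UTF-16LE strings, which is how Windows programs usually store text, and flags any that spell a destructive command line. SAMPLE_BINARY is a constructed blob (a fake DOS stub plus a few strings), not the real Myspace.Shutdown file, and RULES is an assumed starter list you would grow over time.

```python
"""Pull printable strings out of a suspicious "hack tool" and flag destructive
command lines before anyone double-clicks it.

Added example for this page, not FaceTime's detection logic and not the tool's
own code. SAMPLE_BINARY is a constructed blob (a fake DOS stub and a few
strings), not the real Myspace.Shutdown file; RULES is an assumed starter list.
"""
import re

MIN_LEN = 4
ASCII_RUN = re.compile(rb"[\x20-\x7e]{%d,}" % MIN_LEN)
# Windows binaries often keep text as UTF-16LE: printable bytes interleaved with NULs.
WIDE_RUN = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % MIN_LEN)

RULES = [
    ("forced-shutdown", re.compile(r"\bshutdown\b.*\s-[sr]\b", re.I)),
    ("mass-delete", re.compile(r"\b(?:del|erase)\b.*\s/[fq]\b|\brd\b.*\s/s\b", re.I)),
    ("disk-format", re.compile(r"\bformat\s+[a-z]:", re.I)),
    ("registry-tamper", re.compile(r"\breg(?:\.exe)?\s+(?:add|delete)\b", re.I)),
]


def extract_strings(blob):
    """(offset, encoding, text) for every ASCII and UTF-16LE run, sorted by offset."""
    found = [(m.start(), "ascii", m.group().decode("ascii"))
             for m in ASCII_RUN.finditer(blob)]
    found += [(m.start(), "utf-16-le", m.group().decode("utf-16-le"))
              for m in WIDE_RUN.finditer(blob)]
    return sorted(found)


def triage(blob):
    """Strings matching a destructive-command rule, with where they sit in the file."""
    hits = []
    for offset, encoding, text in extract_strings(blob):
        for name, pattern in RULES:
            if pattern.search(text):
                hits.append({"offset": offset, "encoding": encoding,
                             "string": text, "rule": name})
                break
    return hits


# Constructed test data, not a real executable.
SAMPLE_BINARY = (
    b"MZ\x90\x00\x03\x00\x00\x00" + b"\x00" * 24
    + b"This program cannot be run in DOS mode.\r\n$\x00" + b"\x00" * 16
    + b"Myspace Hack Tool v1.0\x00" + b"\x00" * 8
    + b"shutdown -f -s -t 0\x00" + b"\x00" * 8
    + "cmd.exe /c del /f /q C:\\*.*".encode("utf-16-le") + b"\x00\x00"
)

if __name__ == "__main__":
    import sys
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_BINARY
    for hit in triage(data):
        print(f"0x{hit['offset']:08X} {hit['encoding']:9} {hit['rule']:16} {hit['string']}")
```

Run it with a file path to triage a real download; with no argument it runs over the constructed sample and reports the ASCII shutdown string and the UTF-16LE delete command. A hit here is a reason to look closer, not a verdict: the string could sit in an unused resource, and a tool that builds its command line at runtime will not show up at all.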

Research Summary Write-Up: Chris Boyd, Director of Malware Research
Additional Research: Peter Jayaraj, FSL Senior Threat Researcher

March 05, 2008

  • Myspace Spam Profiles With Multiple Identities

Here's an interesting twist on the usual fake profile invites I regularly receive on Myspace.

fcprofs1.gif

Normally, you click the link and are taken to a standard fake profile advertising webcams or something of a similar nature. If you refresh the page, you'll see the same content - just like a regular Myspace profile. Well, in this case the code used by the bad guys means the page is no longer static. Refreshing the spam profile will endlessly cycle through a whole raft of fake overlays and images:

http://blog.spywareguide.com/upload/2008/03/fcprofs2-thumb.gif
http://blog.spywareguide.com/upload/2008/03/fcprofs3-thumb.gif
http://blog.spywareguide.com/upload/2008/03/fcprofs4-thumb.gif
http://blog.spywareguide.com/upload/2008/03/fcprofs5-thumb.gif

All of the above pop up on the profile link I was sent (you can see the URL remains the same in each screenshot).

How do they do it? Well, they're overlaying the profile page with a large clickable image, a common tactic that was used in the Myspace band hacks from a while ago. Here's the code:

fcprofs6.gif

In other words, a randomly chosen image (each one made to look like a Myspace profile) is served from this fixed URL, which is why refreshing the page cycles through different overlays:

free-hotwebcam(dot)com/Images/00110/KKD90g4aKKXNSTKhUvj04RO7WQDhw(dot)jpg

And clicking it will take you here:

snurl(dot)com/20h89-holo

Which redirects you to

privaterooms(dot)biz/t-main027(dot)html

...before finally leaving the end-user at the eventual destination of teen(dot)livecamfun(dot)com. The curious thing is, why would you bother to make your spam profile pages dynamic in this way? Once you've seen one, you leave it and don't go back. I can't imagine someone revisiting the page simply because the images keep changing...
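The overlay trick in this post and the invisible one in "It's A Trap!" above both come down to the same thing: an element positioned over the whole page with a link on it. Below is an added example (mine, not SpywareGuide's, Myspace's or the spammers' code) of a small scanner that pulls that pattern out of a saved profile's HTML. SAMPLE_PROFILE is constructed to mimic the markup described in the two posts (a positioned link carrying a big profile-lookalike image, and an invisible stretched link); the hostnames are placeholders and the size thresholds are assumptions.

```python
"""Find full-page clickable overlays in Myspace-style profile HTML.

Added example written for this page; not SpywareGuide's, Myspace's or the
spammers' code. SAMPLE_PROFILE is constructed; hostnames are placeholders and
the size thresholds are assumptions.
"""
import re
from html.parser import HTMLParser

MIN_WIDTH = 700      # assumption: at least this big (or 100%) counts as page-sized
MIN_HEIGHT = 700
CORNER_SLACK = 10    # px from the top-left corner still counts as "at the corner"


def parse_style(style):
    """'position:absolute; top:0px' -> {'position': 'absolute', 'top': '0px'}."""
    out = {}
    for decl in (style or "").split(";"):
        if ":" in decl:
            key, value = decl.split(":", 1)
            out[key.strip().lower()] = value.strip().lower()
    return out


def px(value):
    """Pixel length as a float; None for missing or non-pixel values ('100%')."""
    if value is None:
        return None
    match = re.fullmatch(r"(-?\d+(?:\.\d+)?)(?:px)?", value.strip())
    return float(match.group(1)) if match else None


def is_invisible(style):
    """Zero opacity, in modern or old-IE syntax, makes the element a trap."""
    return (px(style.get("opacity")) == 0.0
            or "opacity=0" in style.get("filter", "").replace(" ", ""))


class OverlayFinder(HTMLParser):
    """Collects positioned, page-sized, clickable elements and their targets."""

    def __init__(self):
        super().__init__()
        self.findings = []
        self._anchor = None      # (href, style) of the innermost open <a>

    def handle_starttag(self, tag, attrs):
        attrs = {name: (value or "") for name, value in attrs}
        style = parse_style(attrs.get("style"))
        if tag == "a":
            self._anchor = (attrs.get("href"), style)
        if tag in ("a", "img", "div"):
            self._check(tag, attrs, style)

    def handle_endtag(self, tag):
        if tag == "a":
            self._anchor = None

    def _check(self, tag, attrs, style):
        # An <img> or <div> inherits "positioned" and the link target from its <a>.
        enclosing = self._anchor[1] if (self._anchor and tag != "a") else {}
        positioned = (style.get("position") in ("absolute", "fixed")
                      or enclosing.get("position") in ("absolute", "fixed"))
        if not positioned:
            return
        # Missing top/left leaves the element at its static (top-of-page) spot.
        offsets = (px(style.get("top")), px(style.get("left")))
        near_corner = all(v is None or abs(v) <= CORNER_SLACK for v in offsets)

        def covers(axis, minimum):
            # Inline CSS first, then the width=/height= attributes used on <img>.
            declared = style.get(axis) or attrs.get(axis)
            if not declared:
                return False
            if declared.strip() == "100%":
                return True
            length = px(declared)
            return length is not None and length >= minimum

        if near_corner and covers("width", MIN_WIDTH) and covers("height", MIN_HEIGHT):
            href = attrs.get("href") if tag == "a" else (self._anchor[0] if self._anchor else None)
            self.findings.append({"tag": tag, "href": href,
                                  "invisible": is_invisible(style) or is_invisible(enclosing)})


def find_overlays(html):
    """Return one dict per overlay element found, in document order."""
    finder = OverlayFinder()
    finder.feed(html)
    finder.close()
    return finder.findings


# Constructed sample, not a real profile: legitimate content, the two overlay
# variants from the posts, then ordinary elements that must not be flagged.
SAMPLE_PROFILE = """
<div id="profile"><h1>Zoe</h1><p>Art, photography, the usual.</p></div>
<a href="http://redirector.example/20h89-holo"
   style="position:absolute; top:0px; left:0px; z-index:9999">
  <img src="http://images.example/Images/00110/profile.jpg" width="1000" height="2400" border="0">
</a>
<a href="http://landing.example/t-main027.html"
   style="position:absolute;top:0;left:0;width:100%;height:3000px;opacity:0;filter:alpha(opacity=0)"></a>
<a href="http://myspace.example/friend">Add to friends</a>
<img src="banner.jpg" width="468" height="60">
"""

if __name__ == "__main__":
    for hit in find_overlays(SAMPLE_PROFILE):
        print(hit)
```

Feed it the saved HTML of a suspect profile: anything positioned absolute or fixed near the corner, page-sized and clickable is reported with the link it would send you to, and flagged as invisible when its opacity is zero. A miss is not a clean bill of health; real spam markup varies (sizes set in a stylesheet rather than inline, overlays built from several tiles), so treat the scanner as a first filter and look at the page yourself.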

February 08, 2008

  • Lab Conversation: Myspace Hack Pack

[7:10:30 AM] Paperghost says: Hey, did you get a chance to look at that thing I found yesterday?

[7:10:39 AM] Peter Jayaraj says: Yep, it's an interesting collection of applications...let me explain
[7:13:50 AM] Peter Jayaraj says: The List Master - this is used to break up the Emails...
[7:14:05 AM] Peter Jayaraj says: if you have 10,000 emails to crack.. you can split up 5K at a time..
[7:14:16 AM] Peter Jayaraj says: you can extract email Ids based on keyword.

[7:14:31 AM] Paperghost says: Nice. Fill me in on the other ones

[7:15:22 AM] Peter Jayaraj says: List Processor - this is used to clear blank lines in the file.

[7:16:45 AM] Peter Jayaraj says: Myspacefriendfinder is used to find friends on Myspace using keywords.

[7:18:07 AM] Peter Jayaraj says: "OnceIsEnough" is used to remove the duplicates.

[7:18:16 AM] Paperghost says: And at that point, you roll out Myspace Demon and go crack some Myspace accounts?

[7:18:32 AM] Peter Jayaraj says: Yep

[7:19:19 AM] Peter Jayaraj says: So all these apps can be used together effectively.

[7:19:35 AM] Paperghost says: Very effectively, from the looks of it...!

February 06, 2008

  • Random Observation On A Myspace Phish Drop

It's really not a great idea to fill up Phish pages with fake data, but I couldn't help laugh when I saw this missive at the bottom of one particular password drop:

myspacephishmessage.jpg

February 04, 2008

  • Myspace Advert Tricks End-Users With Fake Facebook Application

Here's an interesting advert I saw served up on a random Myspace page today:

myspacefacebookad1.jpg

We're looking at the box that says "You've got a Crush: You have 2 crush requests from your friends list!!"

Does the image beneath the text look familiar? It should, because it's the graphic used when installing applications on Facebook:

myspacefacebookad0.jpg

Of course, there's no application to install here - click the box, and you're redirected to a site pushing mobile phone messages (£2 a message, four messages a week) that supposedly tell you who has a crush on you:

http://blog.spywareguide.com/upload/2008/02/myspacefacebookad2-thumb.jpg

It's also interesting that the creator of the advert chose to reference the recent Secret Crush application in their chosen image - don't they think anybody will immediately make that connection and steer clear?

I haven't seen this advert on any site other than Myspace so far. It's rather strange to see dubious ads on Myspace using well known Facebook images (namely, the graphic for installing applications) to gain the trust of end-users...

January 23, 2008

  • Myspace Fake Profile Spammers: This Is How They Do It

A few weeks ago, we covered Spammers running riot on Myspace pushing ringtones and dating profiles. Have you ever wondered how Spammers go about their daily business? If so, you're in luck because it seems likely that we've pieced together the tools (and domains) used for this very wave of fake profiles.

It all started with a domain I'd been looking at for a few days, which touted a "Myspace Directory" containing numerous text files named after various sections on the typical Myspace profile - "Gender", "Interests", "Heroes" and "Movies", to name but a few:

http://blog.spywareguide.com/upload/2008/01/myspacebot2-thumb.jpg

Here's a Birthday file:

myspacebot6.jpg

Here's a list of names:

http://blog.spywareguide.com/upload/2008/01/myspacebot3-thumb.jpg

Here's the name for the spam profile itself:

myspacebot19.jpg

And, more tellingly, here's an image file - the profile picture for the spam account:

myspacebot5.jpg

Look familiar?

It doesn't take long to figure out that these different text files are values the Spammers use to populate their fake profiles. But how do they get that data into the fake profiles in the first place?

It all begins with a domain that (for some unknown reason) was left with the Spamming tools sitting on the frontpage of the site:

myspacebot1.jpg

Thanks to a tip from my pal LoLo, I was able to grab the files and take a look inside. The domain hosting these files changes its content on a regular basis. Sometimes it serves you geotargeted adverts, other times it'll hand you an ad for a dating page (the picture of the girl with the laptop has been used on the majority of more recent spam that appears to come from the same group):

http://blog.spywareguide.com/upload/2008/01/myspacebot7-thumb.jpg

And (thanks to the magic of Google cache) we can even see the domain hosting a fake Myspace page:

http://blog.spywareguide.com/upload/2008/01/myspacebot8-thumb.jpg

The example above is overlaid with a redirect that takes you to more targeted adverts. For what it's worth, this particular kind of spam profile has been on Myspace since at least June 2007.

If we take a look inside the first zipfile, we see the following collection of files and folders:

http://blog.spywareguide.com/upload/2008/01/myspacebot11-thumb.jpg

Exploring those folders a little deeper (and faced with numerous .cs files - C# source code, in other words), renaming some of them to .txt files....

myspacebot16.jpg

....allows you to take a peek inside:

myspacebot17.jpg

Once again, we see references to the most common categories on a Myspace profile. As you're about to see, this is hardly a coincidence. From the second zipfile:

myspacebot12.jpg

"Myspace program.exe"? Shall we take a look inside the program before we fire it up?

http://blog.spywareguide.com/upload/2008/01/myspacebot13-thumb.jpg

Well, would you look at that. Not only is the domain with the "Myspace" folder referenced in the code, but (more importantly) all of the individual .txt files that relate to "Birthday", "Books", "Movies", "Interests", "Heroes"....they're all there. Shall we put it all together?

myspacebot15.jpg

This is the tool that apparently makes it all happen. Note the entry box in the bottom right corner - from what we can gather, you enter the profile name you'd like for your Spam profile and hit Start - at which point, it checks out the information provided in the .txt files sitting on the domain, before attempting to contact another part of that website that allows it to create the spam profile on Myspace. At time of writing, the program doesn't seem to work due to a page missing on the domain hosting the spam profile information. Of course, they could bring the page back at any time, but for now, Myspace seems like it may be spared from more fake profiles selling ringtones, dating ads and free iPods.

For a couple of minutes, at least....

Research Summary Write-Up: Chris Boyd, Director of Malware Research
Technical Research: Chris Mannon, FSL Senior Threat Researcher

January 18, 2008

  • New Myspace Feature Gives Green Light To Spammers

If you happen to be a musician on Myspace, you'll have seen the following update from Tom yesterday:

newmspacehck2.jpg

"we have been working on a new feature that allows bands with over 10,000 friends to automatically approve friend requests to save you some time."

Myspace just made it a walk in the park for Spammers to plaster the most popular pages on Myspace with pill adverts, dubious redirects, porn spam....whatever they feel like. Previously you had to be a friend (added manually) to leave a comment on someone's page:

newmspacehck4.jpg

Not anymore!

Remember the Myspace band hacks from a while ago? These are still taking place, with what looks like a few new malicious domains thrown into the mix (thanks to JetKing for the tip):

http://blog.spywareguide.com/upload/2008/01/newmspacehck1-thumb.jpg

Note the ".cn" domain in the bottom left hand corner. This will of course redirect you to a fake media codec install:

http://blog.spywareguide.com/upload/2008/01/newmspacehck3-thumb.jpg

Considering band pages are a huge target for Myspace hackers at the moment, this new policy - effectively a green light to as much profile spam as you can handle - allows links to this kind of redirect to be pasted all over music profiles with no need for the page owner to approve anything first.

Has this move been brought about by people working on behalf of the most popular artists complaining about the amount of friend requests they have to manually approve? Possible, given the content of a Bulletin sent out by a band (and passed onto me by a contact who received it):

"Title : THERE IS A GOD!!!!!!!!!

Incase you're wondering why I posted this, dear **** band's fans, adding 250-300+ people EVERY SINGLE DAY FOR THE PAST 4 YEARS, hasn't been my idea of a good time. So MySpace has FINALLY listened to the bands moans, mine included! I sent them an email about this late last year and by god, they listened!"

However, the cost of an automated process like this is to give people with malicious intent permission to post whatever they want, whenever they want - simply by starting the ball rolling with a friend request to anyone with more than 10,000 people on their friends list. Of course, some profiles will have comment moderation enabled - but if the people using the auto-add feature are using it to save time in the first place, why would they bother to wade through hundreds of moderated comments too?

Myspace are having enough problems as it is, recently - why add to them needlessly?

January 14, 2008

  • Myspace Prank Relocates You To Japan

Whenever I see someone post "Hey, check this out" on a Myspace profile I just know it's not going to be good for your general wellbeing. Sure enough...

japanese_myspace0.jpg

....anybody wanting to "check this out" will probably be a bit annoyed once they've clicked the link (made to look like it leads you to a video). Why? Oh, I don't know....

japanese_myspace1.jpg

Whoops. Shall we have a look at my all new login screen, courtesy of a mischievous IFRAME that quietly flips your Myspace region setting to Japan?

http://blog.spywareguide.com/upload/2008/01/japanese_myspace2-thumb.jpg

If you're hit by this, don't panic - simply scroll down to the bottom of the page and click the word "International" in the bottom right-hand corner:

japanese_myspace3.jpg

From there, it's just a case of setting the right geographical location for your homepage:

http://blog.spywareguide.com/upload/2008/01/japanese_myspace4-thumb.jpg

Everything should be back to normal once you've done this.
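The IFRAME above and the forced video-channel subscription in the "Who Is Watching The Detectives" posts are the same class of bug: a page makes a logged-in visitor's browser fire a request that changes something on their account, and the session cookie rides along. The code below is an added example of the server-side fix, written for this page; it is not Myspace's code, and the endpoint behaviour, parameter names and token scheme are assumptions for illustration. It replays both attacks against a deliberately vulnerable handler and a hardened one, and shows why a Referer check on its own is not enough when the attacker can paste code into a Myspace profile.

```python
"""Cross-site request forgery, two costumes: forced video subscription and the
region-to-Japan IFRAME. Added example, not Myspace's code; endpoint behaviour,
parameter names and the token scheme are assumptions for illustration.
"""
import hmac
import secrets
from urllib.parse import urlparse

SITE = "myspace.com"   # assumption: every *.myspace.com host counts as same-site


class Session:
    """Server-side state the login cookie resolves to."""
    def __init__(self, user):
        self.user = user
        self.csrf_token = secrets.token_hex(16)  # per-session secret, embedded in real forms
        self.subscriptions = set()
        self.locale = "en-US"


class Request:
    """What the server sees: method, merged query/form params, the session the
    cookie resolved to, and the Origin (or Referer) header if the browser sent one."""
    def __init__(self, method, params, session, origin=None):
        self.method = method
        self.params = dict(params)
        self.session = session
        self.origin = origin


# The two state changes the posts describe.
def subscribe(session, params):
    session.subscriptions.add(params["channel"])


def set_locale(session, params):
    session.locale = params["locale"]


def same_site(origin):
    if not origin:
        return False                         # no Origin/Referer at all: fail closed
    host = urlparse(origin).hostname or ""
    return host == SITE or host.endswith("." + SITE)


def handle_vulnerable(req, action):
    """Acts on whoever's cookie arrived, whatever page caused the request.
    An <img src=...> or <iframe src=...> on any page is enough to trigger it."""
    action(req.session, req.params)
    return 200


def handle_hardened(req, action):
    """Three checks. The Origin check alone is not enough: code pasted into a
    Myspace profile produces a same-site Referer, so the token is what saves you."""
    if req.method != "POST":                 # a GET must never change state
        return 405
    if not same_site(req.origin):            # stops the off-site blog/forum case
        return 403
    token = req.params.get("csrf_token", "")
    if not hmac.compare_digest(token, req.session.csrf_token):
        return 403                           # stops the in-profile case
    action(req.session, req.params)
    return 200


def run_scenarios():
    """Replay the attacks and a legitimate submission against both handlers."""
    results = {}
    on_profile = "http://profile.myspace.com"    # code embedded in a Myspace profile
    off_site = "http://evil-blog.example"        # code embedded on a third-party page

    victim = Session("visitor")
    results["vulnerable_subscribe"] = (handle_vulnerable(
        Request("GET", {"channel": "attacker"}, victim, on_profile), subscribe),
        "attacker" in victim.subscriptions)
    results["vulnerable_locale"] = (handle_vulnerable(
        Request("GET", {"locale": "ja-JP"}, victim, on_profile), set_locale), victim.locale)

    victim = Session("visitor")
    results["hardened_get_in_profile"] = handle_hardened(
        Request("GET", {"channel": "attacker"}, victim, on_profile), subscribe)
    results["hardened_post_in_profile"] = handle_hardened(
        Request("POST", {"channel": "attacker"}, victim, on_profile), subscribe)
    results["hardened_post_off_site"] = handle_hardened(
        Request("POST", {"channel": "attacker", "csrf_token": "guess"}, victim, off_site), subscribe)
    results["hardened_locale_iframe"] = (handle_hardened(
        Request("GET", {"locale": "ja-JP"}, victim, on_profile), set_locale), victim.locale)
    results["hardened_legit"] = handle_hardened(
        Request("POST", {"channel": "friend", "csrf_token": victim.csrf_token}, victim,
                "http://vids.myspace.com"), subscribe)
    results["subscriptions"] = sorted(victim.subscriptions)
    return results


if __name__ == "__main__":
    for name, outcome in run_scenarios().items():
        print(f"{name:28} {outcome}")
```

The vulnerable handler subscribes the visitor and switches their locale from nothing more than an image or frame load. The hardened one refuses every forged request, including the same-site POST without a token, while the real form (which carries the session's token) still works. The HOSTS-file trick in the April posts is the client-side stopgap for the same problem: it stops the forged request reaching the server, which is what the token check does properly once the site is fixed.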

January 04, 2008

  • Myspace: What Happened Here?

Last week, I heard rumblings of an "interesting" screenshot doing the rounds on a few forums, but I had no clue where to look for it. Then someone anonymously popped up on MSN - as they quite often do - and sent me a link to the screenshot in question.

As you might have guessed, the screenshot involved Myspace. What's worrying here is what the contents of the screenshot could mean, and the less than amazing response I've had back from Myspace. See, let me say this right away - whenever you trawl through the super secret security mailing lists, backroom areas on forums etc, there's always one question that keeps popping up, and it almost always draws a blank.

"Anyone got a contact for Myspace"?

Most of the time, nobody ever does. For all intents and purposes, their security team - whoever they are - might as well reside in another Galaxy. So when a screenshot containing what looked like a pile of sensitive data related to Myspace came my way, my eyes started to roll and didn't stop for three whole days.

Now, I had no clue what I was looking at but it didn't sound very good given that this was supposedly popping up on various underground forums. Some of the items from the screenshot included:

"Domain Account Administrator, Myspace"

"CSR-Tools"

"Account: Retail"

"Billing Information".

These are just some of the items contained in the screenshot. Besides that, there's a number of domains seemingly connected to Myspace down the left hand side and a bunch of contact information (Emails, names, addresses, User ID numbers) in the main portion of the page.

Has someone wandered into the main admin panel for Myspace? Is this something to do with a storefront related to the site? Is it something else entirely? Who knows, but you can probably guess what happened when I attempted to draw attention to this. I mailed them using their autoform last week - no reply.

I tried again this week, and this is what I sent them:

hello, my name is chris boyd, director of malware research
for facetime security labs. This is the second time I have
sent this through, with no reply so far. A few days ago,
someone pointed me in the direction of a screenshot a few
people had heard about (screenie URL goes here).

The screenshot appears to indicate your main CSR account
tools system was compromised in some way - can you confirm
what has happened here? I will be writing about this later
on today on my blog and would prefer to have the full
details as to the extent of what has (or has not!) happened here.

Thanks,
Chris

Can you guess what I got back?

Hello,

Below is a pretty comprehensive overview on blogs presented in an FAQ format. It should answer all the questions you have about blogs.

Q: What is a blog?

A: A 'blog' is an online journal. Blog is short for Weblog. In recent years, 'blogging' or posting an online journal has become very popular.

.....yes, thanks for the handy blogging tips(!)

I mailed them right back and this time, I was supposed to be given an answer by an actual person. As it turns out, the auto reply above made more sense than what I was handed back. I sent them the same Email above - this is what I got (bold emphasis added by me):

Hello,

Most errors are cleared up in a matter of minutes so try to access the page again in a minute or so. If it's a significant problem, we're probably already aware of it and are currently working to resolve it. Please be patient.

......wha? Thanks for advising me to try accessing your potentially compromised system again in a few minutes, but that doesn't really solve anything, does it?

I've resent yet again with a little note asking if anyone there actually bothers to read anything they're sent, but I'm not getting my hopes up. I'd like to think the above screenshot doesn't represent anything serious, but would someone bother posting something like that to websites if they didn't think it was a big deal in the first place? I mean, call me paranoid, but I'm not entirely certain I want to be anywhere near a Myspace page at the moment. Is it safe? Is it compromised? Nothing to worry about? Being taken care of? Who knows?

Little help, Myspace?

/ Addendum - I just received the latest reply to my efforts to draw attention to this, and it's the best one yet.

I sent Myspace this:

"Is anyone there actually reading what I'm sending you? I'm telling you that you appear to have been compromised, potentially quite badly. And you're sending me another reply that doesn't help and tells me to "try to access the page again in a minute or so"?! I guess that would be useful if I was the one doing the compromising, but this isn't really much use to me, is it?

Let me repost my message for a third time."

This is what I got back:


"Hello,

We do not offer that option as it is not available within MySpace."

....I think my brain hurts.

January 03, 2008

  • Myspace Spammers Change Tactics, Fail Miserably

Looks like the Myspace spammers impersonating "Myspace Tom" have realised that calling their ringtone spamming profiles "Tom Anderson" is the quickest way to have their fake profiles deleted.

With that in mind, they decided to change the names given to the profiles.

Unfortunately for them, they kind of messed it up.....

fake_tom_girl.jpg

January 02, 2008

  • Myspace Tom Selling Ringtones?

.....nope.

fake_tom_ringtone22.jpg

As you might have guessed, these profiles that are suddenly springing up all over Myspace are 100% fake. It seems Myspace are aware of these, and are taking actions to have them deleted.

December 12, 2007

  • SCMagazine Podcast - Hacks on Social Networking Sites

Hear some of my thoughts on the recent spate of Myspace hacks here (direct download), courtesy of SCMagazine.

December 06, 2007

  • Tesla Hacked Justin Timberlake Too
justin1.jpg

...a charming bulletin. And here's his page from a few hours ago:

http://blog.spywareguide.com/upload/2007/12/justin2-thumb.jpg

...Tesla, running wild.

  • Tila Tequila, Hilary Duff Hacked By "Tesla" of Kryogeniks

I couldn't imagine a crazier way to get yourself some attention from the hacking crew you want to join than taking out one of the biggest "phenomenons" on Myspace then following it up with the Hilary Duff music page, but there you go. The page content doesn't appear to have had anything malicious placed on it, but the individual behind the hacks couldn't resist sending out a few bulletins.

tila_1.jpg

Here's a few versions of the hacked page:

http://blog.spywareguide.com/upload/2007/12/tila_2-thumb.jpg

Note that Tila is extremely popular on Myspace, and has 2,414,669 friends. In fact, she's one of the top three music profiles on all of Myspace:

http://blog.spywareguide.com/upload/2007/12/tila_most_popular-thumb.jpg

If the hacker had placed something malicious on the page......Houston, we'd have a problem.

Finally, the motivation behind the attack is revealed:

http://blog.spywareguide.com/upload/2007/12/tila_3-thumb.jpg

Check out the text at the bottom of the screen:

"Well my names Tesla I like to hack I think Tilas a hottie and uh I wanna join team Kryogeniks!"

Sadly for Tesla, I don't think he'll be getting a membership card through the door anytime soon, because if we jump over to the Kryogeniks website (handily provided for us via the content of the bulletin sent out from the hacked Hilary Duff account):

tila_4.jpg

....we find that Tesla might not be the flavour of the month on the Kryogeniks board:

http://blog.spywareguide.com/upload/2007/12/tila_5-thumb.jpg

I'm sure he didn't include getting their forum canceled in his plan for Internet stardom, but oh well. Shall we take a look around and see what we can find? Let's start with a cached version of their forum:

http://blog.spywareguide.com/upload/2007/12/kyro1-thumb.jpg

In all honesty, there's not a lot there - a few mentions of "phish pages needed" and the usual cracks / hacks. Let's keep looking - wait, do we have something on Digg.com? Sure looks that way:

kyro2.jpg

"Seems to have been hacked"? I'd be more impressed, if the user who submitted the story didn't share his username with the site being given shout-outs in the bulletin. Sigh. Nothing like a little self publicity, I guess. Turning our attention back to Tesla, we can see he's a noob on their forum:

http://blog.spywareguide.com/upload/2007/12/kyro4-thumb.jpg

...but other than that, not a lot is known about him at this point.

/ Addendum - We've just discovered that Justin Timberlake had his page compromised in the same way by Tesla.

I'll update this blog entry with more information as it comes in...

November 19, 2007

  • The Myspace Band Hacks: A Victim Speaks

You probably saw some of the coverage of the recent hijacking of musician pages on Myspace. What you probably didn't see, was evidence of the end-users who were unfortunate enough to have their systems taken over as a result of the hacked band pages. Certainly, a few reports claimed that something like "40,000" people were infected as a result of viewing the Alicia Keys Myspace page at the time that it was hacked. The only problem is, nobody seemed to be able to produce one of these individuals. While I don't believe that many users became infected purely from the Alicia Keys page, it's obvious that there would be people out there with a story to tell.

Well a few days ago, one of the end-users who clicked the overlay on a hijacked page (which would redirect you to malware and fake codecs) got in touch, and agreed to let me use the following extract to serve as a warning to anyone clicking on a Myspace page. Obviously, names / personally identifiable information has been removed.....

"To Chris Boyd:

I believe I was a victim of the recent software attacks on MySpace. I have read that you first blogged about it, but haven't heard of any solutions as to what can be done to online visitors who have visited the site, and whose computers have been compromised. I had ********** Cable install high-speed internet, and got online the same day. I did get on the Alicia Keys website, along with other websites, and the following day, my computer is showing me a red screen telling me that my "privacy is in danger." A pop-up window appears from time to time. It says...WINDOWS SECURITY ALERT...Someone is trying to hack into your system....download such and such now, etc. Downloading more stuff is actually something that I don't want to do.

I have contacted the company, and all they told me was to go to a computer technician and clean my software. I should mention that I had McAfee and Norton Antivirus, but both expired in May 2007. I had dial-up before and never had this problem, even with the virus protection programs expired. I guess the only solution now is to get my computer cleaned up, and buy software that will protect me from future problems. Hope Best Buy has the right stuff! Since it's high-speed, does that mean we're open to hackers? Do you know how online visitors can be compensated for the recent attacks on the website?"

Well, for what it's worth, you'd have had the same problem if you'd visited the page and been hijacked regardless of whether you were on dial-up or high-speed broadband. As to whether or not you're "open to hackers", it depends what was installed during the hijack. Though there were some reports of rootkits flying around the press when this story was in the news, all we saw installed was the fake codec (which is usually responsible for downloading and installing the rogue antispyware cleaner currently giving you all those "alerts"). However, the payload was known to change from time to time, so without seeing the individual PC it's hard to say. The good news is that most reputable security cleaning tools remove many, many variants of these fake codecs, and also the rogue antispyware tools they push onto hijacked PCs. The method used to hijack the computers in this attack was much more interesting and up to date than the actual malware being foisted onto the target PC, which (when compared to some of the hijacks out there) was fairly middle-of-the-road and not a huge threat.

As for being "compensated", sadly I don't think you'll get very far. Your best bet is to keep your security tools updated, try running in Limited User Mode if you're just doing general web browsing and keep Windows patched as much as possible.

Meanwhile, hacked pages are still out there and still redirect to the hijack sites at the heart of this attack, so anybody visiting a music page on Myspace needs to ensure everything they click on is legitimate. On a related note, I'd love to hear from anyone else out there that's been hijacked by the above scam...

October 31, 2007

  • BandJammer - Hacking A Myspace Music Profile Near You

The last few days, we've noticed a number of Myspace profiles hacked. Nothing unusual there, you might think - however, this approach is somewhat different.

Why?

Because the attackers only seem to be hacking the pages of various rock bands, overlaying them with a huge "background image" that covers a sizable chunk of the page and then either tries to redirect you to fake Media Codec installs or (as far as we can tell from the messages being posted on some Myspace Bulletins) phishes your Myspace login details. Check this out:

http://blog.spywareguide.com/upload/2007/10/myphish1-thumb.jpg
Click to Enlarge

It's a page for a band called "A New Dawn" - notice at the bottom of the screen, there's a .cn URL - that's where all the action takes place. From there, the attack seems to rotate between exploits, fake Media Codec installs and apparent phish attempts. Shall we look at the code?

myphish2.jpg

Note the "background image" is a URL. This isn't the only band to have been hit by this:

myphish3.jpg

...and, if we look at some of the comments left on their pages, it's obvious that the attackers aren't too concerned who notices it:

http://blog.spywareguide.com/upload/2007/10/myphish4-thumb.jpg
Click to Enlarge
http://blog.spywareguide.com/upload/2007/10/myphish5-thumb.jpg
Click to Enlarge

If you check out the steps made in a typical hijack, this is what happens on your PC:

5point5.jpg

If you check the source code for the final step of this particular journey, you'll see this:

myphish7.jpg

..from this "movie site" comes - you've guessed it - a fake codec installer:

http://blog.spywareguide.com/upload/2007/10/myphish8-thumb.jpg
Click to Enlarge

Install this, and you're only a few moments away from "security toolbars":

http://blog.spywareguide.com/upload/2007/10/myphish10-thumb.jpg
Click to Enlarge

....desktop wallpaper hijacks, rogue security applications giving dire warnings of infection and who knows what else. More alarmingly, there have been a few people on Myspace claiming that their accounts have been "phished" after clicking into one of these hacked pages - indeed, there are already a number of bulletins floating around regarding this issue:

http://blog.spywareguide.com/upload/2007/10/myphish11-thumb.jpg
Click to Enlarge

...so there we have it. Targeting nothing but Myspace band profiles is an interesting tactic - hack one of the more popular bands, and a steady stream of potential victims will be winging their way to your hijack of choice. As the overlay covers most of the page, it doesn't leave the end-user with much margin for error. For what it's worth, we detect this as BandJammer.
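The hijack described above rests on one observable feature: a profile's custom CSS pulls in a "background image" that is really an off-site URL, positioned so that it blankets the page and catches every click. The following is an added example (not code from the blog or from FaceTime Security Labs) showing how a defender could scan saved profile markup for that pattern. The allow-list of image hosts, the sample markup and the `attacker-placeholder.example.cn` host are all constructed for the demonstration; they are not real indicators from the page.

```python
import re
from urllib.parse import urlparse

# Assumption: hosts a profile is legitimately allowed to load images from.
# These are placeholders; the real social-network image hosts are not named on the page.
TRUSTED_IMAGE_HOSTS = {"images.example-social.test", "cdn.example-social.test"}

# Constructed sample of customised profile markup, standing in for the kind of
# CSS a hijacked band page carried: a legitimate body background, plus an
# absolutely positioned block whose "background image" lives off-site.
SAMPLE_PROFILE_HTML = """
<style>
body { background-image: url("http://images.example-social.test/bands/anewdawn/bg.jpg"); }
table.overlay { position: absolute; top: 0; left: 0; width: 100%; height: 2000px;
  background-image: url(http://attacker-placeholder.example.cn/overlay.jpg); }
</style>
<div style="position:absolute; top:0; left:0; background: url('http://attacker-placeholder.example.cn/b.gif') no-repeat;">
<a href="http://attacker-placeholder.example.cn/go.php">&nbsp;</a></div>
"""

# background: url(...) / background-image: url(...) with optional quotes
URL_IN_CSS = re.compile(
    r"""background(?:-image)?\s*:\s*[^;}]*?url\(\s*['"]?([^'"\)\s]+)['"]?\s*\)""",
    re.IGNORECASE,
)
# Either a { ... } rule body from a <style> block or an inline style="..." value
DECL_BLOCKS = re.compile(
    r"""\{([^{}]*)\}|style\s*=\s*(?:"([^"]*)"|'([^']*)')""",
    re.IGNORECASE | re.DOTALL,
)
# Positioning that lets an element float over the rest of the page
POSITIONED = re.compile(r"position\s*:\s*(absolute|fixed)", re.IGNORECASE)


def extract_background_urls(html):
    """Every URL used as a CSS background anywhere in the markup."""
    return URL_IN_CSS.findall(html)


def is_external(url, trusted_hosts=TRUSTED_IMAGE_HOSTS):
    host = (urlparse(url).hostname or "").lower()
    return host not in trusted_hosts


def classify_background_urls(html, trusted_hosts=TRUSTED_IMAGE_HOSTS):
    """Tag each background URL with its host and whether it is off the allow-list."""
    return [
        {"url": url, "host": urlparse(url).hostname or "", "external": is_external(url, trusted_hosts)}
        for url in extract_background_urls(html)
    ]


def declaration_blocks(html):
    """Split the markup into CSS declaration blocks (rule bodies and inline styles)."""
    blocks = []
    for m in DECL_BLOCKS.finditer(html):
        blocks.append(next(g for g in m.groups() if g is not None))
    return blocks


def find_overlay_backgrounds(html, trusted_hosts=TRUSTED_IMAGE_HOSTS):
    """Off-site background URLs that sit in an absolutely/fixed positioned block:
    the combination that turns a 'background image' into a click-catching overlay."""
    hits = []
    for block in declaration_blocks(html):
        if not POSITIONED.search(block):
            continue
        for url in URL_IN_CSS.findall(block):
            if is_external(url, trusted_hosts):
                hits.append(url)
    return hits


def scan_profile(html, trusted_hosts=TRUSTED_IMAGE_HOSTS):
    """Summarise a saved profile page: external backgrounds, overlay candidates, verdict."""
    externals = [f["url"] for f in classify_background_urls(html, trusted_hosts) if f["external"]]
    overlays = find_overlay_backgrounds(html, trusted_hosts)
    verdict = "suspicious" if overlays else ("review" if externals else "clean")
    return {"external_backgrounds": externals, "overlay_backgrounds": overlays, "verdict": verdict}


if __name__ == "__main__":
    result = scan_profile(SAMPLE_PROFILE_HTML)
    print(f"verdict: {result['verdict']}")
    for url in result["overlay_backgrounds"]:
        print("overlay background off-site:", url)
```

Run against the constructed sample, the scanner ignores the band's own background hosted on the allow-listed image host, and flags both the positioned `table.overlay` rule and the inline-styled `div` because each pairs `position: absolute` with a background fetched from an untrusted host. A page with external backgrounds but no positioning lands in "review" rather than "suspicious", since a band linking an off-site banner is not by itself a hijack.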

Rock and roll - it'll be the death of you....

Research Summary Write-Up: Chris Boyd, Director of Malware Research
Technical Research: Chris Mannon, FSL Senior Threat Researcher

  • Myspace Spammers Just Aren't Trying Anymore

Normally, a piece of spam on Myspace depends entirely on pretending to look like something other than what it is. Right? That's just common sense. So I can't tell if the rash of similar spam hits I've had in the last few days is the spammer being honest or just plain bored.

http://blog.spywareguide.com/upload/2007/10/staci_spam-thumb.jpg
Click to Enlarge

September 06, 2007

  • Weirdness on Myspace - Watch Out For System Doctor Adverts

Just had a tip-off from a contact on Myspace - they were sending a Bulletin to their friends and as soon as they hit the "send" button, they were directed to a System Doctor "scare tactics" page:

http://blog.spywareguide.com/upload/2007/09/myspace_doctor-thumb.jpg
Click to Enlarge

If you see this, ignore the nag screens and click out of the popup loop. It'll take a couple of goes, but you should escape eventually.

August 28, 2007

  • This Week On Myspace....

Yep, more fake profile Friend requests. These ones are a little more interesting than usual, though.

First of all, this thing popped into my Inbox:

camw1.jpg

It's pretty obvious that this profile screams out "fake", so off we go to take a look and....

http://blog.spywareguide.com/upload/2007/08/camw2-thumb.jpg
Click to Enlarge

....we see a big banner claiming "Need cash fast use easy Paypal system" with a blog entry proclaiming "$400 to Paypal". If you click the banner, you're taken to a site called "Vid-Share.com":

http://blog.spywareguide.com/upload/2007/08/camw3-thumb.jpg
Click to Enlarge

I'd love to be able to tell you what the software on this site does that will generate you so much money, but to find out you have to send £19.99, apparently without any idea as to what you're going to purchase.

Interestingly, if you Google Vid-Share.com, the top result (sitting above a number of pages on Myspace that have had this banner posted to them) is rather strange:

http://blog.spywareguide.com/upload/2007/08/camw4-thumb.jpg
Click to Enlarge

"Myspace Hacking / Welcome Welcome to myspacehacking we are the leading email account & myspace password recovery websites on the internet today."

....guess we'll go pay it a visit then.

http://blog.spywareguide.com/upload/2007/08/camw5-thumb.jpg
Click to Enlarge

Apparently, you can pay between $60 and $75 to recover a lost password for a variety of Email systems, and the site also offers a number of downloads of the password crack / recovery variety. Some are free, but the one listed in orange needs to be paid for - no idea what it does though:

http://blog.spywareguide.com/upload/2007/08/camwadd-thumb.jpg
Click to Enlarge

If you click around on the front page for a while, you'll see this message appear at the top of the screen (viewable in the main shot of the site above):

"<%'YOUR NOT SUPPOSED TO BE LOOKING THROUGH THIS INFORMATION IT WILL GET YOU NOWHERE!!%>"

I'm guessing this was only supposed to be viewable if you were rummaging round their HTML source, but oh well. Some more exploring on Myspace follows, and it seems a wave of spam profiles have been set up with the express intention of pimping the Vid-share URL:

http://blog.spywareguide.com/upload/2007/08/camw6-thumb.jpg
Click to Enlarge

This one is extremely interesting, as (aside from the Vid-Share spam) it also has this in one of the blog entries:

http://blog.spywareguide.com/upload/2007/08/camw7-thumb.jpg
Click to Enlarge


"Do you need a Myspace password

Get your passwords here Myspacerecovery.com"

Sadly, there doesn't seem to be any cached version of the (currently down) site, so there's no way to check it out and compare it against the sites already mentioned. However, we DO seem to have an overabundance of spam profiles:

http://blog.spywareguide.com/upload/2007/08/camw8-thumb.jpg
Click to Enlarge

....aren't we the lucky ones?


© Copyright 2006, FaceTime Communications, Inc. All rights reserved.