Myspace: January 2008 Archives

A few weeks ago, we covered Spammers running riot on Myspace pushing ringtones and dating profiles. Have you ever wondered how Spammers go about their daily business? If so, you're in luck because it seems likely that we've pieced together the tools (and domains) used for this very wave of fake profiles.

It all started with a domain I'd been looking at for a few days, which touted a "Myspace Directory" containing numerous text files named after various sections on the typical Myspace profile - "Gender", "Interests", "Heroes" and "Movies", to name but a few:

http://blog.spywareguide.com/upload/2008/01/myspacebot2-thumb.jpg
Click to Enlarge

Here's a Birthday file:

myspacebot6.jpg

Here's a list of names:

http://blog.spywareguide.com/upload/2008/01/myspacebot3-thumb.jpg
Click to Enlarge

Here's the name for the spam profile itself:

myspacebot19.jpg

And, more tellingly, here's an image file - the profile picture for the spam account:

myspacebot5.jpg

Look familiar?

It doesn't take long to figure out that these different text files are values the Spammers use to populate their fake profiles. But how do they get that data into the fake profiles in the first place?

It all begins with a domain that (for some unknown reason) was left with the Spamming tools sitting on the frontpage of the site:

myspacebot1.jpg

Thanks to a tip from my pal LoLo, I was able to grab the files and take a look inside. The domain hosting these files changes its content on a regular basis. Sometimes it serves you geotargetted adverts, other times it'll hand you an ad for a dating page (the picture of the girl with the laptop has been used on the majority of more recent spam that appears to come from the same group):

http://blog.spywareguide.com/upload/2008/01/myspacebot7-thumb.jpg
Click to Enlarge

And (thanks to the magic of Google cache) we can even see the domain hosting a fake Myspace page:

http://blog.spywareguide.com/upload/2008/01/myspacebot8-thumb.jpg
Click to Enlarge

The example above is overlaid with a redirect that takes you to more targeted adverts. For what it's worth, this particular kind of spam profile has been on Myspace since at least June 2007.

If we take a look inside the first zipfile, we see the following collection of files and folders:

http://blog.spywareguide.com/upload/2008/01/myspacebot11-thumb.jpg
Click to Enlarge

Exploring those folders a little deeper (and faced with numerous .cs files), renaming some of them to .txt files....

myspacebot16.jpg

....allows you to take a peek inside:

myspacebot17.jpg

Once again, we see references to the most common categories on a Myspace profile. As you're about to see, this is hardly a coincidence. From the second zipfile:

myspacebot12.jpg

"Myspace program.exe"? Shall we take a look inside the program before we fire it up?

http://blog.spywareguide.com/upload/2008/01/myspacebot13-thumb.jpg
Click to Enlarge

Well, would you look at that. Not only is the domain with the "Myspace" folder referenced in the code, but (more importantly) all of the individual .txt files that relate to "Birthday", "Books", "Movies", "Interests", "Heroes"....they're all there. Shall we put it all together?

myspacebot15.jpg

This is the tool that apparently makes it all happen. Note the entry box in the bottom right corner - from what we can gather, you enter the profile name you'd like for your Spam profile and hit Start - at which point, it checks out the information provided in the .txt files sitting on the domain, before attempting to contact another part of that website that allows it to create the spam profile on Myspace. At time of writing, the program doesn't seem to work due to a page missing on the domain hosting the spam profile information. Of course, they could bring the page back at any time, but for now, Myspace seems like it may be spared from more fake profiles selling ringtones, dating ads and free iPods.

For a couple of minutes, at least....

Research Summary Write-Up: Chris Boyd, Director of Malware Research
Technical Research: Chris Mannon, FSL Senior Threat Researcher

If you happen to be a musician on Myspace, you'd have seen the following update from Tom yesterday:

newmspacehck2.jpg

"we have been working on a new feature that allows bands with over 10,000 friends to automatically approve friend requests to save you some time."

Myspace just made it a walk in the park for Spammers to plaster the most popular pages on Myspace with pill adverts, dubious redirects, porn spam....whatever they feel like. Previously you had to be a friend (added manually) to leave a comment on someone's page:

newmspacehck4.jpg

Not anymore!

Remember the Myspace band hacks from a while ago? These are still taking place, with what looks like a few new malicious domains thrown into the mix (thanks to JetKing for the tip):

http://blog.spywareguide.com/upload/2008/01/newmspacehck1-thumb.jpg
Click to Enlarge

Note the ".cn" domain in the bottom left hand corner. This will of course redirect you to a fake media codec install:

http://blog.spywareguide.com/upload/2008/01/newmspacehck3-thumb.jpg
Click to Enlarge

Considering band pages are a huge target for Myspace hackers at the moment, this new policy - effectively a green light to as much profile spam as you can handle - allows links to this kind of redirect to be pasted all over music profiles with no need for the page owner to approve anything first.

Has this move been brought about by people working on behalf of the most popular artists complaining about the amount of friend requests they have to manually approve? Possible, given the content of a Bulletin sent out by a band (and passed onto me by a contact who received it):

"Title : THERE IS A GOD!!!!!!!!!

Incase you're wondering why I posted this, dear **** band's fans, adding 250-300+ people EVERY SINGLE DAY FOR THE PAST 4 YEARS, hasn't been my idea of a good time. So MySpace has FINALLY listened to the bands moans, mine included! I sent them an email about this late last year and by god, they listened!"

However, the cost of an automated process like this is to give people with malicious intent permission to post whatever they want, whenever they want - simply by starting the ball rolling with a friend request to anyone with more then 10,000 people on their friends list. Of course, some profiles will have comments moderation enabled - but if the people using the auto-add feature are using it to save time in the first place, why would they bother to wade through hundreds of moderated comments too?

Myspace are having enough problems as it is, recently - why add to them needlessly?

Whenever I see someone post "Hey, check this out" on a Myspace profile I just know it's not going to be good for your general wellbeing. Sure enough...

japanese_myspace0.jpg

....anybody wanting to "check this out" will probably be a bit annoyed once they've clicked the link (made to look like it leads you to a video). Why? Oh, I don't know....

japanese_myspace1.jpg

Whoops. Shall we have a look at my all new login screen, courtesy of a mischievous IFRAME?

http://blog.spywareguide.com/upload/2008/01/japanese_myspace2-thumb.jpg
Click to Enlarge

If you're hit by this, don't panic - simply scroll down to the bottom of the page and click the word "International" in the bottom right-hand corner:

japanese_myspace3.jpg

From there, it's just a case of setting the right geographical location for your homepage:

http://blog.spywareguide.com/upload/2008/01/japanese_myspace4-thumb.jpg

Everything should be back to normal once you've done this.

Last week, I heard rumblings of an "interesting" screenshot doing the rounds on a few forums, but I had no clue where to look for it. Then someone anonymously popped up on MSN - as they quite often do - and sent me a link to the screenshot in question.

As you might have guessed, the screenshot involved Myspace. What's worrying here is what the contents of the screenshot could mean, and the less than amazing response I've had back from Myspace. See, let me say this right away - whenever you trawl through the super secret security mailing lists, backroom areas on forums etc - there's always one question that keeps popping up, and it usually always draws a blank.

"Anyone got a contact for Myspace"?

Most of the time, nobody ever does. For all intents and purposes, their security team - whoever they are - might as well reside in another Galaxy. So when a screenshot containing what looked like a pile of sensitive data related to Myspace came my way, my eyes started to roll and didn't stop for three whole days.

Now, I had no clue what I was looking at but it didn't sound very good given that this was supposedly popping up on various underground forums. Some of the items from the screenshot included:

"Domain Account Administrator, Myspace"

"CSR-Tools"

"Account: Retail"

"Billing Information".

These are just some of the items contained in the screenshot. Besides that, there's a number of domains seemingly connected to Myspace down the left hand side and a bunch of contact information (Emails, names, addresses, User ID numbers) in the main portion of the page.

Has someone wandered into the main admin panel for Myspace? Is this something to do with a storefront related to the site? Is it something else entirely? Who knows, but you can probably guess what happened when I attempted to draw attention to this. I mailed them using their autoform last week - no reply.

I tried again this week, and this is what I sent them:

hello, my name is chris boyd, director of malware research
for facetime security labs. This is the second time I have
sent this through, with no reply so far. A few days ago,
someone pointed me in the direction of a screenshot a few
people had heard about (screenie URL goes here).

The screenshot appears to indicate your main CSR account
tools system was compromised in some way - can you confirm
what has happened here? I will be writing about this later
on today on my blog and would prefer to have the full
details as to the extent of what has (or has not!) happened here.

Thanks,
Chris

Can you guess what I got back?

Hello,

Below is a pretty comprehensive overview on blogs presented in an FAQ format. It should answer all the questions you have about blogs.

Q: What is a blog?

A: A 'blog' is an online journal. Blog is short for Weblog. In recent years, 'blogging' or posting an online journal has become very popular.

.....yes, thanks for the handy blogging tips(!)

I mailed them right back and this time, I was supposed to be given an answer by an actual person. As it turns out, the auto reply above made more sense than what I was handed back. I sent them the same Email above - this is what I got (bold emphasis added by me):

Hello,

Most errors are cleared up in a matter of minutes so try to access the page again in a minute or so. If it's a significant problem, we're probably already aware of it and are currently working to resolve it. Please be patient.

......wha? Thanks for advising me to try accessing your potentially compromised system again in a few minutes, but that doesn't really solve anything, does it?

I've resent yet again with a little note asking if anyone there actually bothers to read anything they're sent, but I'm not getting my hopes up. I'd like to think the above screenshot doesn't represent anything serious, but would someone bother posting something like that to websites if they didn't think it was a big deal in the first place? I mean, call me paranoid, but I'm not entirely certain I want to be anywhere near a Myspace page at the moment. Is it safe? Is it compromised? Nothing to worry about? Being taken care of? Who knows?

Little help, Myspace?

/ Addendum - I just received the latest reply to my efforts to draw attention to this, and it's the best one yet.

I sent Myspace this:

"Is anyone there actually reading what I'm sending you? I'm telling you that you appear to have been compromised, potentially quite badly. And you're sending me another reply that doesn't help and tells me to "try to access the page again in a minute or so"?! I guess that would be useful if I was the one doing the compromising, but this isn't really much use to me, is it?"

Let me repost my message for a third time"

This is what I got back:


"Hello,

We do not offer that option as it is not available within MySpace."

....I think my brain hurts.

Looks like the Myspace spammers impersonating "Myspace Tom" have realised that calling their ringtone spamming profiles "Tom Anderson" is the quickest way to have their fake profiles deleted.

With that in mind, they decided to change the names given to the profiles.

Unfortunately for them, they kind of messed it up.....

fake_tom_girl.jpg

.....nope.

fake_tom_ringtone22.jpg

As you might have guessed, these profiles that are suddenly springing up all over Myspace are 100% fake. It seems Myspace are aware of these, and are taking actions to have them deleted.

Pages

About this Archive

This page is a archive of entries in the Myspace category from January 2008.

Myspace: December 2007 is the previous archive.

Myspace: February 2008 is the next archive.

Find recent content on the main index or look in the archives to find all content.