SpywareGuide Greynets Blog

Hackers Target Neopets Users

Tue, 30 Jun 2009 07:30:06 +0000

I regularly see a lot of extremely dubious and rather slimy techniques deployed to get end-users to run horrible things or fall for scams. Generally, the targets tend to be the technologically inept or granny, sitting in the corner. See granny? Sure you do, she's right over there replying to the Third King of Nigeria and helping him out with his cash relocation problem.

However, I've come across a scam rapidly spreading across numerous underground forums and IRC channels that is truly one of the scummiest tactics I've seen in some time.

How bad? Allow the following screenshot to spell it out for you.

Ladies and Gentlemen, allow me to present you with the winner of the Lowest Tactic Used in 2009 award. Do your kids play Neopets? If they do, you might want to read this and gently warn them of the dangers.

Neopets: What is it?

Neopets, originally uploaded by Paperghost.

From Wikipedia:

Neopets (originally NeoPets) is a virtual pet website, based around the virtual pets that inhabit the virtual world of Neopia. Visitors can create an account and take care of up to four virtual pets, buying them food, toys, clothes, and other accessories using a virtual currency called Neopoints. Neopoints can be earned through playing games, investing in the game's stock market, trading, and winning contests such as customization and art. Neopets also operates a pay-to-play version known as Neopets Premium, which offers additional features and benefits for a monthly fee of $7.99 (USD).

The scam is based around one of the core mechanics of Neopets: kids love rare items and things that nobody else has. Neopets has magical paintbrushes - stay with me on this - and they're rather hard to get hold of nowadays. As an example of that, here's a petition posted in 2004(!) that people are still posting comments to. In addition, here's a list of current prices - now consider a newcomer to Neopets starts with the rather paltry sum of 1000 Neopoints, and you can see why there's a desire for these items.

This is where we target some 12 year olds with social engineering. Oh dear...

The Method

Neopets is effectively social networking for younger kids and some teenagers. Or, as someone on a hacking forum put it while discussing this particular attack,

...ouch. No surprise, then, that the site has many communal areas where people can chat, hang out, send each other messages and see what's going on. Our hackers will move to the trading areas, where kids can post requests for items they'd like to buy, sell or trade. Then it's just a case of hunting out posts like this....

...and that child is, officially, doomed. Asking for paintbrushes on the trading areas of Neopets will mean that they're likely to be the recipient of a Neomail (private messaging on the Neopets website) that looks like this:

Neopets Scam, originally uploaded by Paperghost.

From there, it's just a case of said child visiting the external link, downloading a file and being keylogged into infinity and beyond. Then the fun really begins.

Wave goodbye to your rare items, kids - and you didn't want your XBox Live account (that potentially has credit card details attached to it) anymore either, did you? The attackers then use the familiar tactic of taking a previously trusted source and using it to attack their friends & other newcomers to the site. Alongside hanging out in the handily labeled "Newbies" section and spamming messages, they'll also post fake "It worked" messages from compromised accounts to the forums of threads started by the attacker, much like people do on Youtube to give the impression that fake programs actually work (scroll down to "positive comments").

Additionally, the PC is quite possibly used by other people, or indeed belongs to someone else altogether....

...which would be, as you can imagine, a "bad thing".

Shall we see some of the reaction to this attack method from the peanut gallery?

"Stupid 12 year olds" are apparently in for a smackdown.

The above individual is clearly excited by this.

...well, if you're going to intentionally target young kids you might as well go the whole hog and dump them into a Botnet too. The messages aren't just being posted and sent by private message on the Neopets site - they're also turning up on third party websites too.

Click to Enlarge

Interestingly, sites such as Neopets are accessed in corporate environments too - FaceTime collects live traffic data from commercially deployed Unified Security Gateway appliances at more than 80 mid to large enterprises worldwide that have opted into this program, representing the daily Web-based activities of more than 100,000 corporate workers.

During the past week, these corporate workers have accessed 99 different virtual worlds from their work computers, and at least half of those are targeted at children. Perhaps the kids are asking their parents to check on their Neopets at work or see if the latest friend request on Myspace has been approved?

At any rate, let's hope they're wary of too-good-to-be-true paintbrush deals. Whether at home or in the workplace, "offers" such as the ones above should be avoided and anyone sending your child messages about paintbrush creators should report them here (you'll need to be logged in to access that URL).

I never thought I'd have to advise young children to stay frosty, but there you go...

Pay Per Click Autoclickers

Wed, 24 Jun 2009 13:17:42 +0000

There's quite a few autoclickers around at the moment (programs that will attempt to cheat pay per click networks) - thankfully the majority seem to be fairly unreliable. Like this one:

Click to Enlarge

A custom built web browser designed with the affiliate clickfrauder in mind, it gives everything the budding cheat could want.

Apart from a working program, that is. But hey, error messages can be fun too!

This next one is a little slicker, however, and doesn't seem to crash and burn once you fire it up.

Click to Enlarge

You want options? You got options! Select who you'd like to defraud today:

Decide which "clicking model" to roll with:

Is it proxy time yet? It is? Oh dear.

You know, I'd be willing to bet money this thing has the ability to fake browsers to go with your phoney clicks...

...sigh. And let's not forget the obligatory "About" ramble, which seems rather down where the whole "use of this program by PTC owners" idea is concerned.

I wonder why...

Malware Pushers Jump On #Neda Twitter Tag

Mon, 22 Jun 2009 18:13:11 +0000

You've probably already seen what happened to Neda - it was inevitable that people with dubious intentions would seize upon this event as a cheap way to make some money.

Sure enough, we're seeing a fair few links starting to go out on Twitter that mention Neda, which (if clicked) will take the end-user to fake Codec installers. In other words, this...

...will lead to this:

Click to Enlarge

The danger, of course, is that with this being such an emotive issue many people might simply assume the links are genuinely about something and retweet them without checking first. Thankfully, Bit.ly seem to be catching a lot of these links:

Click to Enlarge

I had no idea they did that...

Iran: A Few DDoS Websites

Mon, 22 Jun 2009 11:48:53 +0000

Here's a few screenshots of sites launching DDoS attacks on various official Iranian Government websites. The first attempts multiple requests as soon as you open it:

The second is a little slicker:

Click to Enlarge

...and lets you push a button for your target of choice. There's obviously quite a few of these sites springing up at the moment (and it would be premature to expect the number to decrease), but I do wonder if lots and lots of DDoS attacks winging their way to Iran could actually make it more difficult for people on the ground to get word out on what's going on over there...

Pushing The Self Destruct Button

Mon, 22 Jun 2009 09:50:03 +0000

Here's an EMail bombing program currently being pimped in the digital underground.

Sure, it sounds like a cool way to annoy people - enter their address, and watch them drown in a sea of identikit mail bombs.

However - if you try to download the program, you'll be presented with this:

That's right - you have to register on a forum.

Think about that for a second. You just gave some random guy off the Internet - the creator of a Mail Bombing program - your EMail address.

I mean, there's lemmings and there's cliffs, but there's also running into a hail of Tommy Gun fire screaming DO IT, DO IT NOW.

This is one of those moments.

Evolution Of A Moneymaking Tactic

Fri, 19 Jun 2009 11:44:07 +0000

Since January, I've been following a particular kind of moneymaking scheme with interest. Originally, you paid a "small shipping fee" to have information on Government loans (that you could get for free anyway) sent to your door - then finding yourself being billed every month. From there, it evolved into coughing up a shipping fee in return for some magical "make money from Google" program, but the basic idea remained the same.

Shall we take a look how this one has progressed?

First, they presented you with the Obama Stimulus Program.

Click to Enlarge

Then they wheeled out a moneymaking man of mystery (that would be "Kevin Hoeffer") who couldn't decide if he was making a fortune from Government Grants or Google.

Click to Enlarge

To go with the fake blogs, fake blog comments were thrown into the mix that actually made it a lot easier to keep track of all the fake Kevins. Or Jeffs. Or...whatever his name is / was.

Kevin Hoeffer recently returned, complete with what must have been some pretty extensive plastic surgery and a brand new website pimping his "Two Step Formula". Check out his "new ride":

Click to Enlarge

Someone better tell him to call the police, because Steve Pickens has apparently stolen his car.

Click to Enlarge

...and on it goes.

The most recent version was highligted by Kevin Poulsen of Wired fame. A good portion of the URLs mentioned in this post now link to the new site, which is designed to look like a genuine news website:

Live at 5, this site is a fake, originally uploaded by Paperghost.

I'm still trying to get my hands on the URLs involved (and I'll update the post as I get them), but the one cited by Kevin is

http://news5alert.com

and there's also another one (called the "Bakersfield Gazette News") at

bakersfieldgazette.com

All these sites currently lead to something called the "Cash Secret Club" (ooh!) which uses a fake countdown timer and the panic inducing tactic of claiming they only have "42 slots open" to get you to part with your cash.

Cash Secret Club, originally uploaded by Paperghost.

As you probably guessed, the URL for that site is

cashsecretclub.com

with another one located at

google-money-master.com

so feel free to add them all to your blocklists, unless the thought of paying $1.00 for shipping...."something"....to your home address while potentially having billing issues (to the tune of $79.95) like this person did is an appealing one.

Which it isn't. And that's the truth whether your name is Kevin, Jeff or Joey Joe Joe Jones Junior Shabadoo...

iPhone Twitter Messages Lead To Male Enhancement Spam

Thu, 18 Jun 2009 15:02:28 +0000

Given the furore over the new iPhone 3.0 OS hitting recently, it's no surprise that spammers are taking advantage of this on Twitter. Already, we've seen iPhone spam leading to high definition TV offers, and sure enough there's a fresh campaign now doing the rounds.

If you see something like this:

...then it's a fair bet clicking the link will take you to a "male enhancement" website complete with pictures of men's bits that you'd probably rather not see in work or whatever:

Click to Enlarge

The URL in question is

enlargenew.com

Interestingly, aside from the usual deluge of spam profiles pimping the links, we've heard there are regular Twitter users complaining about being "hacked" and sending these same messages. In all probability, there's a phishing aspect to this particular campaign and that's why people are seeing these messages go out from their own accounts.

As a final note, the title of the spam appears to be taken from this article on MobileCrunch.

Be careful what you click...

"Obama has just been killed" - 100% Incorrect

Thu, 18 Jun 2009 13:07:20 +0000

A few days ago, I wrote about a cancer support blog:

xtrememillionsuk.blogspot.com

...that kept popping up in Twitter links, always as a result of outrageously OTT spam messages. I did wonder at the time if the site owner had simply purchased an advertisement package that (unknown to them) involved mass Bot spam. Besides the possibility of potential Google Ad click fraud (and it's doubtful random visitors to a random cancer support blog would suddenly feel compelled to start clicking every Google ad in sight) I couldn't really work out the angle, although the URL clearly has a spammish twang to it.

Well, Rik Ferguson of Trend Micro went and double checked the site the other day and came back with some fresh information. I don't recall seeing this at the time so perhaps it's only just "gone live", so to speak. Or maybe I just missed it, who knows. Anyway...

Here's some more Twitter spam, with the now familiar OTT headlines:

Click to Enlarge

"Obama has just been killed", "Mousavi hilton has cancer" and "Stephen Colbert hit a woman" are all going to drag in the clicks from curious onlookers. They all take you to - you guessed it - the cancer support blog.

Cue Rik Ferguson, who found that at least some of the shortened URLs are apparently going through Tweetbucks and deposit you at the cancer blog via:

links.tweetbucks.com/links/redirector?siteID=rQ3yu4kdYcAXB7gbrhmoRSxaO&linkUID=f1ca20c1-1275-44be-94db-94f4b98b135a&short=bit.ly&href=http%3A%2F%2Fxtrememillionsuk.blogspot.com%2F

What is Tweetbucks?

"When people click your TweetBucks shortened links, we convert them to affiliate-enabled links by referencing our database of 1000's of online merchant programs. Every time your recommendation results in a purchase, the online merchant pays a commission. So tell your followers about the products and services you like. The more you recommend, the more you can earn."

It seems someone is trying to earn some cash from dubious links on Twitter at Tweetbucks expense. From this page on Adbrite, we can see the cancer blog gets a fair amount of traffic at present:

Pageviews per day [?] : Over 2,800
Unique users per day [?] : Over 2,800

...so there is at least some potential for raking in a bit of cash with this one. We'll be notifying the various services who have adverts / PPC services on the site and see if we can reduce the amount of "dead world leader" spam currently clogging up Twitter. Thanks to Rik for the additional information!

The Valve Verification Center

Wed, 17 Jun 2009 19:54:09 +0000

Here we have yet another Steam Phish, this one involving some forum based scammery. Our phishing friend sets up a forum account on the official Steam forums, then sends random people a "scary" message like this:

Click to Enlarge

Assuming the victim is suitably terrified by dire warnings of account hackings, they'll promptly jump over to

valve-ipfix.tk

which is a redirection URL hiding the "real" URL at

steampowerness1.awardspace.us

...and the victim will then enter their Steam login credentials to the phisher.

Here it is in all its phishy glory:

Click to Enlarge

Avoid.

Adding Insult To Injury

Wed, 17 Jun 2009 10:43:09 +0000

There's quite a few sites being hacked at the moment, with the hacked pages redirecting to the following "calling card":

Click to Enlarge

.....ouch.

Yes, I Would Like To Hack Myself

Tue, 16 Jun 2009 21:13:25 +0000

Step 1: Obtain a wonderfully cool looking "Gmail Hacker" program.

Step 2: Enter the GMail address of your intended victim, without stopping to wonder why the application is asking for YOUR login details too:

Step 3: Find yourself dazzled by flashing lights and progress bars after you hit the "Hack Them" button.

...ooh. Progress bars.

Step 4: Pull a sad face as your wonderful hacking program informs you that there "was a problem".

Man, I didn't see that one coming at all.

Step 5: Take up astral projection, float over to the program creators house, wind back time (hey, if you can project yourself in an astral fashion you've probably mastered the art of time travel too) and ask yourself why they're putting their own GMail details into the building tool that creates the GMail hacking program you'll soon be playing with:

Step 6: Wind time forward a bit then check out the latest EMail he's just been sent. Amazingly enough, it came from the hacking program you tried to run earlier. Not so amazingly, it contains your OWN login details.

Congratulations, you just hacked yourself.

Don't you feel so much better now?

Pastebin Botnets?

Mon, 15 Jun 2009 10:03:09 +0000

I've always been interested in Botnet research, and a piece of code in circulation on forums at the moment seemed interesting enough to write about. The subject is "Pastebin Botnets", but first we'd better talk a little bit about Pastebins...

Pastebins - what are they?

From Wikipedia:

A pastebin, also known as a nopaste, is a web application which allows its users to upload snippets of text, usually samples of source code, for public viewing. It is very popular in IRC channels where pasting large amounts of text is considered bad etiquette. A vast number of pastebins exist on the Internet, suiting a number of different needs and provided features tailored towards the crowd they focus on most.

Pastebins have become very popular in certain hacking communities, where quick and easy sharing of a targets personal information ("Dox") is perfectly at home in the world of pastebins.

Click to Enlarge

That's for another writeup, but at least we now have a decent idea of Pastebins and how easy they make things where rapid sharing /storage of data is concerned.

What does this have to do with Botnets? Well, over the past week or two I've seen a piece of code floating around on various forums that (according to the author) has the potential to be used in conjunction with a Pastebin to issue commands to a Botnet. I'm not aware of pastebins being used for issuing Botnet commands (though of course that doesn't necessarily mean it's a new technique) and was curious to see if this is indeed something relatively new or a method that's been around for a while.

Why is a Pastebin Botnet a good idea for a Botnet owner?

In a nutshell, the Botnet owner can post Botnet drone commands quickly and without fuss to a Pastebin page (your "Botnet Hub"), and the drones will carry out those commands.

Web based Botnets have been all the rage for some time, as they're usually harder to detect than the rather obvious IRC traffic of old. There are some other advantages, too - Pastebins are plentiful and the main sites (such as Pastebin.com) are rarely offline.

In addition to this, you don't have to waste time setting up webpages & hosting accounts while hoping your host doesn't shut you down - it's simply a case of cutting and pasting text onto a Pastebin. If your page dies, it takes seconds to start again (as a sidenote, there's an interesting recent post here regarding the use of RSS feeds in conjunction with Pastebins to issue commands to Botnets from changing locations which is pretty smart).

As you can see then, Pastebins appear to be a bit of a hot topic for people discussing Botnets at the moment and a clever spin on web based Botnets in general. So how does it work?

Ye Olde Disclaimer

Although the idea behind it is sound, it seems the code doing the rounds on various forums (written in Perl) is "proof of concept" and would need some work doing to it to unleash a fully formed Botnet. Despite this, according to the creator it can already read pastebin posts for text (which are then used to issue commands to the Bots), post in the previously mentioned "Botnet hub", post in its own individual private pastebin, and get the latest post by the botnet owner.

Here's a few screenshots of said code:

Click to Enlarge

Click to Enlarge

The idea of using Pastebins in this way is a clever one - I've seen people post Bot drone code (which needs compiling in an external application) to Pastebin pages for "storage" many times (in much the same way people post "dox" to pages for safe keeping), but this is the first time I can remember seeing someone thinking about using a Pastebin itself to act as a kind of Command & Control center for a Botnet.

If you've seen this technique before, feel free to share your thoughts in the comments - it's certainly one of the more interesting Botnet ideas I've seen in a while.

More KoobFace

Fri, 12 Jun 2009 17:41:22 +0000

There's a link currently in circulation that does pretty much what you'd expect it to - drop you onto a site hoping you'll install the executable.

The site in question is

eurostandart.biz/publicdvd/

And going there redirects you to

86.20.21.129

which looks like this:

Click to Enlarge

This is, of course, one of those fake Youtube pages called "Yuotube". Avoid, steer clear, run away...

Personalised 419 Scamming On Skype

Fri, 12 Jun 2009 13:25:24 +0000

A friend of mine had this "exchange" on Skype a few days ago:

[10:36:19 AM] SHAHEEN: FROM: AHMED.S.
EMAIL: shhnahmed5@gmail.com

Hello [NAME REMOVED],

I have tried to reach you on Skype phone, but your line was busy, so I decided to write you this message. I have been in search of someone with this last name "[NAME REMOVED]", so when I saw you online, I was pushed to contact you and see how best we can assist each other. I am AHMED.S, a Bank Officer here in U. A. E. I believe it is the wish of God for me to come across you now. I am having an important business discussion I wish to share with you which I believe will interest you, because it is in connection with your last name and you are going to benefit from it.

One Late Michael [NAME REMOVED], a citizen of your country had a fixed deposit with my bank in 2003 for 60 calendar months, valued at US$26,700,000.00 (Twenty Six Million, Seven Hundred Thousand US Dollars) the due date for this deposit contract was last 22nd of February 2008. Sadly Michael was among the death victims in   the May 26 2006 Earthquake disaster in Jawa, Indonesia that killed over 5,000 people. He was in Indonesia on a business trip and that was how he met his   end. My bank management is yet to know about his death, I knew about it because he was my friend and I am his account officer. Michael did not mention any   Next of Kin/ Heir when the account was opened, and he was not married and no children.

Last week my Bank Management requested that Michael should give instructions on what to do about his funds, if to renew the contract. I know this will happen and that is why I have been looking for a means to handle the   situation, because if my Bank Directors happens to know that Michael is dead and do not have any Heir, they will take the funds for their personal use, so I don't want such to happen. That was why when I saw your last name I was happy and I am now seeking your co-operation to present you as Next of Kin/ Heir to   the account, since you have the same last name with him and my bank head quarters will release the account to you. There is no risk involved; the transaction   will be executed under a legitimate arrangement that will protect you from any breach of law.

It is better that we claim the money, than allowing the Bank Directors to take it, they are rich already. I am not a greedy person, so I am suggesting we   share the funds equal, 50/50% to both parties, my share will assist me to start my own company which has been my dream. Let me know your mind on this and   please do treat this information as TOP SECRET. We shall go over the details once I receive your urgent response strictly through my personal email address, shhnahmed5@gmail.com

We can as well discuss this on phone; let me know when you will be available to speak with me on Skype. Have a nice day and God bless. Anticipating your communication.

AHMED.S.
shhnahmed5@gmail.com

One to avoid...

"BNP Leader Shot" Twitter Spamrun Leads To Cancer Support Blog(!)

Tue, 09 Jun 2009 14:04:45 +0000

Well, this is something you don't see everyday.

There's a fair amount of spambot profiles clogging up Twitter at the moment, all of which look a little like this and claim a British National Party leader has been shot and killed:

There's quite a few of them about, check out the Twitter Trends page.

Bizarrely, all of them take you to what looks like a genuine cancer support blog.

Click to Enlarge

I'd like to think the owner of such a site wouldn't be crazy enough to attempt to drive traffic using spambots in this very surreal fashion, so I can only hope they saw a "promote your site" package and it wasn't quite what they were expecting...