Recently in Social Networking Category

You might want to keep an eye on your honesty levels over the next few weeks where Facebook is concerned - sometimes trying to find out more than you're entitled to will bite you on the backside as we're about to see.

You may or may not be familiar with the "Honesty Box" application on Facebook - like similar features on Myspace etc, it allows people to leave entirely anonymous messages on your Facebook page to the tune of "I love you" or "You're a big stinky head" leading to hours of fun for all the family.

It seems a group of individuals are spamming a fake program to the walls of unsuspecting Facebook users, promising to "reveal all" with regards who called them an idiot at 2 in the morning:


The program claims it will strip out the hidden data from your honesty box, then convert it into a name so you know who left the message. Of course, it's all nonsense; the program is bound with a random Keylogger / Trojan / Virus of the attackers choosing, which means your day could take a very random and unfortunate turn depending on what they have in store for you.

Fakey fakey, originally uploaded by Paperghost.

 This could be a perfect setup for scammers to phish accounts, then use those compromised accounts to spam the application onto more Facebook walls where new victims can be attacted by the lure of "really secret stuff".

Yesterday I happened to see a particularly creepy advert containing a number of rotating images claiming to offer "Hacked Facebook and Photobucket accounts" for a price:


The site the image links to is called...well, see for yourself.

Wait...what?, originally uploaded by Paperghost.

Yes, the site is actually called "" and claims to offer up an endless series of images from "hacked" accounts including Myspace, Photobucket and Facebook in return for a monthly fee. Or, as they like to put it:

As porn site marketing campaigns go this one is certainly, uh, different.

"Every day we prowl Facebook, Photobucket, Myspace and a ton of others....then we let our team of hackers do their thing"...

Account hacked!, originally uploaded by Paperghost.

Just to force the message home, hovering over any image will pop up some text on top of the picture:


Just when you think they can't possibly get any creepier or salacious, the final image at the bottom of the first set actually looks like this:

Extreme, originally uploaded by Paperghost

...yep, we'll throw in dubious claims of hacked accounts / stolen images AND we'll lob in a blood splattered "Too extreme" banner supposedly covering up some of the pictures. While this is clearly a piece of Lame Marketing 101, the overall effect of the site is extremely disturbing.

Are the images actually stolen? It's doubtful; in all probability the bulk of the content (if not all of it) is made up of stock pornographic content. But simply claiming they've been plundering images from supposedly hacked accounts on Facebook, Myspace and all the rest of them for financial gain blows my mind, is an amazingly dubious piece of non-ethical marketing and is surely a fast track to a day in court.

You would hope...
(Huge thanks to Baz of, who provided the screenshots, translations and helped me to make the connection between a number of rogue blogs I'd been looking at recently and a particularly nasty Vkontakte scam that I had no idea existed until yesterday).

Now that we've got that bit out of the way, your first question may well be "What is Vkontakte"?

Well, it's billed as the Russian Facebook and seems to be pretty popular (45 million users as of October 09). With that amount of users, it seems that the usual "build it, and they will come" rule applies to scammers, phishers and malware authors as we shall see.

What's Happening?

You know how on Facebook you get those wonderful Koobface worms that post links to fake videos, and if you run the file you end up with infections galore and a bunch of messages posted to the walls of your friends?

This is a similar scenario, with messages (which may or may not be automated) posted to Vkontakte pages which lead to malicious downloads - many of which will do horrible things to your computer if given the chance including account theft, Trojans and desktop lockouts.

Here is a sample message posted to a typical Vkontakte page:

Vkontakte Fake Exploit Message, originally uploaded by Paperghost.

It says that there is a "mega hole" in Vkontakte which allows you to see private profiles. Click the link, and you're redirected to one of a chain of Blogspot blogs which look like this:

Vkontakte Scam Blog, originally uploaded by Paperghost.

Here is the translation, courtesy of my new pal Baz:

Page title: Mega hole in Vkontakte!

How to get full access to a private Vkontakte profile and how to defend your profile

This hack will be fixed at any moment, so use it before it is too late!

Everything is very simple.

1. Download the program <link> <mirror>

2. Run it

3. Enter the id of the profile you want to get access to.

Finding the id is very simple, just go to the persons (profile) page and at the top there will be something that looks like:******

4. Afterwards, you will have full access to the profile of the person whose id you have entered.

If you have any doubts, just check the program with antivirus and convince yourself that everything is in order.

If the first program didn't work, here is the second: <link>

Depending on the payload, you may end up with Trojans, Rootkits, worms and / or other assorted junk deposited on your PC with a strong emphasis on SMS scamming. We'll take a look at some of those momentarily, but I should mention a particular spamming technique that Baz spotted which seems to be getting past whatever spam filters Vkontakte has in place.

On Facebook you've probably seen the graffiti wall application, which allows you to draw an endless series of humorous body parts on the wall of your choice.  Vkontakte has a similar (if not identical) application, and it looks like the scammers are pasting their "massive hole" messages onto that which neatly sidesteps spam filters.

Vkontakte Graffiti Spam, originally uploaded by Paperghost.

"ahahahaha!!! s*it!! I got access to your profile via"

Pretty smart.

What do the files do?

Vkontakte Scam Infection Files, originally uploaded by Paperghost.

Here's a bunch of scan results, feel free to browse through and be glad none of them were dropped onto your computer. In general, the files claim to attempt contacting the Vkontakte servers, then "fail" with a nice fake error message; meanwhile ( know the drill...) a wide variety of junk is inserted onto the PC behind the scenes and your login vanishes into the wide blue yonder.

The messages posted to the Vkontakte site may or may not be automated; none of the files tested display any sign of worm related shenanigans. A big part of this scam is a phishy Hosts file hijack:

Vkontakte Scam Hosts file hijack, originally uploaded by Paperghost.

Something to note where the Hosts file hijack is concerned - they'll swipe your login details and potentially direct you to the following fake login, complete with SMS activation code:

Vkontakte SMS Message, originally uploaded by Paperghost.

Yes, they'll take your login and your money too. However, I want to wrap up with this particularly eye watering file:

Vkontakte SMS Lockout File, originally uploaded by Paperghost.

"Activate"? Whatever does it activate, I hear you cry? Well...

...ouch. It claims you're running an unlicensed version of Windows, and won't give you your desktop back until you cough up a random amount of cash via SMS.

All in all, a nasty collection of exploits and scammery - if you know anyone who uses Vkontakte, feel free to give them a heads up and avoid any random messages promising access to secret profiles / images / leprechauns.
Remember these guys?

Well, they're back on Twitter, and they've ditched random pictures of peoples faces - instead, they now use cute little bird graphics, presumably to make you think they're somehow official or related to Twitter itself. Examples...





There's a lot of these profiles around at the moment - ignore / block the lot of them and hope Twitter gets a grip on this fresh wave of spammers...

/ Update: According to comments left on the blog, the images are the new default "auto image" for profiles that don't have a picture. However, the same rule applies: Anyone promoting "Google hiring" messages should be blocked / reported. I've also replied to criticism of this entry here.

Spambot Fail

| | Comments (0)


Hat-tip to Kevin Church for spotting the Bot!
There's an awful lot of people waking up today to find this view greeting them in their Twitter followers list:


Clicking into any of the profiles reveals them to be entirely blank - there are no Twitter messages posted on any of them. There is some text poking out from the profile picture, however:


Click into the profile image and you'll see this...


Pasting text messages promoting IM webcam bots in the profile image (instead of lots of fake Twitter messages posted all over the place) seems to be the latest way to try and avoid the "obvious spammer banhammer".

I don't think it's going to work...
When you're looking into dubious activities online, you don't always catch bad guys in the act - every now and again, you get there a little too late and have to put the pieces together as best you can.

I'd heard rumblings of people using Facebook application pages in weird and not so wonderful ways, but hadn't actually seen it in action. Digging around, I was somewhat surprised to see the following greeting me on a Facebook application page for something called "Customer Dispute":

Click to Enlarge

As you can see, something is very wrong here - there's a valid Facebook URL:

...but instead of a standard Facebook application install screen under the URL as you'd expect, the entire content is taken up by a "Page not found" message served up by Ripway hosting (who are often used and abused by script kiddies with phish pages and rogue executable storage).

A quick Google for this "Customer Dispute" page and from a hacking forum we see...


..."New form of Facebook phishing"? Oh dear.

It seems someone set up an application developer account with Facebook, placed a fake "customer dispute page" onto their Ripway hosting, which they were somehow able to post onto their Application page and start directing Facebook users to it.

I don't know about you, but people are always complaining about something on Facebook - throw in a fake "dispute" page onto an actual Facebook URL and you're probably going to see stolen accounts roll in 24/7.

I was dying to know exactly what form the fake Customer Dispute page took, but the person responsible had obviously developed cold feet and pulled it. We notified both Ripway and Facebook, and also asked if they could enlighten us exactly what the content of the fake page was before whoever uploaded it took it down.

Ripway quickly closed the account of the uploader:


The thread on the hacking forum magically vanished, presumably because the creator didn't want evidence lying around the net tying it back to him:


Facebook (to their credit) reacted quickly - the dubious application URL now looks like this, which is a genuine "not found" page from Facebook with links that direct you back to the main site:

Click to Enlarge

.....a lot better than "phony content goes here".

I'm not naive enough to have actually expected either company to get back to me, but it would have been useful in knowing what we're dealing with here. While I can appreciate Facebook aren't going to go yelling about this scam from the rooftops if they can help it, they surely have a responsibility to at least warn their users that people are doing something very dubious with Application pages. Of course, it makes it harder for myself to warn you with specifics with regards the exact content of the page that was removed too.

At this point, all I can say is that

1) It seems very likely (based on both the comments posted to that hacking forum and elsewhere) that it was indeed some kind of phony customer dispute phish plastered onto the application page. The exact form that this page took is currently up for debate.

2) If one person has done this, it's entirely possible others have - with that in mind, if you see an

URL, but NO application - then be wary, especially if it's asking you to enter login details (Facebook credentials would, of course, be the obvious target). Otherwise you might end up with a clear case of Two Point Doh...
Fake Retweets aren't particularly new, but you might not have seen them before. In a nutshell, there is nothing stopping you on Twitter from placing "RT" at the start of a message then putting in whatever user you feel like after it. For example, if someone wanted to make it look like I was on a drunken insult rampage:


Of course, I never said that - and for a follower of mine to see this message, they'd have to be actively looking for "@paperghost" messages in the search feature so the chances of being horribly offended are slight. However, we can step it up a notch (with the permission of Rik Ferguson who agreed to let me use him for this next bout of fakery):


...whoops. If I'm not someone who bothers to check the authenticity of a Twitter message, then I'm now chasing Rik Ferguson with a baseball bat under the misguided notion that he's smacktalking my mother (actually, he's taller than me so I'll probably just settle for pulling angry faces at the screen).

With that in mind, I saw this pop up in my Twitter feed earlier today:

fakeghostrt1.gif you probably guessed, I didn't say that. Neither did any of these people:

Click to Enlarge

What's the idea? Well, take a look at the links in the above screenshot. The profile is designed to lure Twitter users in with fake retweets (either the person being "retweeted" themselves, or users who follow mentions of that individual and are curious what they're supposedly talking about) and then hope they click one of the many spam / promotion links.

The fake retweets are quite crude, but with a little tweaking they could perhaps make the fake retweets more controversial or include a URL link with the fake message which would probably increase the clickthrough rate.

Remember - if something looks a little odd about a message sent out on Twitter from a contact, check with them that it's the real deal first...

I regularly see a lot of extremely dubious and rather slimy techniques deployed to get end-users to run horrible things or fall for scams. Generally, the targets tend to be the technologically inept or granny, sitting in the corner. See granny? Sure you do, she's right over there replying to the Third King of Nigeria and helping him out with his cash relocation problem.

However, I've come across a scam rapidly spreading across numerous underground forums and IRC channels that is truly one of the scummiest tactics I've seen in some time.

How bad? Allow the following screenshot to spell it out for you.


Ladies and Gentlemen, allow me to present you with the winner of the Lowest Tactic Used in 2009 award. Do your kids play Neopets? If they do, you might want to read this and gently warn them of the dangers.

Neopets: What is it?

Neopets, originally uploaded by Paperghost.

From Wikipedia:

Neopets (originally NeoPets) is a virtual pet website, based around the virtual pets that inhabit the virtual world of Neopia. Visitors can create an account and take care of up to four virtual pets, buying them food, toys, clothes, and other accessories using a virtual currency called Neopoints. Neopoints can be earned through playing games, investing in the game's stock market, trading, and winning contests such as customization and art. Neopets also operates a pay-to-play version known as Neopets Premium, which offers additional features and benefits for a monthly fee of $7.99 (USD).

The scam is based around one of the core mechanics of Neopets: kids love rare items and things that nobody else has. Neopets has magical paintbrushes - stay with me on this - and they're rather hard to get hold of nowadays. As an example of that, here's a petition posted in 2004(!) that people are still posting comments to. In addition, here's a list of current prices - now consider a newcomer to Neopets starts with the rather paltry sum of 1000 Neopoints, and you can see why there's a desire for these items.

This is where we target some 12 year olds with social engineering. Oh dear...

The Method

Neopets is effectively social networking for younger kids and some teenagers. Or, as someone on a hacking forum put it while discussing this particular attack,


...ouch. No surprise, then, that the site has many communal areas where people can chat, hang out, send each other messages and see what's going on. Our hackers will move to the trading areas, where kids can post requests for items they'd like to buy, sell or trade. Then it's just a case of hunting out posts like this....


...and that child is, officially, doomed. Asking for paintbrushes on the trading areas of Neopets will mean that they're likely to be the recipient of a Neomail (private messaging on the Neopets website) that looks like this:

Neopets Scam, originally uploaded by Paperghost.

From there, it's just a case of said child visiting the external link, downloading a file and being keylogged into infinity and beyond. Then the fun really begins.


Wave goodbye to your rare items, kids - and you didn't want your XBox Live account (that potentially has credit card details attached to it) anymore either, did you? The attackers then use the familiar tactic of taking a previously trusted source and using it to attack their friends & other newcomers to the site. Alongside hanging out in the handily labeled "Newbies" section and spamming messages, they'll also post fake "It worked" messages from compromised accounts to the forums of threads started by the attacker, much like people do on Youtube to give the impression that fake programs actually work (scroll down to "positive comments").

Additionally, the PC is quite possibly used by other people, or indeed belongs to someone else altogether....


...which would be, as you can imagine, a "bad thing".

Shall we see some of the reaction to this attack method from the peanut gallery?


"Stupid 12 year olds" are apparently in for a smackdown.


The above individual is clearly excited by this.


...well, if you're going to intentionally target young kids you might as well go the whole hog and dump them into a Botnet too. The messages aren't just being posted and sent by private message on the Neopets site - they're also turning up on third party websites too.

Click to Enlarge

Interestingly, sites such as Neopets are accessed in corporate environments too - FaceTime collects live traffic data from commercially deployed Unified Security Gateway appliances at more than 80 mid to large enterprises worldwide that have opted into this program, representing the daily Web-based activities of more than 100,000 corporate workers.

During the past week, these corporate workers have accessed 99 different virtual worlds from their work computers, and at least half of those are targeted at children. Perhaps the kids are asking their parents to check on their Neopets at work or see if the latest friend request on Myspace has been approved?

At any rate, let's hope they're wary of too-good-to-be-true paintbrush deals. Whether at home or in the workplace, "offers" such as the ones above should be avoided and anyone sending your child messages about paintbrush creators should report them here (you'll need to be logged in to access that URL).

I never thought I'd have to advise young children to stay frosty, but there you go...

More KoobFace

| | Comments (0)
There's a link currently in circulation that does pretty much what you'd expect it to - drop you onto a site hoping you'll install the executable.

The site in question is

And going there redirects you to

which looks like this:

Click to Enlarge

This is, of course, one of those fake Youtube pages called "Yuotube". Avoid, steer clear, run away...


About this Archive

This page is a archive of recent entries in the Social Networking category.

Research is the previous category.

Spam is the next category.

Find recent content on the main index or look in the archives to find all content.