The Numbers Game

I saw a link somewhere to this article on the Symantec Security Response Blog, regarding a wave of Myspace phish pages using a .cn domain. Now, I've read it a few times and I'm still puzzled.

Why are you puzzled, Mr Ghost I hear you cry? Well, check this out:

"Symantec has recently observed millions of user profiles of a certain social networking site carrying malicious links."

....millions? At any rate, the screenshot of the phish link keeps bugging me:


Some things to note.

1. The blog entry doesn't actually SAY "Myspace" - they say "a certain social networking site", like they're not allowed to say their name or something. However, they leave in the fake Myspace URL (minus the numbers that make up the fake domain) which sort of gives the game away as to what site is the target here, right? I mean, why would you find something dubious that targets a site but then not want to mention what site is under attack? Not really important, but still - niggling.

2. They blanked out a part in the first sentence, which (at first glance) makes it look like they blanked out someones name or something. However, as these phish links are a dime a dozen at present, I can tell you that it actually says "Myspace". Again with the removal of the Myspace word.

Wha?

3. Millions of profiles are apparently carrying this phish link. Well, it only took a few minutes to work out what the link is - here's one of many that I found earlier today:

This is a well known Myspace phish domain, that typically posted up either the above message, or a handful of others (NUDE PICS ON HER PROFILE!!! for example) over a few days at the end of January / start of February (as you can see from the dates in the two screenies above). The bad guys behind this scam also use a bunch of other URLs, which we'll look at later.

Anyway, this is where it gets weird. They say they've seen "millions of malicious links" posted to Myspace, and give the domain in their screenshot (which I'm going to guess is the 91878802.cn domain) as a single example.

Yet their Myspace search image seems to show just over five million phish results from a Myspace search which is apparently searching on one single phish URL:

For some bizarre reason, they've cut the end of the search box off so you can't see what they entered. If (for example) I type in the full fake phish domain that's mentioned in my own screenshot, I get this - a less than impressive total of one result returned. So, going back and simply searching on "91878802.cn" is a little more impressive - 289,000 results. Still a long way off five million, though. Even if I allow myself some rampant generosity and throw in all the other domains these guys use, I still don't get anywhere near "millions" of results:

272000 results for 1187328.cn

80,500 results for 91872772.cn

65,200 results for 91872802.cn

13,700 results for 5187622.cn

Add all those together and combine with the original domain, and you end up with 720400 results returned.

What domain are they searching on that pulls up five million results? Anyone seen this herpes-like domain out there? Doing a search in both Myspace and Google for "check out her profile LOL." only brings back the 91878802 domain.

Little help?

/ Update - a good pal of mine has managed to confirm the search string they used, and ended up with the same numbers as Symantec. As for as their blog entry itself goes, I still don't understand what the big need is for all the cloak and dagger stuff when talking about a bunch of fairly commonplace phish links on Myspace...