
All articles licensed under a Creative Commons License.
 









Wednesday, April 16, 2008

Creepy Myspace Interweb Stalkers


Remember the Myspace thing from a few weeks back where some nifty code could auto-subscribe you to someone's video channel (and thus give them a method of knowing exactly who had visited their page)?

Well, some further digging has revealed that this particular scam has been in use by scumbags everywhere since at least October 2007.

That's pretty bad news, right there. So is the fact that this is still going on - visit Spywareguide for details.


Tuesday, April 01, 2008

Myspace: Who Is Watching The Detectives?

....a lot of horrible people, as it turns out. Someone has come up with a really sneaky way to automatically subscribe you to their video channel on Myspace, simply by visiting their Myspace profile. This then gives them a big long list of everyone that's ever been on their page. You can discuss the pros and cons of this with regards the risk to "regular" Myspace users, but I think the biggest issue here is for Law Enforcement, Security Researchers and "groups of angry people that hunt down pedophiles in various glorious ways".

Why? Because all of the scumbags using this trick (Myspace are calling it an "Error", and are working to fix it) suddenly know when a good guy is watching them, and can go underground, or maybe prepare for some Black-Hat retaliation. Click here to read all about it, and also find out how you can prevent this from happening to you. Thankfully, the solution is nice and easy.

Makes a change, right?


Thursday, February 21, 2008

The Numbers Game

I saw a link somewhere to this article on the Symantec Security Response Blog, regarding a wave of Myspace phish pages using a .cn domain. Now, I've read it a few times and I'm still puzzled.

Why are you puzzled, Mr Ghost I hear you cry? Well, check this out:

"Symantec has recently observed millions of user profiles of a certain social networking site carrying malicious links."

....millions? At any rate, the screenshot of the phish link keeps bugging me:


Some things to note.

1. The blog entry doesn't actually SAY "Myspace" - they say "a certain social networking site", like they're not allowed to say their name or something. However, they leave in the fake Myspace URL (minus the numbers that make up the fake domain) which sort of gives the game away as to what site is the target here, right? I mean, why would you find something dubious that targets a site but then not want to mention what site is under attack? Not really important, but still - niggling.

2. They blanked out a part in the first sentence, which (at first glance) makes it look like they blanked out someone's name or something. However, as these phish links are a dime a dozen at present, I can tell you that it actually says "Myspace". Again with the removal of the Myspace word.

Wha?

3. Millions of profiles are apparently carrying this phish link. Well, it only took a few minutes to work out what the link is - here's one of many that I found earlier today:

This is a well known Myspace phish domain, that typically posted up either the above message, or a handful of others (NUDE PICS ON HER PROFILE!!! for example) over a few days at the end of January / start of February (as you can see from the dates in the two screenies above). The bad guys behind this scam also use a bunch of other URLs, which we'll look at later.

Anyway, this is where it gets weird. They say they've seen "millions of malicious links" posted to Myspace, and give the domain in their screenshot (which I'm going to guess is the 91878802.cn domain) as a single example.

Yet their Myspace search image seems to show just over five million phish results from a Myspace search which is apparently searching on one single phish URL:

For some bizarre reason, they've cut the end of the search box off so you can't see what they entered. If (for example) I type in the full fake phish domain that's mentioned in my own screenshot, I get this - a less than impressive total of one result returned. So, going back and simply searching on "91878802.cn" is a little more impressive - 289,000 results. Still a long way off five million, though. Even if I allow myself some rampant generosity and throw in all the other domains these guys use, I still don't get anywhere near "millions" of results:

272,000 results for 1187328.cn

80,500 results for 91872772.cn

65,200 results for 91872802.cn

13,700 results for 5187622.cn

Add all those together and combine with the original domain, and you end up with 720,400 results returned.

What domain are they searching on that pulls up five million results? Anyone seen this herpes-like domain out there? Doing a search in both Myspace and Google for "check out her profile LOL." only brings back the 91878802 domain.

Little help?

/ Update - a good pal of mine has managed to confirm the search string they used, and ended up with the same numbers as Symantec.

As far as their blog entry itself goes, I still don't understand what the big need is for all the cloak and dagger stuff when talking about a bunch of fairly commonplace phish links on Myspace...


Friday, February 08, 2008

The Myspace Hack Pack

So there I was, getting ready to put together the latest SPG writeup (about a curious collection of tools I came across designed to make cracking Myspace accounts a lot easier). Then I thought, well, the discussion I had with one of my researcher guys pretty much explains it all anyway (and he'd already pulled it to pieces overnight), so why bother rehashing our Skype chat into an article when I can just repost the chat onto SPG instead?


Monday, February 04, 2008

Somewhere in an Ad agency...

Ad Agency Guy: Hey, wow! I got an AWESOME idea for an advert!

Ad Agency Boss: Well, what is it?

Ad Agency Guy: First, I take a screenshot of a Facebook application! Then I stick it on adverts that rotate on Myspace! Then I make it look like it's some kind of new feature on Myspace so people will click it! After that, they get charged a crapload of money for stupid text messages when they sign up! And the best part is....THERE ISN'T EVEN AN APPLICATION, IT'S ALL FAKE!

Ad Agency Boss: I am so horny right now. Have six billion dollars.

Ad Agency Guy: GO WEB GO!


.
.
.
.
.
.
.
.
.
.





Read all about it here.


Thursday, January 24, 2008

Avoid this fake "Myspace program"

Here's a Myspace scam currently doing the rounds - scumbags everywhere take one custom built (completely fake and useless) Myspace "program" called MySpace-X2.0, then bind it to their virus / trojan of choice and convince you to run the executable.

Techniques seen in the wild include getting the victim on MSN Messenger then sending them the file, or sending out a Myspace bulletin with a link to the download. If you see this:



....run away.


Wednesday, January 23, 2008

Myspace Spammers: Tools of the Trade

This is a program used to create fake profiles on Myspace. If you want to see how it works (along with a bunch of domains hosting the information the program above puts into action), click here to see the latest Spywareguide writeup. Thanks to LoLo for the tip - pretty crazy stuff.


Friday, January 18, 2008

Terrible new Myspace feature

Did you know that when Myspace Tom sends out his bulletins, he has two different sets - one for the regular users, and one for the bands? So if he happened to send something out that might raise eyebrows in security circles (but it only went out to musicians), you'd need to make sure it went to someone with a foot in both camps. Someone that rants about security and also dabbles in music?

Oh my. Wherever would I find one of those?....



....lol.

Check this out - Myspace are going to allow band profiles with more than 10,000 friends to approve friend requests automatically. If someone has that feature enabled, they'll probably have comments moderation switched off too, right? Why would you save time approving friends only to wade through hundreds of "OMFG I LOVE YOU SIGN MY ALBUM" type messages?

The answer is, of course, you wouldn't.


This is the worst idea I've seen come from Myspace yet - it opens the door to a flood of profile spam on the most popular pages and can only result in badness for all. Infection links, dating ads, viagra sales - you name it, you're going to see it. Hey, Angry Comic Book guy, can I get your opinion on this one?







.....Angry Comic Book guy has spoken.


Monday, January 14, 2008

Turning Japanese, Myspace Just Turned Japanese I Really Think So

Another day, another Myspace disaster. If anyone sends you a random link on Myspace this week, you'd be better off NOT clicking it.

What's the problem this time? Let's take a look:

.....DOH!

Read all about how bad guys are turning you Japanese here (complete with an easy fix, because I'm just too damn nice).


Saturday, January 12, 2008

Myspace "Fake Windows Update" scam is third time lucky for bad guys

Someone just emailed me to ask if I'd seen anything of the latest Myspace scam doing the rounds. I just did a bit of Googling and I'm guessing it's this?

"Using a hacked MySpace profile, online criminals are trying to trick victims into downloading a malicious Trojan Horse program by disguising it as a Microsoft update, according to researchers at security vendor McAfee.

The attack is certainly not widespread -- McAfee has seen it used on only one MySpace profile -- but it does show how sites like MySpace can be abused by criminals."

Myspace has a lot of scams doing the rounds that are actually recycled over and over again. In this case, the fake "Windows update" has been around a long time, and used in two different waves of infections (that we know of).

Last June, they were used to try and install rogue antispyware - and then they resurfaced again in October, pushing what looks like a random assortment of hijacks.

If anyone has seen this latest round of installs in action, can they confirm exactly what this new attack tries to install? At first glance, it sounds like a similar setup to the second batch - I'd love to know if the same people are potentially behind all these attacks (or at least some of them), because if it is, it's an unusually drawn out campaign for a Myspace scam.


Saturday, January 05, 2008

Mystery Myspace screenshot claimed

I just saw that the page discussed here has been claimed, by Network Solutions.

From SCMagazine:

Late Friday, Susan Wade, spokeswoman for Network Solutions, said that the disclosed page belonged to her company, not the social networking giant.

Network Solutions is conducting an investigation to determine how the page was made public, she said.

"We touched base with MySpace to let them know that this was out there and there was some information [made public]," she said. "The good news here is that screenshot is information that you would find on a public database, except for the user ID."

MySpace, a client of Network Solutions, declined comment on the matter.

So, the good news is, Myspace hasn't been split open by a bunch of hackers - and most of the information could be found in public databases. True, someone has managed to gain access to something they shouldn't have, but it looks like no serious damage has been done.

I just hope I never have to mail Myspace about anything ever again.

/ shudder


Friday, January 04, 2008

Myspace: What actually happened here?

Last week, I heard rumblings of an "interesting" screenshot doing the rounds on a few forums, but I had no clue where to look for it. Then someone anonymously popped up on MSN - as they quite often do - and sent me a link to the screenshot in question.

As you might have guessed, the screenshot involved Myspace. What's worrying here is what the contents of the screenshot could mean, and the total and utter shambles of a response I've had back from Myspace. See, let me say this right away - whenever you trawl through the super secret security mailing lists, backroom areas on forums etc - there's always one question that keeps popping up, and it usually always draws a blank.

"Anyone got a contact for Myspace"?

Most of the time, nobody ever does. For all intents and purposes, their security team - whoever they are - might as well reside in another Galaxy. So when a screenshot containing what looked like a pile of sensitive data related to Myspace came my way, my eyes started to roll and didn't stop for three whole days.

Now, I had no clue what I was looking at, but it didn't sound very good given that this was supposedly popping up on various underground forums. Some of the items from the screenshot included:

"Domain Account Administrator, Myspace"

"CSR-Tools"

"Account: Retail"

"Billing Information".

These are just some of the items contained in the screenshot. Besides that, there's a number of domains seemingly connected to Myspace down the left hand side and a bunch of contact information (Emails, names, addresses, User ID numbers) in the main portion of the page.

Has someone wandered into the main admin panel for Myspace? Is this something to do with a storefront related to the site? Is it something else entirely? Who knows, but you can probably guess what happened when I attempted to draw attention to this. I mailed them using their autoform last week - no reply.

I tried again this week, and this is what I sent them:

hello, my name is chris boyd, director of malware research for facetime security labs. This is the second time I have sent this through, with no reply so far. A few days ago, someone pointed me in the direction of a screenshot a few people had heard about (screenie URL goes here).

The screenshot appears to indicate your main CSR account tools system was compromised in some way - can you confirm what has happened here? I will be writing about this later on today on my blog and would prefer to have the full details as to the extent of what has (or has not!) happened here.

Thanks,
Chris

Can you guess what I got back?

Hello,

Below is a pretty comprehensive overview on blogs presented in an FAQ format. It should answer all the questions you have about blogs.

Q: What is a blog?

A: A 'blog' is an online journal. Blog is short for Weblog. In recent years, 'blogging' or posting an online journal has become very popular.

.....yes, thanks for the handy blogging tips. Auto-reply ftl.

I mailed them right back and this time, I was supposed to be given an answer by an actual person. As it turns out, the auto reply above made more sense than what I was handed back. I sent them the same Email above - this is what I got (bold emphasis added by me):


Hello,

Most errors are cleared up in a matter of minutes so try to access the page again in a minute or so. If it's a significant problem, we're probably already aware of it and are currently working to resolve it. Please be patient.

......wha? Thanks for advising me to try accessing your potentially compromised system again in a few minutes, but that doesn't really solve anything, does it?

I've resent yet again with a little note asking if anyone there actually bothers to read anything they're sent, but I'm not getting my hopes up. I'd like to think the above screenshot doesn't represent anything serious, but would someone bother posting something like that to websites if they didn't think it was a big deal in the first place? I mean, call me paranoid, but I'm not entirely certain I want to be anywhere near a Myspace page at the moment. Is it safe? Is it compromised? Nothing to worry about? Being taken care of? Who knows?

Little help, Myspace?

/ Addendum - I just received the latest reply to my efforts to draw attention to this, and it's the best one yet:

I sent Myspace this:

"Is anyone there actually reading what I'm sending you? I'm telling you that you appear to have been compromised, potentially quite badly. And you're sending me another reply that doesn't help and tells me to "try to access the page again in a minute or so"?! I guess that would be useful if I was the one doing the compromising, but this isn't really much use to me, is it?

Let me repost my message for a third time"

This is what I got back:

"Hello,

We do not offer that option as it is not available within MySpace."

....I think my brain hurts.


Friday, December 07, 2007

A Message from Kryogeniks...

Their forum was up for a while, now it says this:

....in conclusion, Tesla is doomed and Hilary Duff sucks.

I love being right all the time.


Thursday, December 06, 2007

Justin Timberlake Myspace page hijacked too...


....as the Magical Pixie man says....

Man, they are going to kick his ass when they wake up to their website being all suspended and stuff.


Tila Tequila, Hilary Duff Hacked By "Tesla" of Kryogeniks

Well, if you're going to make a name for yourself on Myspace, hacking one of the biggest "stars" on there is a good way to go about things. Some fool went and hacked a bunch of stupidly popular pages, then plastered his hacker ID all over them. Worse (for him), he seems to have done it as a way of getting into the group - sadly, all he managed to accomplish was getting their domain suspended. I predict a face slapping for our happy hacker.

This isn't related to the Myspace band hacks of a few weeks ago, so at this point, we don't know how the page was "hacked".


Here's Tila Tequila's page as of a few hours ago:

It's worth noting she's one of the top three most popular acts on the whole of Myspace with 2,414,669 friends:

I'll be updating this entry at Spywareguide with all the info. Stay tuned...


Wednesday, November 28, 2007

Leaving a Nastygram from a Phished Myspace account for giggles....

....obviously, the content of the message will make you go blind. So, you know, read at your own discretion. Or, if you're like me, just read it and yell out WTF. On the bright side, this is the best advertisement for keeping your passwords secure, like, ever.

Well, that's embarrassing. And they didn't even give directions...


Making Art with phished Myspace accounts

Here we have a random profile containing messages from two phished individuals leading to ye olde Chinese Myspace fake login page.

However, of all the images they managed to randomly paste onto the comments section (and this scam uses a whole pile of pictures, randomly summoned when the code is pasted into the comments), they ended up with...

....that.

Pretty nifty, I guess. Like Warhol but with more bewb.


Monday, November 19, 2007

Myspace Band Hacks: How they did it, revealed? And...a curious twist

Today was weird. All this time during the band pages on Myspace being whacked, nobody ever seemed to know exactly what had happened with regards their mangled Myspace page. Was it Phishing? Hacking? Mind control? A combination of all three?

Someone, somewhere in a band who'd been whacked would know some specifics. The problem was, trying to find that random individual. More than a fortnight with no luck. And then today, just like that, everything changed.

First I got a friend request from a band on Myspace, Seagull Strange - then we exchanged a few PMs where I asked them if they had any idea what had happened to their page. You might recall I mentioned them a week or so ago - their page was carrying one of the redirects to the Chinese domain pushing fake media codecs.

Well, some guy out of the band told me this:

"Yes actually it wasn't a hack at all but an XSS attack. The XSS automatically posted additional CSS via javascript which replaced all <> tags on the page with the target pointing to their server. The script was called by being logged in as us and one of our band members clicking a link from an affected page. Hackers just don't hack myspace anymore. Short of social engineering the attack or guessing security responses and passwords it's just too tight. As the code is very simple and uses an exploit in CSS it isn't actually myspace's fault. Short of myspace banning all custom CSS code it isn't going to go away. Regards Seagull Strange"

Now, if what they're saying is correct - that the page is hijacked purely through clicking a link while logged in - then I would quibble over how someone using a cross site scripting attack to automatically overwrite tags on a page supposedly isn't classed as "hacking" - or how Myspace is supposedly "tight" (remember the Quicktime Worm attacks and how the security team responsible for "fixing" the problem was, like, 3 outsourced guys with no support?) - or how the people likely behind this (professional hackers via the Russian Business Network) don't somehow qualify as "hackers targeting Myspace" but whatever. The point is, someone has come out with some information that's actually useful, and points to something potentially other than "It's all down to Phishing. We think".

However.

At around the same time the above was sending me messages signed "Regards, Seagull Strange" - I'm zinged by a Google Alert aaaaand.....

Here is (what I assume is the same guy, though I could be wrong) attempting to tear me a new one on his LiveJournal page.

That's pretty.....weird. Right?

Meh, whatever.

Update - Looks like the page got deleted, probably due to the fact he noticed I posted a comment there. Here's a screenshot instead.



Omg Britney Topless!!!

....well, not really. The observant amongst you will have noticed the screencap above is simply lifted from that terrible ballad she did - you know the one, where she dreams about killing herself in the bath or something and she's running through what looks like the corridors of a Nuthouse in a white floaty shirt - and combined with OMG NUDE!!! text for wintastic results.....of a phishy kind.

....yes, you must be logged in to view the video. Now if you'll excuse me, I'll go roll my eyes a few times.


Wednesday, November 14, 2007

Well, this explains a lot...

This stuff is just writing itself at the moment. From the Ultimate Staffing page:

"MySpace.com Abuse Specialist $14 + Benefits!!!

You've heard of the website......You use the website...You love the website...
Now be a part of their team!!!!

MySpace is currently partnering with Ultimate Staffing to bring to you this exciting career opportunity!!

Abuse Specialist

Overview

The MySpace Abuse Team handles all incoming phishing, spamming and hacking related reports.

Job Duties

Abuse Specialists oversee spam complaints from users and networks emailed directly to the Abuse mailbox, remove infringing Ebay auctions that misuse the MySpace trademark, removing phishing sites and notifying victims of phishing abuse, pursuing spammers and having their affiliate accounts/websites removed, and handling hacking complaints.

Qualifications
* Technically savvy with experience with Microsoft Office, including Outlook, Word, Excel
* Strong understanding of the Internet and social networking
* Must have excellent understanding of web hosting, network operations, DNS, scripting
* Knowledge of HTML, Javascript, ability to perform front end coding
* Able to manage multiple priorities
* Minimum 1-2 years work experience

All candidates must be able to pass a criminal background investigation to be considered for this opportunity!!
Must work one weekend day (Saturday or Sunday) every week

We are a 24 hour a day/7 day a week operation at MySpace, we are currently hiring for Graveyard shifts only!

Graveyard shift is from 11:00pm to 8:00am"

.......please God, no more. Hat tip to LoLo, who is awesome.


Tuesday, November 13, 2007

TIME to face facts, Myspace

Yep, Time.com just covered the whole Myspace hacking thing (note that it's the second top story on Time.com, behind Decapitation: Mafia Adaptation which is quite possibly the greatest headline ever). However, what I want to do is focus on just one portion of the article - specifically, the bit where some guy from Myspace says a bunch of stuff. Pay attention, now:

"Her profile was phished," says Nigam, "which means that whoever is managing her site probably input their user name and password where they shouldn't have,"

"Her" refers to Alicia Keys. So again, Myspace are going with the phishing angle. But wait - further down the page....

"MySpace says it has discovered and removed links to the same Chinese site embedded on up to 50 other pages, but declined to identify which pages had been infected."

This is a spectacular own goal. Why?

Well, look at it this way. Myspace freely admit they fixed 50 pages - so in addition to the 25 or so I already found, and in addition to the total that whoever else, from Sunbelt to Roger Thompson, also came across, and in addition to the still undiscovered pages out there that carry this hijack - they still expect us to believe all of those pages got phished in the space of a week or so?

That something in excess of 70 or 80+ pages related to bands ALL GOT PHISHED in the space of a week or two because every single person running those pages suddenly got hit with the stupid stick and clicked a bogus login link? That bands who were unfortunate to get hacked TWICE IN A WEEK were crazy enough to get phished once, then TWICE?

Sorry man, I know ten year olds on Myspace who don't get stung like that.

Phish scams on Myspace are pretty rampant - but every single band I have spoken to swears blind they didn't click a stupid link, or got sent a spurious email, or handed over their credit cards to the wallet inspector, and I believe them. What's more, nobody (as yet) seems to have a single shred of evidence as to these phantom phish links. Where are they? Why hasn't anyone seen one? When are we going to make a definite link between phishing and band hacks?

And the other reason why this is a spectacular own goal? Well, fifty compromised pages is a lot of potential traffic to a hijack website. Three pages alone had in excess of 8,000 friends. So with that in mind, I find this whole idea of keeping those hacked pages under wraps to be vaguely irresponsible. Rather than take another press hit - because it's entirely possible that any of the fifty fixed pages could be for major artists - Myspace would rather drop the cloak of anonymity.

That's great, except it leaves anyone who might have visited a band page in the last week or so completely in the dark as to whether or not they need to run a few antispyware scans. The final nail in the coffin is that Myspace seem incapable of blocking / filtering out two or three Chinese URLs.

Well done Myspace, a winner is most definitely you.
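
The URL filtering that the post above says is missing can be sketched like this; it is an added example, not code from this blog or from Myspace. It checks link attributes and CSS url() values in user-supplied markup against the .cn domains named in these posts, matching on the hostname suffix instead of a substring; the sample comment and the full hostnames built around those domains are constructed.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Phish and redirect domains named in the posts on this page.
BLOCKED_DOMAINS = {
    "91878802.cn", "1187328.cn", "91872772.cn", "91872802.cn",
    "5187622.cn", "co8vd.cn", "acilot.cn",
}
BRAND_DOMAIN = "myspace.com"
URL_ATTRS = {"href", "src", "action"}
CSS_URL = re.compile(r"url\(\s*['\"]?([^'\")\s]+)", re.IGNORECASE)


def host_of(url):
    """Lower-cased hostname of an absolute or //-relative URL, else ''."""
    try:
        host = urlsplit(url.strip()).hostname or ""
    except ValueError:          # e.g. a malformed IPv6 literal
        return ""
    return host.rstrip(".").lower()


def under(host, domain):
    """True when host is the domain itself or one of its subdomains."""
    return host == domain or host.endswith("." + domain)


def classify(url):
    """Return 'blocked', 'lookalike' or 'ok' for one URL."""
    host = host_of(url)
    if not host:
        return "ok"             # relative link: stays on the current site
    if any(under(host, d) for d in BLOCKED_DOMAINS):
        return "blocked"
    # Brand name inside a host that is not under the brand's own domain.
    # Assumption: every legitimate host lives under myspace.com itself.
    if "myspace" in host and not under(host, BRAND_DOMAIN):
        return "lookalike"
    return "ok"


class UrlCollector(HTMLParser):
    """Collects URLs from link attributes, style attributes and <style>."""
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.urls = []
        self._in_style = False

    def handle_starttag(self, tag, attrs):
        self._in_style = tag == "style"
        for name, value in attrs:       # values arrive entity-decoded
            if value and name in URL_ATTRS:
                self.urls.append(value.strip())
            elif value and name == "style":
                self.urls.extend(CSS_URL.findall(value))

    def handle_endtag(self, tag):
        self._in_style = False

    def handle_data(self, data):
        if self._in_style:
            self.urls.extend(CSS_URL.findall(data))


def scan(markup):
    """Return [(url, verdict)] for every URL in markup that is not 'ok'."""
    collector = UrlCollector()
    collector.feed(markup)
    collector.close()
    verdicts = [(u, classify(u)) for u in collector.urls]
    return [(u, v) for u, v in verdicts if v != "ok"]


# Constructed sample comment; only the registered domains come from the posts.
SAMPLE_COMMENT = """
<p>check out her profile LOL.</p>
<a href="http://login.myspace.com.91878802.cn/index.php">click</a>
<a href="HTTP://WWW.CO8VD.CN./x">video</a>
<a href="http://profile.myspace.com.unlisted.example/login">pics</a>
<a href="http://login.myspace.com.91872772&#46;cn/">more</a>
<a href="http://www.myspace.com/tom">Tom</a>
<div style="background:url('//acilot.cn/bg.gif')">x</div>
<style>a { background: url(http://x.co8vd.cn/i.png) }</style>
"""
```

Calling `scan(SAMPLE_COMMENT)` flags six of the seven URLs, including the entity-encoded and upper-case variants that a plain string comparison would miss.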


Sunday, November 11, 2007

More hacked band / music profiles. Why aren't Myspace fixing this?

As of about five minutes ago, here's a record label....


and here's a fairly well known Scottish Music Newspaper site:


And here's another one....


For what it's worth, the combined total of friends on the list of a freebie newspaper, a record label with a PO Box and some random band is 8,829 which is a scary amount of traffic for a bunch of pages related to labels and bands you've probably never heard of. The redirect STILL works, and this is the ORIGINAL co8vd.cn domain I'm talking about here, not the Acilot.cn URL they replaced it with.

Myspace can no longer simply claim ALL of these bands fell prey to Phishing attacks.

This is patently a nonsense. What - an endless stream of bands, record labels, music newspapers and producers all woke up yesterday and forgot what the real Myspace website looks like?

Give me a break.

You know a site has got problems when the only surefire solution to not be subjected to hack attacks and dubious redirects is to not use it.

But that's currently where we are. Well played, Myspace.

Also, has anyone else out there noticed there seems to be a high proportion of Scottish pages hacked in all this? All of the above - Scottish. The Dykeenies? Scottish. A bunch of the other bands I saw that were hacked were Scottish too.

But what on Earth could the Scots have done to annoy the Chinese this bad? Weird...
