Archive

Author Archive

Symantec found over 5 million phishing urls posted on MySpace

February 21st, 2008 2 comments

…yet their blog entry about this missed some key points. And, it’s odd that they were reluctant to post all the information on their findings: full urls, search strings used to get those numbers, the “certain social networking site” in question when they were clearly writing about MySpace, etc. Such cloak and dagger stuff isn’t productive and it caused legitimate confusion among other security researchers. Silly Symantec.

The Basic Gist:

  • URLs on some nondescript numeric .cn domains (91872802.cn, 5187622.cn, etc.) are being used as landing pages for a phishing campaign on MySpace.
  • The URLs are built from stacked subdomains so that they mimic legitimate MySpace profile URLs, with the second-level domain (the numeric portion) standing in for the spoofed MySpace friend ID number…
    Real profile url structure:
    profile.myspace.com/index.cfm?fuseaction=user.viewprofile&friendid=[ID #]
    Fake profile / phishing page url structure:
    profile.myspace.com.index.cfm.fuseaction.user.viewprofile.friendid.[.cn domain]
  • Said urls are posted (typically as text) along with some teaser text in the comment section of MySpace user profiles from accounts on their friend list which have already been compromised.
  • Besides hosting the spoof login pages, those urls are packed with some other nasty exploits aimed at fuckerizing (technical speak :P) a visitor’s PC.

Key Points Symantec Missed:

  • By posting the urls as text (forcing users to cut and paste them into their browser’s address bar) this phishing campaign slips right past MySpace’s (thus far extremely ineffective and counterproductive) link filtering and external link warning page nonsense.
  • The bad guys have sunk to a whole new yet extremely effective level with varying teaser text suggesting that the link goes to the profile of a recently deceased MySpace user…

    RIP Mike MySpace phishing url

    Such text is sure to generate more interest in the spoof login url from passersby who are stalking taking a look at someone’s profile.

  • There is a slight variation going around where it’s an actual link using a properly structured MySpace profile url as the anchor text. And, it completely circumvents MySpace’s filtering and external link warning when clicked via one of many methods currently being employed by MySpace spammers.

    Example:
    http://profile.myspace.com/index.cfm?fuseaction=user.viewprofile&friendid=[ID #]

    In action, the above link would contain some extra code which allows it to be posted on MySpace without being converted into a msplinks.com link (MySpace’s lackluster url filtering solution). By default, this also bypasses MySpace’s new external link warning:

    Myspace External Link Warning

    Since MySpace users are accustomed to external links being converted into MSPLinks.com links and having to pass through that new warning page, malicious links coded to circumvent those systems appear to be legitimate internal MySpace urls.

  • Some might argue that the urls posted as text cannot be as effective as clickable links since they require a MySpace user to cut and paste the url into their address bar. This is true to a point, but MySpace’s insanely glitchy link filtering solution regularly filters non-malicious urls. This has created an environment where some MySpace users familiar with this issue simply post urls as text to avoid any possible filtering. So, many users are now accustomed to copying and pasting urls posted as text.
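A detection sketch for the two lures described above, added here as an example and not code from the original post or from MySpace: it flags hosts that carry `myspace.com` as leading labels of some other domain, whether posted as plain text or as a link, and links whose visible text is a MySpace URL while the href points elsewhere. The function names, the `example.invalid` href and both sample comments are constructed; the post does not show the actual bypass markup, so the link sample uses a plain mismatched href.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

BRAND = "myspace.com"  # domain impersonated by the campaign described on this page
# Hostname with or without a scheme, so URLs posted as plain text are still found.
HOST_RE = re.compile(r"(?:https?://)?((?:[a-z0-9-]+\.)+[a-z]{2,})(?:/\S*)?", re.I)

def host_of(url):  # hostname of a URL that may lack a scheme; '' if unparsable
    try:
        return (urlsplit(url if "://" in url else "http://" + url).hostname or "").lower()
    except ValueError:
        return ""

def is_brand(host):
    return host == BRAND or host.endswith("." + BRAND)

def is_spoof(host):  # BRAND appears as whole labels in a host that is not BRAND's
    return not is_brand(host) and f".{BRAND}." in f".{host}."

class CommentParser(HTMLParser):  # splits anchors [href, text pieces] from other text
    def __init__(self):
        super().__init__()
        self.links, self.text, self.in_a = [], [], False
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self.in_a = True
            self.links.append([dict(attrs).get("href") or "", []])
    def handle_endtag(self, tag):
        self.in_a = self.in_a and tag != "a"
    def handle_data(self, data):
        (self.links[-1][1] if self.in_a else self.text).append(data)

def scan_comment(html):  # returns (finding, host) tuples for one profile comment
    p = CommentParser()
    p.feed(html)
    p.close()  # flushes trailing text that feed() buffers
    hosts = (m.group(1).lower() for m in HOST_RE.finditer(" ".join(p.text)))
    found = [("spoof-host-in-text", h) for h in hosts if is_spoof(h)]
    for href, pieces in p.links:
        h = host_of(href)
        if is_spoof(h):
            found.append(("spoof-host-in-href", h))
        elif h and not is_brand(h) and is_brand(host_of("".join(pieces).strip())):
            found.append(("anchor-text-mismatch", h))
    return found

# Constructed sample comments; the .cn host reuses a domain named in the post.
TEXT_LURE = "RIP Mike profile.myspace.com.index.cfm.fuseaction.user.viewprofile.friendid.91872802.cn"
LINK_LURE = '<a href="http://example.invalid/x">http://profile.myspace.com/index.cfm?fuseaction=user.viewprofile&amp;friendid=1</a>'
```

Matching on whole labels rather than on a substring keeps a host such as `notmyspace.com.example.cn` from being reported as a MySpace spoof.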

Symantec’s Numbers:
They got their “more than five million” figure by simply doing an internal MySpace search (powered by Google) with “profile.myspace.com.index.cfm.fuseaction.user.viewprofile.friendid.” (with quotes) as the search string. When I did the same search the results were numbered at 5,490,000.

Over 5 Million MySpace Phishing URLs

In Summary:
MySpace’s ill-fated security measures are adding perceived legitimacy to this widespread phishing scheme. Symantec left a bunch of security researchers scratching their heads by posting an oddly goofy blog entry. And, ninjas are freaking awesome.

Categories: MySpace, Phishing Tags:

US Airways wants me to get you sick, today.

February 6th, 2008 20 comments

I’m insanely ill at the moment so excuse any typos and whatnot. Here’s the skinny…

1. I booked a round-trip flight with US Airways to spend my birthday with the girlfriend.

2. On Saturday morning (Feb 2) I woke up feeling like absolute shit. Body aches, chills, and a fever which broke 104 at one point. I was supposed to be leaving the next day so…

3. I called US Airways and rescheduled my flight home for Wednesday (today). There was a $20-ish price difference for the new flight. And, they were waiving a $100 fee normally associated with changing your flight.

4. My girl brought me to the emergency room where they pooh-poohed my “I have pneumonia” theory. They said it’s a “viral illness”. So, it’s a common cold on steroids kinda thing and is contagious.

I'm contagious

5. Wednesday is here and I’m still in bed. My girlfriend is sick now too. I called US Airways to see about getting the flight rescheduled again. I was told that the $100 fee could not be waived a second time. I asked if they’d rather knowingly have someone with a contagious illness on two of their flights today. That question was met with silence. So, I asked if a manager could override the charge. After being placed on hold I was told once again that they wouldn’t override it… “Well, I’ll see you guys later today.”

If they were dealing with flights that were near capacity I would be more sympathetic. That’s not the case though…

US Airways want more empty seats in the future. Fo realz.

So, what should a ninja do???

Update (5pm):
In spite of all the votes saying I should catch that flight and cough on people, I’m simply going to book with a different airline once I’m feeling better.

Categories: General Tags:

Strange Google Results

February 1st, 2008 8 comments

Sometimes when I’m alone, I Google myself. I have no shame. :P

I’ve seen duplicates in the SERPs before, but a search this morning left me scratching my head with a dumb look on my face. Results number 10, 20, 30, 40, 50, and 57 are all the same for the term “ghettowebmaster” at the moment:

Strange Google Results Page 1

Strange Google Results Page 2

Strange Google Results Page 3

Strange Google Results Page 4

Strange Google Results Page 5

Strange Google Results Page 6

WTF?

Categories: Google Tags:

Florida Cybercrimes Unit Hiding Evidence – Self Pwnage

January 31st, 2008 6 comments

The skinny:

1. Some eTards decided to harass Officer John Nohej for having a MySpace friend who linked to adult content when he was simply trying to reach out to kids at the middle school he is assigned to.

2. Hilarity ensues as netizens rip the eTards apart for this retardedness. The school he works at? They had a link to a domain parking page from a belly up clip art site they linked to. What ads were splashed across that domain parking page? Gay porn, seriously. It got worse for them when I pointed out that the technology-challenged “elite cyber crimes task force” investigating Officer Nohej is guilty of all sorts of stuff that also doesn’t matter on MySpace.

3. In their infinite wisdom, they decided to (screw up while trying to) hide their own “misdeeds”…

Their friend list from a few days back:
MySpace Florida CyberCrime MySpace Friends

Their friend list and comments now:
MySpace Florida CyberCrime MySpace Without Friends

What the hell?

They ran to another third party site and got code to hide their friend list and comments. And, once again… they didn’t remove the extra code included which links to a site pushing adware:

Florida CyberCrime link to adware funded site

What kind of places does that site link to?

Zango Banner

Yuppers, the ad network that site does business with serves up a ton of Zango banners. Nice.

I think it’s time for this “elite” interweb task force to go ahead and ask one of the kids they are supposedly protecting to help them out with their MySpace.

Update:
They went ahead and deleted every comment from their MySpace page. lolz

Categories: Legal, MySpace, Zango Tags:

Snopes.com: Rumor has it that they are funded by AdWare

January 28th, 2008 12 comments

Snopes

Home –> Computers –> Virus Hoaxes & Realities –> Snopes Funded By Adware

Money Over Integrity



Claim:   Snopes serves popup ads from Value Click Media (FastClick) which encourage visitors to install adware from Zango (The Axis Of Evil).

Status:   True.

Example:   [Collected on the Interwebs, 2008]


I am a big fan of Snopes, and use the service routinely when getting some typical hysterical email from a friend.

But for a long time now (probably at least a year), I’ve noticed that they are in bed with Fastclick, which in turn constantly serves one annoying ad on Snopes:

Snopes FastClick Popup Zango

That ad, “Do you want to block Junk Emails?” is for a Zango product — adware (VirusTotal report here). And by running this ad, Snopes, which is highly reputable, is providing an implied endorsement of the product.

I contacted Snopes about six months ago to complain, but they ignored my message.

- Alex Eckelberry

I responded to Alex’s blog entry about this with the following:

Ouch. I’ve sent plenty of people their way over the years. This stinks the same as weight loss, penis enlargement, and other nonsense being allowed to make ad buys from Discovery, History Channel, etc.

“We are known to deal with facts and provide the best information possible.”

“Here’s a bunch of money. Let’s exploit that trust you’ve built up.”

“Hells yeah.”

Seriously:
LoLo Comment About Snopes

What really pisses me off is that I know FastClick has category options for their publishers. And, I’d bet PaperGhost’s underoos that a site producing as many impressions as Snopes can get them to filter ads from their rotation. Bottom line: they aren’t idiots and are intentionally serving such ads on their site. It’s obviously all about the big bling bling for them.

Might as well find a similar site, with ethics:
Urban Legends (minus Snopes)

If you want to send Snopes a message about this mess, here’s their contact page.

Update:
You probably shouldn’t even bother contacting them. Here’s a thread on their own forum with members bitching about such practices from September of 2005. I saved a copy of that just in case they delete it ;-)

Categories: Adware, Zango Tags: