Yesterday, a metric ton of MySpace accounts were infected with yet another worm. As I predicted ten days ago, it was accomplished via a QuickTime embed. Visiting the profile of anyone infected would cause the navigation links across the top of your profile (Home | Browse | Search | Invite | etc…) to be replaced by fake navigation links which all linked to a spoof MySpace login page via some basic CSS and HTML added to your “About Me” section. And, the QuickTime embed was added to one of your “Interests” sections to further propagate this worm / phishing attack. At a glance, this looked like nothing more than that: a worm being used to phish MySpace passwords.
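The two profile changes described above, a QuickTime embed in an "Interests" field and navigation-bar labels re-pointed at an off-site login page, can be checked for mechanically. This is an added example, not code from the original post or from MySpace; the field names, the `example.invalid` URLs and the trusted-domain rule are constructed assumptions.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

NAV_LABELS = {"home", "browse", "search", "invite"}  # labels named in the post
TRUSTED_DOMAIN = "myspace.com"   # assumption: the only host nav links may use
MEDIA_TAGS = {"embed", "object", "param"}


def split_url(url):
    """Return (scheme, host, path) in lowercase; malformed URLs are 'invalid'."""
    try:
        p = urlparse(url.strip())
        return p.scheme.lower(), (p.hostname or "").lower(), p.path.lower()
    except ValueError:
        return "invalid", "", ""


def is_trusted(url):
    """Relative links and hosts on or under TRUSTED_DOMAIN are trusted."""
    scheme, host, _ = split_url(url)
    if not host:
        return scheme == ""  # "/path" is fine, "javascript:..." is not
    return host == TRUSTED_DOMAIN or host.endswith("." + TRUSTED_DOMAIN)


def looks_like_quicktime(value):
    """True for the QuickTime MIME type or a URL whose path ends in .mov."""
    if value.strip().lower() == "video/quicktime":
        return True
    return split_url(value)[2].endswith(".mov")


class ProfileScanner(HTMLParser):
    """Collects (kind, url) findings from one user-editable profile field."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.findings = []
        self._href = None   # href of the <a> currently open, if any
        self._text = []     # visible text collected inside that <a>

    def handle_starttag(self, tag, attrs):
        attrs = {k: (v or "") for k, v in attrs}
        if tag in MEDIA_TAGS:
            hit = next((v for v in attrs.values() if looks_like_quicktime(v)), None)
            if hit is not None:
                self.findings.append(("quicktime-embed", attrs.get("src", hit)))
        elif tag == "a":
            self._href, self._text = attrs.get("href", ""), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            label = "".join(self._text).strip().lower()
            # A link that imitates the site's own nav bar but leaves the site.
            if label in NAV_LABELS and not is_trusted(self._href):
                self.findings.append(("spoofed-nav-link", self._href))
            self._href = None


def scan_profile(fields):
    """fields maps a profile section name to its user-supplied HTML."""
    report = {}
    for name, html in fields.items():
        scanner = ProfileScanner()
        scanner.feed(html)
        scanner.close()
        if scanner.findings:
            report[name] = scanner.findings
    return report


# Constructed sample profile; every URL here is a placeholder.
SAMPLE_PROFILE = {
    "About Me": (
        '<div style="position:absolute;top:0">'
        '<a href="http://login.example.invalid/index.html">Home</a> | '
        '<a href="http://login.example.invalid/index.html"><b>Browse</b></a>'
        '</div><a href="http://www.myspace.com/index.cfm">Home</a>'
        '<a href="http://blog.example.invalid/">my blog</a>'
    ),
    "Interests": '<embed src="http://files.example.invalid/clip.mov" '
                 'type="video/quicktime" hidden="true">',
    "Music": "<b>Whatever is on the radio</b>",
}

if __name__ == "__main__":
    for section, findings in scan_profile(SAMPLE_PROFILE).items():
        print(section, findings)
```

Ordinary off-site links such as the "my blog" anchor are not flagged; only links that reuse a navigation label are.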
I downloaded the .mov (QuickTime File) and opened it up in a text editor to see what it was triggering to cause this mess. It was plainly clear that the JavaScript it was executing, served from the same domain as the spoof login page, was intended to do more than just inject some code to phish people and spread the worm. It also had code in there to send internal MySpace messages to random people with MySpace friend IDs between 105000000 and 80000000. This attempt fell flat, but the intent was there nonetheless. Why did it fail? Either poor coding or MySpace’s spam filter. This ill-fated spam attempt revealed the identity of the guy behind the worm… Well, it made it so that he won’t be all that hard to track down anyway.
The intended MySpace message spam would have randomly used one of the following subject lines:
what else is there to do on a Sunday.?…….
You better not forget about this..
Hehe that was so funny..
better see this one last time lol..
omg did you see this last nite..
whos coming to the party tonight.?..
And, the body of the message would have contained a fake YouTube video (pictured below) linked to a site that’s… pushing Zango installs (nasty adware).

If you’re not already familiar with Zango (180solutions) and their scumtastic business practices, read this. The bottom of that write-up has links to a bunch of stories detailing their unrelenting scumbaggery. It’s no wonder that the FTC spanked three million dollars out of those idiots recently.
*The web addresses listed in the below paragraph contain adult content*
The URL that fake YouTube video would have been linked to is what gave this douche-bag up: http://google.com/url?q=http://www.vidchicks.com/home.php. That “home.php” simply redirects you to the same URL you’d get as a pop-under if you visited any page on Vidchicks.com: http://www.vidchicks.com/popunder.html. And, that popunder.html is simply a landing page being used to get people to install some adware courtesy of Zango. I was able to dig up all kinds of dirt on the webmaster of Vidchicks.com. I’ll get to that in a second.
On the landing page he’s pushing the Zango installs from, he has visitor tracking being logged by the public version of Extremetracking.com. If you’re reading this before they pull his account, those stats can be found here. The visitor stats found there are pretty telling. He has been spamming the hell out of MySpace from those phished accounts via messages, comments, and bulletins.
The below shows unique visits:

Visiting a few of the MySpace profiles he has gotten visitors from recently showed that he has been posting various images as comments from phished accounts to get people to visit that Zango landing page of his. Sometimes he simply posts the same fake YouTube video as above. Other times, he’ll post stuff like the below:

So, he’s basically just scumming it up in any way that he can. After doing a bit of research on this guy I found that this is his typical behavior.
Here’s a taste of the pile of dirt I found on this guy:
1. He goes by a number of different names on webmaster forums because he has a knack for doing shady stuff. If you’re doing business with a guy that goes by the name eLogic or Creepah, I highly suggest that you stop. Those are two of his handles for sure. The eLogic name is used on some forums where he does traffic trades and whatnot. And, he tried to sell Vidchicks.com on DNForum a few weeks back under the name Creepah. Oh yeah, Vidchicks.com is registered under the fake business name of eLogic Inc.
2. He was banned from a webmaster forum for creating a fake account to bid on one of his own auctions to drive the price of a site up. *No url included because it’s a private forum
3. He was apparently banned from YPN at least once.
4. This has got to be my favorite post by this idiot: [EASY CASH] Digg my site, $1 per digg, takes 30secs. lolz
Here’s a screenshot from his Digg.com account:

14 stories Dugg and 20 submitted. *Holds up a Yes, this guy is retarded sign*
5. Who cares? I think all of the above establishes this guy as a typical spammer.
In conclusion:
- MySpace killed off that worm yesterday by adding the domains he was using to their spam filter’s list and getting the hosts to pull those files. This is just a temp fix though. They’ll need to ban QuickTime files if they want to prevent this kind of stuff from happening on a daily basis.
- The guy behind this is obviously in blatant violation of numerous laws. If any law enforcement or other government agency wants to take action against this idiot: it’ll be real easy to nail him down. On all the webmaster forums, he has remained consistent in saying that he’s from the UK. This isn’t necessarily true, but a subpoena served on any of his income sources (Zango, Adult AdWorld, etc) would turn up an address for sure. ;-)
- I’ve got the flu and didn’t sleep last night, so excuse any typos and/or other retardedness in the above.
Update (12/01/06):
“MySpace killed off that worm yesterday by adding the domains he was using to their spam filter’s list and getting the hosts to pull those files. This is just a temp fix though. They’ll need to ban QuickTime files if they want to prevent this kind of stuff from happening on a daily basis.”
Well, MySpace has apparently decided to try to handle this issue differently. And, the same worm is spreading around today using different domains to host the QuickTime file, Spoof Login page, and JavaScript. I guesstimate that at least 1/10th of all active users were infected by this thing over the past few days. And, there is no telling how many accounts have been phished. Yesterday, MySpace Tom posted the below:

I think that makes it pretty safe to say that the MySpace crew has come to the same conclusion as me: a metric TON of people have already been phished via this worm setup. I smell a lot of spam in the near future.
Yesterday, I didn’t mention a part of this guy’s hustle that is pretty interesting. He is hosting the files being used for this worm on domains he has compromised. I imagine he is doing this in order to have a little room for denial. “Dude, I don’t know what you guys are talking about. Someone else is spamming the hell out of that place with the url to my Zango page.” Yeah, sure.
As of right now:
He cleaned up his JavaScript a bit and it now randomly inserts the QuickTime file from one of two domains. Yesterday he was using two domains also, but they were both standalone operations doing the exact same thing. So, he has the QuickTime file, JavaScript, and spoof login page sitting on two separate domains - working together now. His phishing efforts have been cut short though. Both of the Spoof Login pages are set to post the inserted data over to a third domain (a .edu) which is already down. And, the webmaster at one of the domains added some text to the spoof login on his domain warning people that it’s a fake:

I’m not sure if he has this same double-whammy setup on any other domains right now though. If not, I’m sure he will soon enough. I’ll say it again: this is not going away until MySpace bans QuickTime embeds.
Update (12/06/06):
Well, this story ended up exploding all over the net after my buddy PaperGhost (Microsoft Security MVP, Director of Malware Research for FaceTime Security Labs, Kung Fu Fighter, etc…) posted it on his personal blog and on his company’s blog. If you want to keep up with this story, PaperGhost is maintaining a list of all the better stories that get posted about this. If you see anything juicy posted about this, feel free to message him with the link.
Besides this story getting all that exposure, it has taken a few turns since my last update. And, I have a small correction to make about something I said…
“MySpace killed off that worm yesterday by adding the domains he was using to their spam filter’s list and getting the hosts to pull those files.”
Yeah, I was wrong about that. The servers the files were on simply couldn’t handle all the traffic. A day later they quit 404ing. And, one of the four domains is still hosting the files.
I was also wrong in saying “[MySpace]’ll need to ban QuickTime files if they want to prevent this kind of stuff from happening on a daily basis”. They contacted Apple asking for a patch and Apple has provided a temp one that helps out Internet Explorer users, with a permanent solution on the way. I find this a bit odd since this worm setup simply used a QuickTime feature, not a QuickTime flaw. It was a shortsighted, security flawed in nature, and downright retarded feature… But, a “feature” nonetheless.
This has stirred up a bit of debate on who is to blame, Myspace or Apple. Personally, I think they both screwed up on this one. Apple for thinking that launching JavaScript from streaming media was a bright idea. MySpace for not having a security team in place that keeps up with industry news to avoid stuff like this. And, for doing a piss poor job of letting their users know what was going on. And, for not providing a temporary fix before they got that temp fix from Apple - banning QuickTime embeds for a few days would have saved tens of thousands of people from being phished. And, and, and… Well, you get the point.
MySpace Tom posted the below yesterday:

It linked to a page which has the temp QuickTime patch Apple provided. After clicking the install button several times, I’m still not sure if the damn thing installed. All of this is of course causing a ton of confusion amongst the MySpace crowd. So much so that MySpace Tom posted a blog about it (the blog entry has been deleted, hmm). The very first line of which is factually incorrect and sure to piss off the guys at Apple:
“the security problems this weekend were related to a hole in activex quicktime installer.”
Dude, are you high??? That’s completely retarded sounding and not true. Plus, it sure looks like you’re trying to place all the blame on Apple. Not a very slick move considering you’re waiting for a permanent fix from them.
He goes on to explain that the download is legit, the post about it was really by him, etc. Pretty sad when a site’s user base is so accustomed to deception, scams, worms, and other nastiness that they don’t even know if an update by the poster boy of the site is real.
Update (12/10/06):
This is funny enough for a new entry: MySpace Tom Pwned
68 brave souls have commented on this post
I need help! I got this worm yesterday, as did a few of my friends. I deleted all the bad html from my “about me” and movie sections. But now it seems my that my “send message” function has been disabled. I can go through the steps and get to the “message sent” screen but it doesn’t appear in my sent folder and my friends don’t receive it. Any ideas?
Re: Jennifer
That’s a side effect that was caused by this worm. MySpace inadvertently flagged TONS of users as spammers who aren’t. You were all flagged because of the spam this worm attempted to send from your accounts. When I update this blog entry I’ll be mentioning this.
/all you can really do is sit and wait for MySpace to get their stuff together.
Thank you for your help. This really sucks!
Funny. That dillweed’s password was the same as his username.
Not bright at all. Funny, he doesn’t seem to have a tracker anymore… :-P
So if we had that, as long as we deleted all the code from the about me section and the video code from the movie interest section and didn’t ever enter information into the fake site our passwords haven’t been compromised? I received the infection from a friend’s page and clicked my home link a few times before I realized why it wasn’t working. A page didn’t load so I think it may have already been taken down.
Possible needed clarification to my question: Even if I clicked the false HOME links on the myspace profile as long as I never entered my information I am safe?
The latest news is even Tom’s profile got phished. Sad to say, his 1 billion more friends were affected because of this myspace identity theft. I wonder if there’s any way that someone can actually develop a myspace code that can automatically detect the intent of spamming, something we can also embed in our own about me section.
My name is Josh, i know enough about viruses/worms/trojans to know pretty much how to handle the worm problem, have any questions for me, contact me on myspace with::: myspace.com/joshuaposs
or if you don’t have a myspace then just contact me with my email address::::: josh.poss@gmail.com
Those punks and bitches stole my password i needed to talk to someone and now i can’t fucking QuickTime
yeah i have went in and tried to change my password and it wont let me and i dont know what else to do! please e-mail me jessica_mae_7688@hotmail.com
My myspace page was phished and i can’t do anything about myspace.com/untouchableunt,The thing is forgot the password for my old email address untouchableunt@yahoo.com but i do know the password for my myspace page…………..so can you please email me at freshmagz11@yahoo.com
my myspace got some weird password that i cant log in…if you can reply with my password at anamonterroza@yahoo.com
If you are a 14-19 year old female and have had drama caused by someone messing with your myspace account please contact me. Or if your relationship has been ruined or if you have been exploited my mypace please contact me for a magazine article 914.497.9731
I need help! My account keeps getting phished every time I post on the myspace bulletin. i’ve already unlocked it more than 3 times…..which means I’ve gone thru more than 3 different passwords in one night and i’m running out of ideas. it’s really annoying….I can’t even post any messages on the bulletin anymore. Please help me! has anyone experienced it….or does anyone have a clue?!
re: MJ
That new flagging system they have in place has been acting nutty. Accounts that I know haven’t been phished keep getting flagged and whatnot. Just keep changing your PW and wait for them to get their shit in order.
thanks lolo….it’s been driving me crazy too….right now i stopped posting on the bulletin so i won’t get flagged. **ugh** it sux!
my account was one of the accounts that was phished,,,so i waited and waited it never did get back to functioning. After a month i changed it, ok here is the crazy part. I changed my page password and url, after having this account for a month it was deleted to violation of terms, i was shocked had no idea why. Do you think this worm is in my pc? If so it will only be a matter of time b4 they shut this account down, the rules were like no spamming no nudity no harrassnf which of course i had been doing none of. Whatcha say bout that?
I’m having the same problem right now, everytime I try to post a bulletin I get a message from Tom saying that my account has been phished and my account has been blocked until I change my password. But every time i change my password and try to repost the bulletin…it happens again!! This is ridiculous, the bulletin is not spam, was not sent by a hacker and does not violate any terms!! It’s completely freaking me out. Especially the idea that my profile might be deleted! Please, does anyone know what’s going on? I don’t run a personal myspace, it is used to promote a very popular art installation I’m involved in and I’d lose 7000 contacts and a myspace which I’ve worked on and built up over several months.
all those frickin myspace phishers should get a flippin life.
Anybody having problems with sending bulletins on myspace because of their blocker claiming you’ve been phished, try taking out any direct links (especially to rival blogs!) I think this is triggering their blocker because as we know all hacker bulletins and comments have direct links to dodgy pages and people are more likely to click on these links without thinking. Just try sending the web address without any html code. Phew, panic over for me:)
my account was phished as well, I waited 4 days to see if it would unblock, no changes came, so I made the mistake of setting a new password and that’s when I got blocked completely, cannot pass beyond the log in page now. myspace has a password but it does not match what I put in, they don’t answer my questions and they wont send the password to my email. I am having the same problem as vanessa on 4/12/07. Please help LoLo!!!
Whenever you have any MySpace issue, email the hell out of
abuse@myspace.com
&
privacy@myspace.com
until they address the issue. They’ve gotten a lot better about responding to stuff lately.
EDIT (8/31/07):
Got an email from MySpace today stating that “all emails should be submitted through the ‘Contact Myspace’ link located at the bottom of the website”.
So… Emailing those addresses directly might get their collective panties in a bunch and they won’t be as helpful.
I have no idea what’s going on. I have apparently been phished, although I’ve never posted a bulletin. Everytime I log out, ten minutes go by and now Tom sends me a message stating I’m phished and I need to change my password. I’ve changed it over twenty times in two hours. WHAT IS GOING ON?
re: Chuck lolz
That’s their new flagging system doing what MySpace stuff does: fucking up. You’re getting flagged based on some words in the comments, blog entries, or messages you send out.
I’m sorry. I don’t really understand. I haven’t written a new blog since probably February and I haven’t been on my account to send any comments or anything for about two weeks. Today was my first time logging in for two weeks. I logged in, saw the flag, changed my password, and then logged out. I logged back in a few minutes later, deciding to write a comment to somebody and saw I was flagged again. What does this phishing thing mean and did somebody really steal my password? I don’t know what any of this stuff means. Do I really have to start a new myspace account? And if I do, whos to stop it from happening again?
Google: MySpace spoof login
The first thing listed is a video I made that explains phishing. You might be getting flagged because you actually were phished last time you were on. Check your sent messages and posted bulletins to see if stuff is getting posted by a spammer. If you don’t see anything post a bulletin asking your friends if any of them have gotten spam coon their pages from your account.
I tried that, but no one has gotten any spam from me. One of my friends had to redo their account but I wasn’t on their page at all and they weren’t on mine. Okay, now somebody just told me I have to change my password and then take out all of my codes and redo my page. Will that work? Thanks for being so efficient with answers. You are now on my favorites. And not just anybody gets added to Chuck Norris’ favorites.
lolz…
Changing your PW and completely cleaning out your profile should get things back to normal for ‘ya.
Where have you been the last six hours I’ve been trying to figure this out? Hell, where have you been all my life? Thanks-no one else was making any sense to me. If you need someone to roundhouse kick Tom to the face, you know where to find me.
P.S. Do I really have to get rid of everything? At the risk of sounding whiney, I got a nice slideshow up. Are there certain things I should look for in the codes to delete or should I really just scrap everything in there?
Just remove everything and put it back piece by piece. Anything you’re not sure of, don’t put it back.
I just KNEW something strange was up with Myspace! It keeps locking me out of my account and claiming that I’ve been “phished”, when I know for certain that I haven’t. I’ve had to re-set my password over 10 times within the last hour, and it’s STILL telling me that I’ve been “phished”. WTF man?? WTF?!?!? Myspace’s flagging system is apparently on some kind of rampage… they need to either do away with that, or start modifying it to be less aggressive. Everything was working perfectly fine for me yesterday… and today I’m constantly being flagged! Their customer service is literally non-existent in answering any of my e-mails regarding this. ‘Effing b@stards! :(
WTF! I keep getting phished every hour. Does anyone know how to stop this from happening?
hi just droppin by,, hehehe
hi, my myspace got phished and i cant change my password cuz the link that says “acount settings” like doesnt work because of the virus or whatever it is. please help me. i cand send anything or click on anything! contact me at myspace.com/_blink_megan_
I deleted my About me and my interest section and it still is blocking the “send message” “add to friends” “blogs” “view picture” “home” all those links.. Everything that is a link type deal, is blocked.. Before even When i’d go all the way down to the bottom of my page and then half way up.. my cursor would change and thats when the page was blocked. So i deleted my about me section, the interests, all the html and the movies.. and it’s still messed up. So whats the deal here.. because i’d really like to know. I EVEN MADE A NEW MYSPACE.
The myspace support people or whatever haven’t gotten back to me, and i’ve gotten to them twice.
Not to mention i deleted the comments that were html and infected as well
i have the same problem as boxofrain and i did the same stuff as he did except i didnt make a new one.
Alexandra Elizabeth here, My Add Comment Link is gone! No one can add comments on myspace. I did the same thing as Boxofrain. I started deleting everything. My Layout went 1st. Then my videos, now some comments. 4hrs later, its 2:26AM PDt now.
I’ve just about had it. Oh, and when I go to Edit Profile. All links show the Add Comment link. But when I return to My Profile, Wha La Gone!
Can you help?
P.s. I really appreciate all you can do. You were highly recommended by Keld. Thank you.
hello
Hi Lolo, I am having trouble with 2 things,..
1st I can’t see any of my comments on my profile page. I did try to reinstall my profile layout. It did not help.
2nd I clicked on Edit Profile, to see my information.
And in 2 boxes:
Books and Television my scroll bars are blank looking.
I cannot scroll with them. Thank you for your help.
U SUCK!
I have been phished, but when I go to change my password, the verification picture wont show up! Can someone please help me with this?
well i was trying to send a message.&&it didnt pass the spam filter? then i went to home and apparently i have been phished. then it says click here to change your password and whatever so i clicked & it took me to the sign in page. so i signed it and i am still phished then i went to account settings and it says server is busy every time. can someone help? :]
me too. I first got a page saying to verify my email then to change my password. when I went to do that it wouldn’t show the pic. this is 2 days after I have been blocked from the site for 4 days because everytime I go to log in the page would redirect to another one that says : myspace.com/modules/splash yada yada. damn..I’d actually pay for the site if the would get it right.
i am having exactly the same problem as jessica and it is driving me crazy… i need help please!
I am having the same problem it just wont show the picture to verify password change. does anyone know about this? it has something to do with java
Re: last several comments
Read my latest blog entry about this issue:
MySpace inadvertently flagging accounts as phished
Same as everyone else on the second
anyone help??
please
I’m having the same problem as others…my add comments link just suddenly disappeared last night, no clue why! I found code on the net to get it back and it’s back, only it’s in the wrong section (the web page where I got the code said to copy and paste the code at the end of the Who I’d Like to Meet Section and I did, so that’s where it is showing up, not in the Comments Section where it should be)!
HELP!!! At least my friends can leave my comments now, but I would like it back where it belongs! Plus, I’m worry that my account will start to get all screwed up from being phished! I would appreciate any assistance!
my computer keeps saying bad reQust When i try to enter my space
My myspace has been acting up. I mean I cant even sign into it because I guess I resigned in accidentally because I thought it was myspace but it was really a site called freeweb? So now everybody has been telling me that there is a invisible code on all my links on my site. I have no idea how to fix it and I’ve already emailed myspace about it and still no reply. I need major help!
I recently logged into my account and all of my friends have disappeared?? I do not know if this is an act of phishing, or getting a worm?? I need your help, please if there is any information help me!!!
Hello, I dont dnow why my myspace is so strange… whenever I want to edit my profile it wont let me, or people dont recieve my messages or comments, they also cant see my friend requests. All of the sudden, it wont let me post pictures in my comments either. And sometimes, my profile will go back to its original plain “mode”.
every time i try to log in to myspace a big purple mouse called steven runs across the screen singing “o when the saints”
does anyone know what i can do its getting quite annoying email me at iloverimming69style@yahoo.co.uk thanks
joe
Well,that sucks.
As of four days ago, I couldn’t login to the MS account. I can still see it from a “band” account, so it isn’t TOS deletion. Of course, eventually it asked me to enter the captcha codes, still no go and then lockout for too many attempts. I have a feeling that tech support is all bots. No response. Worse, the account in question is linked to an old, dead email address. (I know, I know). Anybody else having these “sit tight” problems? The MySpace Help profile listed login issues for two straight days but they are no longer listed. Thanks all.
Hello! Help solve the problem.
Very often try to enter the site, but says that the password is not correct.
Regrettably use of remembering. Give like to be?
Thank you!
I have been trying to contact myspace regarding my account. I made the attempt to change my email address this past sunday and thought I was successful. Received the email from them with the confirmation code etc… well… now I can’t even get into the account with either email address, and when I go to see if maybe I the password was changed or something… It says that both email addresses are not valid. I have emailed them several times and don’t know what to do . Could you help me and let me know how I can get this resolved or even get the stupid thing deleted and start over. Just send me an email~!! TIA!!
YOOO!! i wuz on my myspace last night nd it sayz i got phished nd i havta change my password but everytime i try it says passwords dont match… BUT THEY DO!!! ive done it lik a million times ive tried changin my email nd eveything but still it wont work. wut should i do???
you should wait and eat lard and cake and drink tea
Kaspersky reveals this worm?
Note from LoLo:
No. The worm doesn’t infect your system. I’m sure Kaspersky flags Zango for the BS it is though.
Yeah, apparently this stuff isn’t going to stop anytime soon since this started in ‘06 and it’s still going on.
ok, i got phished today.
i changed my password but it wont work.
my safe mode is hidden now. i cant get to it.
its not possible to go to edit profile bc of the spammer so there is nothing i can do! same thing happened to my brother can anyone please help!
i was not hacked……..( well not yet). i am not alowed to be on myspace… that is what my dad says and he is an asswhole any ways!!!!!…. well idk why.
no one knows my p-word any ways becides me….. well at least i think soo…