
Symantec found over 5 million phishing urls posted on MySpace

February 21st, 2008 LoLo

…yet their blog entry about this missed some key points. And it's odd that they were reluctant to post all the information on their findings: the full URLs, the search strings used to get those numbers, the name of the "certain social networking site" in question when they were clearly writing about MySpace, etc. Such cloak-and-dagger stuff isn't productive, and it caused legitimate confusion among other security researchers. Silly Symantec.

The Basic Gist:

  • URLs on some nondescript numeric .cn domains (91872802.cn, 5187622.cn, etc.) are being used as landing pages for a phishing campaign on MySpace.
  • The URLs are built from a long chain of subdomain labels so that they mimic legitimate MySpace profile URLs: the real URL's path and query string are reproduced label by label with the separators swapped for dots, and the numeric second-level domain sits exactly where the spoofed friend ID would be read. Since a browser only cares about the rightmost labels, everything before the .cn domain is just a subdomain the attacker controls…
    Real profile URL structure:
    profile.myspace.com/index.cfm?fuseaction=user.viewprofile&friendid=[ID #]
    Fake profile / phishing page URL structure:
    profile.myspace.com.index.cfm.fuseaction.user.viewprofile.friendid.[.cn domain]
  • Said URLs are posted, typically as plain text rather than clickable links, along with some teaser text in the comments section of MySpace user profiles, from accounts on the victim's friend list that have already been compromised.
  • Besides hosting the spoof login pages, those URLs are packed with other nasty exploits aimed at fuckerizing (technical speak :P) a visitor's PC.
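To make the subdomain trick concrete, here is an added example (my code, not anything from the original post, Symantec or MySpace) that rebuilds a spoofed hostname from a real profile URL the way the campaign does, and then classifies URLs by which domain actually owns them rather than by what the eye reads first. The allow-list of brand domains, the two-label rule for the registrable domain, and the sample URLs (with a made-up friend ID of 12345) are my assumptions; the two .cn domains are the ones quoted above.

```python
# Added example: detecting look-alike hostnames built from subdomain labels.
# Assumptions (mine, not the post's): the TRUSTED_DOMAINS allow-list, a
# two-label registrable-domain rule, and constructed sample URLs.
import re
from urllib.parse import urlsplit

# Domains we treat as legitimately MySpace-operated (assumed allow-list).
TRUSTED_DOMAINS = {"myspace.com", "msplinks.com"}


def spoof_hostname(real_url: str, attacker_domain: str) -> str:
    """Rebuild a real profile URL the way the campaign does: drop the
    scheme, drop the friend ID value, turn every '/', '?', '=' and '&'
    into a dot, and hang the result off the attacker's domain so that
    its numeric second-level domain reads like the friend ID."""
    rest = real_url.split("://", 1)[-1]
    rest = re.sub(r"=\d+$", "", rest)        # remove the real "=[ID #]"
    dotted = re.sub(r"[/?=&]", ".", rest)    # separators become labels
    return f"{dotted}.{attacker_domain}"


def hostname_of(url: str) -> str:
    """Hostname of a URL. Bare text such as 'profile.myspace.com.…' (no
    scheme), as posted in a comment, is treated like a pasted address."""
    if "://" not in url:
        url = "http://" + url
    return (urlsplit(url).hostname or "").lower().rstrip(".")


def registrable_domain(hostname: str) -> str:
    """Rightmost two labels: 'a.b.91872802.cn' -> '91872802.cn'.
    Sufficient for .com/.cn; a real tool would consult the Public Suffix
    List so that names like example.co.uk are handled correctly."""
    return ".".join(hostname.split(".")[-2:])


def classify(url: str) -> str:
    """'trusted'  : the registrable domain is on the allow-list
       'lookalike': a trusted domain appears as labels inside the hostname
                    but does not own it (the spoofed-profile trick)
       'external' : anything else"""
    host = hostname_of(url)
    if registrable_domain(host) in TRUSTED_DOMAINS:
        return "trusted"
    padded = f".{host}."
    if any(f".{brand}." in padded for brand in TRUSTED_DOMAINS):
        return "lookalike"
    return "external"


if __name__ == "__main__":
    # Constructed sample: the friend ID 12345 is made up for illustration.
    real = "http://profile.myspace.com/index.cfm?fuseaction=user.viewprofile&friendid=12345"
    fake = spoof_hostname(real, "91872802.cn")
    for u in (real, fake, "http://" + fake + "/", "http://www.example.com/"):
        print(f"{classify(u):9s} {u}")
```

The point of ordering the checks this way is that a hostname is judged by its rightmost labels first; only if those do not belong to MySpace does the presence of "myspace.com" anywhere earlier in the name count against it. Pasting the spoof into the classifier yields "lookalike", while the real profile URL, scheme or not, yields "trusted".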

Key Points Symantec Missed:

  • By posting the URLs as plain text, forcing users to copy and paste them into their browser's address bar, this phishing campaign never touches MySpace's link filtering or its external link warning page at all; both only act on clickable links, and both have so far been extremely ineffective and counterproductive anyway.
  • The bad guys have sunk to a whole new, yet extremely effective, low with varying teaser text suggesting that the link goes to the profile of a recently deceased MySpace user…

    [Screenshot: "RIP Mike" MySpace phishing URL posted as a comment]

    Such text is sure to generate more interest in the spoof login URL from passersby who are stalking... er, taking a look at someone's profile.

  • There is a slight variation going around that is an actual clickable link, with a properly structured MySpace profile URL as the anchor text. Using one of the many methods currently employed by MySpace spammers, it completely circumvents MySpace's filtering and external link warning when clicked.

    Example:
    http://profile.myspace.com/index.cfm?fuseaction=user.viewprofile&friendid=[ID #]

    In action, the above link would contain some extra code which allows it to be posted on MySpace without being converted into an msplinks.com link (MySpace's lackluster URL filtering solution). By default, this also bypasses MySpace's new external link warning:

    [Screenshot: MySpace external link warning page]

    Since MySpace users are accustomed to external links being converted into msplinks.com links and to having to pass through that new warning page, malicious links coded to circumvent those systems appear to be legitimate internal MySpace URLs.

  • Some might argue that URLs posted as text cannot be as effective as clickable links, since they require a MySpace user to copy and paste the URL into their address bar. This is true to a point, but MySpace's insanely glitchy link filtering regularly filters non-malicious URLs. This has created an environment where some MySpace users familiar with the issue simply post URLs as text to avoid any possible filtering, so many users are now accustomed to copying and pasting URLs posted as text.

Symantec’s Numbers:
They got their "more than five million" figure by simply doing an internal MySpace search (powered by Google) with "profile.myspace.com.index.cfm.fuseaction.user.viewprofile.friendid." (with quotes) as the search string. Note that a Google result count is an estimate of indexed pages matching the string, not a tally of distinct URLs, so the figure is indicative rather than exact. When I did the same search, the result count was 5,490,000.

[Screenshot: search results showing over 5 million MySpace phishing URLs]

In Summary:
MySpace’s ill-fated security measures are adding perceived legitimacy to this widespread phishing scheme. Symantec left a bunch of security researchers scratching their heads by posting an oddly goofy blog entry. And, ninjas are freaking awesome.

Categories: MySpace, Phishing
  1. February 22nd, 2008 at 08:06

    I am putting this out in bulletin, Lolo

    As always, I appreciate your efforts to scrutinize the site and produce not only the information but the evidence to support it. I am honestly surprised they have not canceled you yet.

  2. ImTrixKat
    February 23rd, 2008 at 00:18

    Yay, Mr. Ninja, kudos for such an excellent explanation that someone like me, who has fallen behind somewhat in the tech area, can understand, complete with examples. It's nice not to be one of those scratching their heads!
    Thanks for being kind to someone who always *smiles and nods* when over her head! lolz <3
    L