QuickTime Embeds: MySpace Spammers New Best Friend
Now, spammers have found a new best friend: QuickTime Embeds that auto-redirect to the url of their choosing. This morning I logged into my MySpace and saw the following bulletin:
OMG!! UNLIMITED ringtones for ur phone!!!d0244
This site is a fukin ringtone GOLDMINE!!! I have no idea how they get away with this!!! Click on the link below to check it out!
The bulletin was not posted by the owner of the account which it was sent from. The spammer posted it from his account after phishing him.
The “d0244″ at the end of the title and the bogus friend ID (2a690aa49d) on that hyperlink’s anchor text are randomly generated text that goes out with each bulletin in order to make each one unique to avoid MySpace’s spam filter. Each bulletin? Yeah, turds like this send spam from hundreds of Phished MySpace accounts at once by setting up the account chaining feature that is available on MySpace bot programs.
Anyhoo, when I visited the MySpace url linked to in that bulletin I landed on a profile that had a short little QuickTime movie embedded on it that redirected me to an affiliate landing page being used to market Jamster Ringtones.
It’s easy to set WMVs to launch a url at any point during a video, but Window’s default security settings prevent these from being effective. I didn’t know that QuickTime movies aren’t blocked from doing the same thing. This little tidbit of info might end up being very problematic for MySpace starting right about… Now. Being able to automatically launch urls from a person’s browser while they are logged into MySpace opens up the door to rampant worms and self-spreading spam once again.
So, did you track down this particular spammer and piss in his cornflakes?
You bet your sweet ass I did. I downloaded the QuickTime movie that was embedded on that MySpace profile and took a look at it in a text editor. That revealed the affiliate link that it was launching. From there I was able to track down which CPA affiliate network this spammer is sending his traffic to Jamster through. I sent a email to the “report abuse” address of that network’s parent company and CC-ed it to their Marketing Director, Public Relations Manager, and to the info address over at Jamster.
Here’s the email I sent them:
Major abuse report. *Reply Requested*
One of your CPAEmpire affiliates has created a QuickTime movie that
auto-redirects a browser to the “JAMSTER! USA – Ringtone Super Site
(3294)” campaign on your network. The affiliate in question is
embedding this movie into fake MySpace profiles and pumping traffic to
them by spamming the MySpace bulletin area from accounts he/she
compromised via phishing (spoof MySpace log-in pages).
An example of such a MySpace profile can be found here:
That profile might be deleted by the time you read this. The QuickTime
movie that is/was embedded on it can be found here (I also attached it
to this e-mail):
The domain it is hosted on; predictably enough, is registered
privately via “Domains by Proxy, Inc”.
When viewing the QuickTime movie in any text editor you can see that
the url it is redirecting traffic to is:
I will be posting a blog entry about this today and would appreciate a
response detailing how you plan to deal with this situation ASAP.
After receiving your response, I will update my blog entry with it.
It’ll be interesting to see how they react to that message. If they send anything my way I’ll post it here.
Not long after posting this blog entry the affiliate link that the QuickTime movie was sending traffic to died. When you visit the link now you get redirected to a page which says “This affiliate account has been terminated due to violation of our policies”.
Fair enough, right? Wrong.
The spammer in question is still doing the exact same thing from a different CPAEmpire affiliate account. Everything is the exact same except the affiliate tracking url the movie is redirecting traffic to. It’s now pumping traffic to that Jamster landing page via this url:
And, CPAEmpire set my affiliate account to inactive status. I’ve had that account with them for over a year, but never sent them any traffic. So… It’s not really a big deal. It’s just interesting to note that they obviously don’t want me poking around their site. Something sure smells scum-tastic to me.
I just sent them the following message. Once again I CC-ed to to all the key players.
Yesterday I sent over the below abuse report. Since that time I see
that the tracking url he/she was sending the traffic to now redirects
to http://www.optinbig.com/terminated.html which says that his/her
affiliate account has been terminated.
Well, the affiliate in question is doing the exact same thing from a
different account now. The tracking url in the movie has been changed
I find it interesting that you guys ignored my “reply request” and
have given me the silent treatment. I also find it interesting that
the affiliate account I’ve had with you guys for over a year now has
been set to inactive and I can no longer log in as I did yesterday
when looking into this matter. Sure, I never sent you guys any traffic
so it’s a “no harm, no foul” kinda issue, but it sure doesn’t paint a
pretty picture of your organization.
Again, I ask that you reply to this message and let me know what is
going to be done about this affiliate. I also ask that you reveal
I seriously doubt that I’ll get a response from them. At the very least, it’ll be interesting to see how this plays out. I’ll continue to update this blog entry with any new developments.