QuickTime Embeds: MySpace Spammers New Best Friend

After getting hit with the Flying Spaghetti Monster Worm (NSFW-ish link) and the 9/11 Worm, and after approximately a gazillion billion members were infected with adware by downloading some garbage after being auto-redirected to fake MySpace IM & Porn Sites, MySpace implemented their Flash 9 security update in July. Sure, this was a major blow to the legit companies who feed the MySpace beast with widgets, but at least it slowed down the MySpace-to-SpamSpace morph. Since that time, MySpace has been hit by a number of small worms that employed JavaScript workarounds, but those only required small patches to send them the way of the dinosaurs.

Now, spammers have found a new best friend: QuickTime Embeds that auto-redirect to the url of their choosing. This morning I logged into my MySpace and saw the following bulletin:

Title:
OMG!! UNLIMITED ringtones for ur phone!!!d0244

Body:
This site is a fukin ringtone GOLDMINE!!! I have no idea how they get away with this!!! Click on the link below to check it out!

http://profile.myspace.com/(url-truncated)&friendid=2a690aa49d


The bulletin was not posted by the owner of the account which it was sent from. The spammer posted it from his account after phishing him.

The “d0244” at the end of the title and the bogus friend ID (2a690aa49d) on that hyperlink’s anchor text are randomly generated text that goes out with each bulletin in order to make each one unique to avoid MySpace’s spam filter. Each bulletin? Yeah, turds like this send spam from hundreds of phished MySpace accounts at once by setting up the account chaining feature that is available on MySpace bot programs.
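From the filtering side, per-message random tokens only defeat exact-match comparison. The sketch below is an added example, not code from this post or from MySpace: it strips the two randomized parts before hashing and flags any bulletin text sent by several accounts. The regex shapes, the `min_senders` threshold, the account names and the sample bulletins are all assumptions constructed for illustration.

```python
import hashlib
import re
from collections import defaultdict

# Assumed token shapes, based on the single bulletin quoted above: a short hex
# run glued to the title's closing punctuation, and the friendid value.
TITLE_TOKEN = re.compile(r"(?<=[^\w\s])[0-9a-f]{4,8}$", re.I)
FRIEND_ID = re.compile(r"(friendid=)[0-9a-z]+", re.I)

def fingerprint(title, body):
    """Hash a bulletin after removing the per-message random parts."""
    title = TITLE_TOKEN.sub("", title.strip())
    body = FRIEND_ID.sub(r"\1*", body)
    text = " ".join((title + "\n" + body).lower().split())
    return hashlib.sha256(text.encode("utf-8")).hexdigest()

def campaigns(bulletins, min_senders=3):
    """Group (sender, title, body) tuples; keep texts sent by many accounts."""
    senders = defaultdict(set)
    for sender, title, body in bulletins:
        senders[fingerprint(title, body)].add(sender)
    return {fp: sorted(s) for fp, s in senders.items() if len(s) >= min_senders}

# Constructed bulletins (hypothetical senders and URLs), not real MySpace data.
BODY = "Check out this site! http://profile.example/view?id=1&friendid=%s"
SAMPLE = [
    ("acct_a", "FREE ringtones!!!a91c3", BODY % "5d20e7c1b4"),
    ("acct_b", "FREE ringtones!!!9fe31", BODY % "77c01b3e2f"),
    ("acct_c", "FREE ringtones!!!0b7a6", BODY % "e41d9905ab"),
    ("acct_d", "Band practice moved to 8pm", "See you at the usual place."),
]

if __name__ == "__main__":
    for fp, accounts in campaigns(SAMPLE).items():
        print(fp[:12], accounts)
```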

Anyhoo, when I visited the MySpace url linked to in that bulletin I landed on a profile that had a short little QuickTime movie embedded on it that redirected me to an affiliate landing page being used to market Jamster Ringtones.

It’s easy to set WMVs to launch a url at any point during a video, but Windows’ default security settings prevent these from being effective. I didn’t know that QuickTime movies aren’t blocked from doing the same thing. This little tidbit of info might end up being very problematic for MySpace starting right about… Now. Being able to automatically launch urls from a person’s browser while they are logged into MySpace opens up the door to rampant worms and self-spreading spam once again.

So, did you track down this particular spammer and piss in his cornflakes?

You bet your sweet ass I did. I downloaded the QuickTime movie that was embedded on that MySpace profile and took a look at it in a text editor. That revealed the affiliate link that it was launching. From there I was able to track down which CPA affiliate network this spammer is sending his traffic to Jamster through. I sent an email to the “report abuse” address of that network’s parent company and CC-ed it to their Marketing Director, Public Relations Manager, and to the info address over at Jamster.
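The same triage can be scripted instead of eyeballed in a text editor. This is an added example, not part of the original post: it walks the movie's atoms (4-byte big-endian size, 4-byte type) and reports every URL-like string with the atom it sits in, falling back to a raw scan when the structure is malformed. The sample bytes and the `tracker.example` URL are constructed placeholders, not the file described here.

```python
import re
import struct

# Atom types that only hold other atoms, so the walker descends into them.
CONTAINERS = {b"moov", b"trak", b"mdia", b"minf", b"stbl", b"udta"}
URL_RE = re.compile(rb"https?://[\x21-\x7e]+")

def walk_atoms(data, start=0, end=None, path=""):
    """Yield (path, payload_offset, payload) for each leaf atom."""
    end = len(data) if end is None else end
    pos = start
    while pos + 8 <= end:
        size, kind = struct.unpack(">I4s", data[pos:pos + 8])
        header = 8
        if size == 1 and pos + 16 <= end:   # 64-bit size follows the type
            size, header = struct.unpack(">Q", data[pos + 8:pos + 16])[0], 16
        elif size == 0:                     # atom runs to the end of the data
            size = end - pos
        if size < header or pos + size > end:
            yield path + "/?", pos, data[pos:end]  # malformed: scan the rest raw
            return
        name = path + "/" + kind.decode("latin-1")
        if kind in CONTAINERS:
            yield from walk_atoms(data, pos + header, pos + size, name)
        else:
            yield name, pos + header, data[pos + header:pos + size]
        pos += size

def embedded_urls(data):
    """Return [(atom_path, file_offset, url)] for URL-like strings found."""
    return [(name, off + m.start(), m.group().decode("ascii"))
            for name, off, payload in walk_atoms(data)
            for m in URL_RE.finditer(payload)]

def atom(kind, payload):
    """Build one atom: 4-byte big-endian size, 4-byte type, payload."""
    return struct.pack(">I4s", 8 + len(payload), kind) + payload

# Constructed sample, not the file from this post: a movie-shaped blob with a
# placeholder tracking URL in the media data.
SAMPLE = (
    atom(b"ftyp", b"qt  \x00\x00\x00\x00qt  ")
    + atom(b"moov", atom(b"udta", atom(b"\xa9nam", b"\x00\x05\x00\x00promo")))
    + atom(b"mdat", b"\x00\x01\x02http://tracker.example/ez/abc/&dp=1&l=0&p=0\x00")
)

if __name__ == "__main__":
    for name, off, url in embedded_urls(SAMPLE):
        print(f"{name} @ {off}: {url}")
```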

Here’s the email I sent them:

Subject:
Major abuse report. *Reply Requested*

Body:
Hey,

One of your CPAEmpire affiliates has created a QuickTime movie that
auto-redirects a browser to the “JAMSTER! USA – Ringtone Super Site
(3294)” campaign on your network. The affiliate in question is
embedding this movie into fake MySpace profiles and pumping traffic to
them by spamming the MySpace bulletin area from accounts he/she
compromised via phishing (spoof MySpace log-in pages).

An example of such a MySpace profile can be found here:

http://profile.myspace.com/index.cfm?fuseaction=user.viewprofile&friendid=127979848

That profile might be deleted by the time you read this. The QuickTime
movie that is/was embedded on it can be found here (I also attached it
to this e-mail):

http://www.arcadealert.com/jamster.mov

The domain it is hosted on, predictably enough, is registered
privately via “Domains by Proxy, Inc”.

http://www.dnsstuff.com/tools/whois.ch?ip=www.arcadealert.com&src=ShowIP

When viewing the QuickTime movie in any text editor you can see that
the url it is redirecting traffic to is:

http://ekmas.com/ez/bvynkdfsqevy/&dp=410768&l=0&p=0

I will be posting a blog entry about this today and would appreciate a
response detailing how you plan to deal with this situation ASAP.
After receiving your response, I will update my blog entry with it.

Best Regards,
LoLo


It’ll be interesting to see how they react to that message. If they send anything my way I’ll post it here.

Update:
Not long after posting this blog entry the affiliate link that the QuickTime movie was sending traffic to died. When you visit the link now you get redirected to a page which says “This affiliate account has been terminated due to violation of our policies”.

Fair enough, right? Wrong.
The spammer in question is still doing the exact same thing from a different CPAEmpire affiliate account. Everything is the exact same except the affiliate tracking url the movie is redirecting traffic to. It’s now pumping traffic to that Jamster landing page via this url:

http://ekmas.com/ez/ckkqnlpizaks/&dp=422658&l=0&p=0

And, CPAEmpire set my affiliate account to inactive status. I’ve had that account with them for over a year, but never sent them any traffic. So… It’s not really a big deal. It’s just interesting to note that they obviously don’t want me poking around their site. Something sure smells scum-tastic to me.

I just sent them the following message. Once again I CC-ed it to all the key players.

Hello again,

Yesterday I sent over the below abuse report. Since that time I see
that the tracking url he/she was sending the traffic to now redirects
to http://www.optinbig.com/terminated.html which says that his/her
affiliate account has been terminated.

Well, the affiliate in question is doing the exact same thing from a
different account now. The tracking url in the movie has been changed
to:

http://ekmas.com/ez/ckkqnlpizaks/&dp=422658&l=0&p=0

I find it interesting that you guys ignored my “reply request” and
have given me the silent treatment. I also find it interesting that
the affiliate account I’ve had with you guys for over a year now has
been set to inactive and I can no longer log in as I did yesterday
when looking into this matter. Sure, I never sent you guys any traffic
so it’s a “no harm, no foul” kinda issue, but it sure doesn’t paint a
pretty picture of your organization.

Again, I ask that you reply to this message and let me know what is
going to be done about this affiliate. I also ask that you reveal
his/her identity.

Best Regards,
LoLo

I seriously doubt that I’ll get a response from them. At the very least, it’ll be interesting to see how this plays out. I’ll continue to update this blog entry with any new developments.

13 thoughts on “QuickTime Embeds: MySpace Spammers New Best Friend”

  1. Thanks so much for all of your hard work to keep these scum bags at bay! You do all of the dirty work no one else dares to! Rock on LoLo!

  2. I wasn’t aware you could put a link inside a movie. However, I did know you could redirect people via an autohref in a QuickTime embed, and MySpace still does not block that code.

  3. I was under the assumption that ekmas.com is owned by CPAEmpire (optinbig? same thing.)

    They’ve been one of the largest spammers for months.. and the links never die. I could be wrong, but I’m pretty sure CPAEmp is doing some phishing/spamming of their own.

  4. Okay cool, now check it out. I got an iPod, needed iTunes to import my CDs to MP3. I didn’t want the QuickTime, but I need it to run with iTunes. I also have an account w/ MySpace, but where I used to have a song playing with a player I was using from songarea.com, it is now a stupid Q and no song.

