GhettoWebmaster.com

Last night The X-Generation of Smileys messaged me with what I assumed to be total BS / lameness…

Check this out, there’s a profile with a Gucci bag spam comment from Tom.

I’ve seen fake Tom comments, bulletins, blog entries, and forum posts on MySpace a zillion times. The better ones use various CSS / HTML hackery to make his avatar link back to his real profile and everything. So, it’s not uncommon for MySpace users to think that spam is being posted from Tom Anderson’s real account. The guy who sent that message over isn’t an eTard though, so I checked out the profile in question via the blog that first posted the link.

After looking over the source of that page, I can assure you that the comment spam was posted from Tom’s real account.

LOLz!!!1 Tom just got totally pwned, right?

Not really. The MySpace security team just got pwned. This is a huge slap in the face to the company lines they use when asked about such problems, especially the “we have a good team on it” one. That’s a topic for another time though.

So, how did this happen?
Randomly… The comment is a month old so it’d take too much effort on my part to nail down exactly what happened. It certainly wasn’t anything planned for Tom though. He simply visited an infected page on MySpace or an external site while logged into his account. We’ve all seen such stuff plenty of times before. I’m not sure if the scripting on said page was set up to propagate in typical worm fashion or just do a quick one shot kinda deal. Either way, that’s what happened. The only other three insanely remote possibilities are… 1. He had his cookies jacked from a browser session. 2. He fell for a spoof login page and got phished. 3. It was a alien conspiracy carried out by Bigfoot in response to the truth about the Titanic.

Well, who randomly pulled this off?
In spite of the asshat hiding behind a whole lot of lameness, he was a piece of cake to nail down. Like, so…

- The “Free Gucci Bag” links in that spam comment were linked to orderbuzz.com which is registered privately. And, I’d bet my left nut that the hosting account is in a bogus name / paid for from a throwaway account of some sort. Otherwise he wouldn’t bother trying so hard to hide this next bit of info…
- OrderBuzz.com simply loads up that BS Gucci “offer” landing page in a frame or forwards you over to it – depending on your browser setup. And, the affiliate tracking link is masked via hexadecimal url encoding. Apparently this was enough to have MySpace throw in the towel and call it a day on this guy – if they even bothered to look that far.

Dear MySpace insecurity team,
All that %68%74%74 junk translates into http://millnicmedia.directtrack.com/sw/4999/CD69/

http:// millnicmedia . directtrack .com/sw/4999/ CD69 /

That’s clearly affiliate ID #69 from Millnic Media who use the Direct Track affiliate script. You might want to give them a shout. I know that you haven’t done so already since that ID is still active on their network. It’s either them pretending to be a rogue affiliate on their own network or the real deal. Either way, they know who it is.

P.S.
If your legal team is every bit as competent as your security guys, just go ahead and firebomb the data centers you host out of. It’ll make this a lot quicker for all of us.