GhettoWebmaster.com

LoLo’s safe for work blog about Internet scams, deceptive marketing, spam, spyware, adware, and other asshatery.

  • Home
  • About Me
  • Contact
  • Press Coverage

27

Jan

Porn Site Hacked, 16K Emails Snatched, Epic Fail at PayPal Phishing Attempt

Posted by LoLo  Published in Hacking, Phishing, Porn, Spam

Friday morning I got an interesting email…

PayPal Phishing Email

Looks like a typical phishing email, right? Sure. There were two things that got my attention though…

1. It got through Gmail’s spam filter.
2. The link went to PayPal’s real login page. WTF?

Usually, a phishing email will use the correct address as the anchor text of a spoof log-in page link. Simply mousing over such a link reveals the true link in your status bar though. So, it’s fairly easy even for a novice computer user to spot as BS.

Example:
https://www.paypal.com/cgi-bin/webscr?cmd=_login-run

Viewing the source code of the original email revealed an epic fail.

<a class="Style5 Style2"
onmouseover="window.status='https://www.paypal.com/cgi-bin/webscr?cmd=_login-run'; return true" onmouseout="window.status="" target="_blank" href="http://pimpyaho.com/functions/us/"> <font size=3D"2">https://www.paypal.com/cgi-bin/webscr?cmd=3D_login-run</font></a> </font>

The above shows that this retard was trying the old use JavaScript to make the status bar display whatever you want trick. Too bad for this idiot, modern email clients filter JavaScript. In both Gmail and Yahoo that code ended up looking like the below.

<a href="http://pimpyaho.com/functions/us/" target="_blank"><font size="2"></font></a>
<font size="2"><a href="https://www.paypal.com/cgi-bin/webscr?cmd=_login-run" target="_blank">https://www.paypal.com/cgi-bin/webscr?cmd=_login-run</a>

Epic Fail So, the link ended up pointing to the real PayPal login. Epic fail, indeed.

Digging further, I saw that the phishing page he intended to send people to was on a porn site. The site is part of a lucrative network owned by a guy whom I made an ad buy from in the past. His ad system requires a person to sign up as a regular member of his site before making a purchase. This explained how I ended up getting that email. His user database had obviously been compromised.

I posted some info about this mess on a forum he hangs out on to make sure he knew what was happening and to get more info.

Here’s the skinny:

1. Homeboy hired an outside company to develop a bespoke chat solution for one of the sites sitting on that server.

2. Said company was given shell access to speed up the delivery of the product, etc.

3. A shoutcast server magically began running on the server - pushing 25Mbit of bandwidth.
Side note: The files had been removed so there was no shoutcast config. Once shoutcast has been started, it doesn’t require its own files in Linux to continue to run, so they were obviously removed in an attempt to hide it.

4. “[After discovering / removing the phishing setup] the files popped back [within seconds]… I then shut down pimpyaho.com, so the site physically wasn’t running… still the files came back. This meant the user HAD to have some sort of shell access.”

5. “Have now sorted the breach and made sure it can’t happen again. I can tell you that they managed to get hold of around 16,000 email addresses, however the [other site’s user] database is up around 80k, so at least they didn’t get hold of that.”

Ouchness++

no comment

2

May

Hot or Not Revamped: Script Kiddies and Spammers Paradise

Posted by LoLo  Published in Code, Hacking, Spam, Worms

Jim and James over at HotOrNot.com just made some major changes…

Just wanted to drop you a note to let you know that we’ve made HOTorNOT free! You no longer need to buy a star membership in order to write your double matches ;)

We’ve made a lot of changes to the site recently and much more is in the works. So if you haven’t been on in a while, log back in and check it out!

The free as in beer thing was inevitable with all the social networking sites now. The only surprise was that it didn’t happen sooner. The “lot of changes” line piqued my interest enough to log in to see what was up though. That’s where I found the huge surprise: a site finally managed to be less secure than MySpace. Seriously, it’s that bad. The new Hot or Not is wide open to massive spam campaigns, XSS worms, and all sorts of tomfoolery. It is nothing short of being the Script Kiddies and Spammers Paradise of the moment.

After giving myself a two minute self tour, this is what I discovered and was able to do:

The “lot of change” that opened the flood gates is their new “Super Profiles”. There’s nothing really super about them. They are just profile pages with some extremely basic social networking features. Just like in MySpace Land, the user customization is where it gets ugly.


continue reading "Hot or Not Revamped: Script Kiddies and Spammers Paradise"

20 comments

21

Apr

Online Jihad: Porn site hacked on Easter Sunday

Posted by LoLo  Published in Hacking, Porn

* Links which are not safe for viewing at work are marked as “NSFW” *

The gist:
My buddy Rudy runs one of the many porn site YouTube clones, xxxuploads.com (NSFW). On Easter Sunday he woke up to all sorts of fun. His two media servers had been hacked and over 7500 videos were deleted. The only thing left on those subdomains were index pages entitled “STOP PORNO” with the below message and Muslim Prayer Call video embedded from YouTube:

In the name of Allah, Most Gracious, Most Merciful

No big deal. He could surely just restore everything from his backups, right? Wrong. His admin set them up wrong, so nothing had ever been backed up. Well, couldn’t he just do a restore? Nopers, those boxes were setup with ext3 filesystems. So, he had to start from scratch and all the sites that have pre-hack videos embedded from his site are screwed.

How it was done:
The sysadmin went through the logs and there was no evidence of anyone logging in via SSH or anything like that. His best guess is that they gained FTP access via a proftpd exploit.


continue reading "Online Jihad: Porn site hacked on Easter Sunday"

39 comments

30

Nov

MySpace Worm: Phishing Accounts and Spreading Zango Porn

Posted by LoLo  Published in Adware, Code, Hacking, MySpace, Phishing, Worms, Zango

Yesterday, a metric ton of MySpace accounts were infected with yet another worm. As I predicted ten days ago, it was accomplished via a QuickTime embed. Visiting the profile of anyone infected would cause the navigation links across the top of your profile (Home | Browse | Search | Invite | etc…) to be replaced by fake navigation links which all linked to a spoof MySpace login page via some basic CSS and HTML added to your “About Me” section. And, the QuickTime embed was added to one of your “Interests” sections to further propagate this worm / phishing attack. At a glance, this looked like nothing more than that: a worm being used to phish MySpace passwords.


continue reading "MySpace Worm: Phishing Accounts and Spreading Zango Porn"

68 comments

Search

Categories

  • Adware (4)
  • Code (3)
  • Fraud (1)
  • General (5)
  • Google (1)
  • Hacking (4)
  • Legal (4)
  • Marketing (1)
  • MySpace (24)
  • Parenting 2.0 (1)
  • Phishing (3)
  • Porn (4)
  • Spam (7)
  • Video (1)
  • Wordpress (1)
  • Worms (4)
  • YouTube (1)
  • Zango (5)

My Hood

  • MySpace Hear Anyone?
  • My MySpace
  • My FaceBook
  • RetardedTShirts.com
  • BurntPickle.com (NSFW)
  • AdultJokes.com (NSFW)
  • DearFEMA.com

Subscribe

  • Main Entries Rss
  • Comments Rss

Archives

  • March 2008 (1)
  • February 2008 (4)
  • January 2008 (7)
  • November 2007 (3)
  • September 2007 (1)
  • July 2007 (2)
  • June 2007 (2)
  • May 2007 (4)
  • April 2007 (4)
  • March 2007 (1)
  • February 2007 (1)
  • January 2007 (3)
  • December 2006 (1)
  • November 2006 (2)
  • October 2006 (2)

Caveat Emptor

Recent Posts

  • Financial Site: Open to XSS Attacks and Other Hacks
  • MySpace Censorship: Filtering Images Gone Wild
  • Symantec found over 5 million phishing urls posted on MySpace
  • US Airways wants me to get you sick, today.
  • Strange Google Results
  • Florida Cybercrimes Unit Hiding Evidence - Self Pwnage
  • Snopes.com: Rumor has it that they are funded by AdWare
  • Porn Site Hacked, 16K Emails Snatched, Epic Fail at PayPal Phishing Attempt
  • Florida Cybercrimes: See how ludicrous this thing is?
  • MySpace Spamming Botnet setup in development?

Recent Comments

  • marty: Thank you so much!!!!!!!!! I’m One of thoes fast typers that could have very eaisly fallen prey to some son of a...
  • unknown soldier: Actually Tom never got hacked, myspace was just testing out new spam comments, they were after all started by...
  • tiffany: no one knows my p-word any ways becides me….. well at least i think soo…
  • tiffany: i was not hacked……..( well not yet). i am not alowed to be on myspace… that is what my dad says and...
  • The Guy your mom warned you about: Damn, too bad I’m retired ;-) But seriously, to all those who think Lolo is...
  • LoLo: I’ve just been taking a break of sorts from the net to get some off-line things in order. This post will be the...

Caveat Emptor

© Copyright 2006 - Present | All Rights Reserved by LoLo
Powered by WordPress Theme by Wired Studios