GhettoWebmaster.com

Email I just received:

Dear LoLo,

We recently learned that certain Elance user information was accessed without authorization, including potentially yours. The data accessed was contact information — specifically name, email address, telephone number, city location and Elance login information (passwords were protected with encryption). This incident did NOT involve any credit card, bank account, social security or tax ID numbers.

We have remedied the cause of the breach and are working with appropriate authorities. We have also implemented additional security measures and have strengthened password requirements to protect all of our users.

We sincerely regret any inconvenience or disruption this may cause.

If you have any unanswered questions and for ongoing information about this matter, please visit this page in our Trust & Safety center: http://www.elance.com/p/trust/account_security.html

For information on re-setting your password, visit: http://help.elance.com/forums/30969/entries/47262

Thank you for your understanding,

Michael Culver
Vice President
Elance

————————————-

From their page with info on the hack:

“The hackers accessed a user data table that contained contact information including name, email address, telephone number, city location, and log-in information.”

^^ Always use different passwords for every site reason number 10,467.

I imagine someone is working on a little data scraping script to get the demographic information associated with all of those Elance accounts. They will likely break the emails up into niche lists and then sell them off to email spammers. If you see any email lists for say 6,000+ ASP developers you can have one guess on where it came from.

Additional coverage:
TechCrunch: Elance Hit By Security Breach

Friday morning I got an interesting email…

Looks like a typical phishing email, right? Sure. There were two things that got my attention though…

1. It got through Gmail’s spam filter.
2. The link went to PayPal’s real login page. WTF?

Usually, a phishing email will use the correct address as the anchor text of a spoof log-in page link. Simply mousing over such a link reveals the true link in your status bar though. So, it’s fairly easy even for a novice computer user to spot as BS.

Example:
https://www.paypal.com/cgi-bin/webscr?cmd=_login-run

Viewing the source code of the original email revealed an epic fail.

<a class="Style5 Style2"
onmouseover="window.status='https://www.paypal.com/cgi-bin/webscr?cmd=_login-run'; return true" onmouseout="window.status=''" target="_blank" href="http://pimpyaho.com/functions/us/"> <font size=3D"2">https://www.paypal.com/cgi-bin/webscr?cmd=3D_login-run</font></a> </font>

The above shows that this retard was trying the old use JavaScript to make the status bar display whatever you want trick. Too bad for this idiot, modern email clients filter JavaScript. In both Gmail and Yahoo that code ended up looking like the below.

<a href="http://pimpyaho.com/functions/us/" target="_blank"><font size="2"></font></a>
<font size="2"><a href="https://www.paypal.com/cgi-bin/webscr?cmd=_login-run" target="_blank">https://www.paypal.com/cgi-bin/webscr?cmd=_login-run</a>

So, the link ended up pointing to the real PayPal login. Epic fail, indeed.

Digging further, I saw that the phishing page he intended to send people to was on a porn site. The site is part of a lucrative network owned by a guy whom I made an ad buy from in the past. His ad system requires a person to sign up as a regular member of his site before making a purchase. This explained how I ended up getting that email. His user database had obviously been compromised.

I posted some info about this mess on a forum he hangs out on to make sure he knew what was happening and to get more info.

Here’s the skinny:

1. Homeboy hired an outside company to develop a bespoke chat solution for one of the sites sitting on that server.

2. Said company was given shell access to speed up the delivery of the product, etc.

3. A shoutcast server magically began running on the server – pushing 25Mbit of bandwidth.
Side note: The files had been removed so there was no shoutcast config. Once shoutcast has been started, it doesn’t require its own files in Linux to continue to run, so they were obviously removed in an attempt to hide it.

4. “[After discovering / removing the phishing setup] the files popped back [within seconds]… I then shut down pimpyaho.com, so the site physically wasn’t running… still the files came back. This meant the user HAD to have some sort of shell access.”

5. “Have now sorted the breach and made sure it can’t happen again. I can tell you that they managed to get hold of around 16,000 email addresses, however the [other site's user] database is up around 80k, so at least they didn’t get hold of that.”

Ouchness++

Jim and James over at HotOrNot.com just made some major changes…

Just wanted to drop you a note to let you know that we’ve made HOTorNOT free! You no longer need to buy a star membership in order to write your double matches ;)

We’ve made a lot of changes to the site recently and much more is in the works. So if you haven’t been on in a while, log back in and check it out!

The free as in beer thing was inevitable with all the social networking sites now. The only surprise was that it didn’t happen sooner. The “lot of changes” line piqued my interest enough to log in to see what was up though. That’s where I found the huge surprise: a site finally managed to be less secure than MySpace. Seriously, it’s that bad. The new Hot or Not is wide open to massive spam campaigns, XSS worms, and all sorts of tomfoolery. It is nothing short of being the Script Kiddies and Spammers Paradise of the moment.

After giving myself a two minute self tour, this is what I discovered and was able to do:

The “lot of change” that opened the flood gates is their new “Super Profiles”. There’s nothing really super about them. They are just profile pages with some extremely basic social networking features. Just like in MySpace Land, the user customization is where it gets ugly.

Read more…

* Links which are not safe for viewing at work are marked as “NSFW” *

The gist:
My buddy Rudy runs one of the many porn site YouTube clones, xxxuploads.com (NSFW). On Easter Sunday he woke up to all sorts of fun. His two media servers had been hacked and over 7500 videos were deleted. The only thing left on those subdomains were index pages entitled “STOP PORNO” with the below message and Muslim Prayer Call video embedded from YouTube:

In the name of Allah, Most Gracious, Most Merciful

No big deal. He could surely just restore everything from his backups, right? Wrong. His admin set them up wrong, so nothing had ever been backed up. Well, couldn’t he just do a restore? Nopers, those boxes were setup with ext3 filesystems. So, he had to start from scratch and all the sites that have pre-hack videos embedded from his site are screwed.

How it was done:
The sysadmin went through the logs and there was no evidence of anyone logging in via SSH or anything like that. His best guess is that they gained FTP access via a proftpd exploit.

Read more…

Yesterday, a metric ton of MySpace accounts were infected with yet another worm. As I predicted ten days ago, it was accomplished via a QuickTime embed. Visiting the profile of anyone infected would cause the navigation links across the top of your profile (Home | Browse | Search | Invite | etc…) to be replaced by fake navigation links which all linked to a spoof MySpace login page via some basic CSS and HTML added to your “About Me” section. And, the QuickTime embed was added to one of your “Interests” sections to further propagate this worm / phishing attack. At a glance, this looked like nothing more than that: a worm being used to phish MySpace passwords.

Read more…