GhettoWebmaster.com

…yet their blog entry about this missed some key points. And, it’s odd that they were reluctant to post all the information on their findings: full urls, search strings used to get those numbers, the “certain social networking site” in question when they were clearly writing about MySpace, etc. Such cloak and dagger stuff isn’t productive and it caused legitimate confusion among other security researchers. Silly Symantec.

The Basic Gist:

• URLs on some nondescript numeric .cn domains (91872802.cn, 5187622.cn, etc) are being used as landing pages for a phishing campaign on MySpace.
• The urls are structured via subdomain usage in a way so that they mimic legitimate MySpace profile urls with the second-level domain / numeric portion serving as the spoof MySpace friend ID number…
  Real profile url structure:
  profile.myspace.com/index.cfm?fuseaction=user.viewprofile&friendid=[ID #]
  Fake profile / phishing page url structure:
  profile.myspace.com.index.cfm.fuseaction.user.viewprofile.friendid.[.cn domain]
• Said urls are posted (typically as text) along with some teaser text in the comment section of MySpace user profiles from accounts on their friend list which have already been compromised.
• Besides hosting the spoof login pages, those urls are packed with some other nasty exploits aimed at fuckerizing (technical speak :P) a visitor’s PC.

Key Points Symantec Missed:

• By posting the urls as text (forcing users to cut and paste them into their browser’s address bar) this phishing campaign slips right past MySpace’s (thus far extremely ineffective and counterproductive) link filtering and external link warning page nonsense.
• The bad guys have sank to a whole new yet extremely effective level with varying teaser text suggesting that the link goes to the profile of a recently deceased MySpace user…

  

  Such text is sure to generate more interest in the spoof login url from passersby who are stalking taking a look at someone’s profile.

• There is a slight variation going around where that it’s an actual link using a properly structured MySpace profile url as the anchor text. And, it completely circumvents MySpace’s filtering and external link warning when clicked via one of many methods currently being employed by MySpace spammers.

  Example:
  http://profile.myspace.com/index.cfm?fuseaction=user.viewprofile&friendid=[ID #]

  In action, the above link would contain some extra code which allows it to be posted on MySpace without being converted into a msplinks.com link (MySpace’s lackluster url filtering solution). By default, this also bypasses MySpace’s new external link warning:

  

  Since MySpace users are accustomed to external links being converted into MSPLinks.com links and having to pass through that new warning page, malicious links coded to circumvent those systems appear to be legitimate internal MySpace urls.

• Some might argue that the urls posted as text cannot be as effective as clickable links since they require a MySpace user to cut and paste the url into their address bar. This is true to a point but MySpace’s insanely glitchy link filtering solution regularly filters non-malicious urls. This has created an environment where that some MySpace users familiar with this issue simply post urls as text to avoid any possible filtering. So, many users are now accustomed to copying and pasting urls posted as text.

Symantec’s Numbers:
They got their “more than five million” figure by simply doing an internal MySpace search (powered by Google) with “profile.myspace.com.index.cfm.fuseaction.user.viewprofile.friendid.” (with quotes) as the search string. When I did the same search the results were numbered at 5,490,000.

In Summary:
MySpace’s ill-fated security measures are adding perceived legitimacy to this widespread phishing scheme. Symantec left a bunch of security researchers scratching their heads by posting an oddly goofy blog entry. And, ninjas are freaking awesome.

Friday morning I got an interesting email…

Looks like a typical phishing email, right? Sure. There were two things that got my attention though…

1. It got through Gmail’s spam filter.
2. The link went to PayPal’s real login page. WTF?

Usually, a phishing email will use the correct address as the anchor text of a spoof log-in page link. Simply mousing over such a link reveals the true link in your status bar though. So, it’s fairly easy even for a novice computer user to spot as BS.

Example:
https://www.paypal.com/cgi-bin/webscr?cmd=_login-run

Viewing the source code of the original email revealed an epic fail.

<a class="Style5 Style2"
onmouseover="window.status='https://www.paypal.com/cgi-bin/webscr?cmd=_login-run'; return true" onmouseout="window.status=''" target="_blank" href="http://pimpyaho.com/functions/us/"> <font size=3D"2">https://www.paypal.com/cgi-bin/webscr?cmd=3D_login-run</font></a> </font>

The above shows that this retard was trying the old use JavaScript to make the status bar display whatever you want trick. Too bad for this idiot, modern email clients filter JavaScript. In both Gmail and Yahoo that code ended up looking like the below.

<a href="http://pimpyaho.com/functions/us/" target="_blank"><font size="2"></font></a>
<font size="2"><a href="https://www.paypal.com/cgi-bin/webscr?cmd=_login-run" target="_blank">https://www.paypal.com/cgi-bin/webscr?cmd=_login-run</a>

So, the link ended up pointing to the real PayPal login. Epic fail, indeed.

Digging further, I saw that the phishing page he intended to send people to was on a porn site. The site is part of a lucrative network owned by a guy whom I made an ad buy from in the past. His ad system requires a person to sign up as a regular member of his site before making a purchase. This explained how I ended up getting that email. His user database had obviously been compromised.

I posted some info about this mess on a forum he hangs out on to make sure he knew what was happening and to get more info.

Here’s the skinny:

1. Homeboy hired an outside company to develop a bespoke chat solution for one of the sites sitting on that server.

2. Said company was given shell access to speed up the delivery of the product, etc.

3. A shoutcast server magically began running on the server – pushing 25Mbit of bandwidth.
Side note: The files had been removed so there was no shoutcast config. Once shoutcast has been started, it doesn’t require its own files in Linux to continue to run, so they were obviously removed in an attempt to hide it.

4. “[After discovering / removing the phishing setup] the files popped back [within seconds]… I then shut down pimpyaho.com, so the site physically wasn’t running… still the files came back. This meant the user HAD to have some sort of shell access.”

5. “Have now sorted the breach and made sure it can’t happen again. I can tell you that they managed to get hold of around 16,000 email addresses, however the [other site's user] database is up around 80k, so at least they didn’t get hold of that.”

Ouchness++

Yesterday, a metric ton of MySpace accounts were infected with yet another worm. As I predicted ten days ago, it was accomplished via a QuickTime embed. Visiting the profile of anyone infected would cause the navigation links across the top of your profile (Home | Browse | Search | Invite | etc…) to be replaced by fake navigation links which all linked to a spoof MySpace login page via some basic CSS and HTML added to your “About Me” section. And, the QuickTime embed was added to one of your “Interests” sections to further propagate this worm / phishing attack. At a glance, this looked like nothing more than that: a worm being used to phish MySpace passwords.

Read more…