Archive for the ‘Spam’ Category

Porn Site Hacked, 16K Emails Snatched, Epic Fail at PayPal Phishing Attempt

January 27th, 2008 LoLo 1 comment

Friday morning I got an interesting email…

[Image: the PayPal phishing email]

Looks like a typical phishing email, right? Sure. There were two things that got my attention though…

1. It got through Gmail’s spam filter.
2. The link went to PayPal’s real login page. WTF?

Usually, a phishing email will use the correct address as the anchor text of a spoof log-in page link. Simply mousing over such a link reveals the true link in your status bar though. So, it’s fairly easy even for a novice computer user to spot as BS.

Example:
https://www.paypal.com/cgi-bin/webscr?cmd=_login-run

Viewing the source code of the original email revealed an epic fail.

<a class="Style5 Style2"
onmouseover="window.status='https://www.paypal.com/cgi-bin/webscr?cmd=_login-run'; return true" onmouseout="window.status=''" target="_blank" href="http://pimpyaho.com/functions/us/"> <font size=3D"2">https://www.paypal.com/cgi-bin/webscr?cmd=3D_login-run</font></a> </font>

The above shows that this retard was trying the old “use JavaScript to make the status bar display whatever you want” trick. Too bad for this idiot, modern email clients filter JavaScript. In both Gmail and Yahoo that code ended up looking like the below.

<a href="http://pimpyaho.com/functions/us/" target="_blank"><font size="2"></font></a>
<font size="2"><a href="https://www.paypal.com/cgi-bin/webscr?cmd=_login-run" target="_blank">https://www.paypal.com/cgi-bin/webscr?cmd=_login-run</a>

[Image: Epic Fail]

So, the link ended up pointing to the real PayPal login. Epic fail, indeed.
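As an added example (not code from the original post), here is a small defender-side check that reproduces what the mail clients caught: it decodes the quoted-printable source, parses every anchor, and flags the two tells described above, visible URL text whose host differs from the real href, and an onmouseover handler that rewrites window.status. The two HTML samples are constructed from the snippets quoted in the post; only the Python standard library is used.

```python
import quopri
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample (copied from the post): raw quoted-printable anchor, "=3D" is an encoded "=".
RAW_PHISH = b"""<a class="Style5 Style2"
onmouseover="window.status='https://www.paypal.com/cgi-bin/webscr?cmd=_login-run'; return true" onmouseout="window.status=''" target="_blank" href="http://pimpyaho.com/functions/us/"> <font size=3D"2">https://www.paypal.com/cgi-bin/webscr?cmd=3D_login-run</font></a>"""

# Constructed sample: the same markup after Gmail/Yahoo stripped the event handlers.
FILTERED = b"""<a href="http://pimpyaho.com/functions/us/" target="_blank"><font size="2"></font></a>
<font size="2"><a href="https://www.paypal.com/cgi-bin/webscr?cmd=_login-run" target="_blank">https://www.paypal.com/cgi-bin/webscr?cmd=_login-run</a>"""


class LinkAudit(HTMLParser):
    """Collect each <a>: its href, its visible text, and whether it rewrites window.status."""
    def __init__(self):
        super().__init__()
        self.links = []
        self._open = None

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            a = dict(attrs)
            self._open = {"href": a.get("href") or "", "text": "",
                          "status_spoof": "window.status" in (a.get("onmouseover") or "")}

    def handle_data(self, data):
        if self._open is not None:
            self._open["text"] += data.strip()

    def handle_endtag(self, tag):
        if tag == "a" and self._open is not None:
            self.links.append(self._open)
            self._open = None


def audit_links(raw_html: bytes):
    """Decode quoted-printable, then flag anchors whose shown URL or status text hides the real host."""
    parser = LinkAudit()
    parser.feed(quopri.decodestring(raw_html).decode("utf-8", "replace"))
    parser.close()
    findings = []
    for link in parser.links:
        reasons = []
        href_host = urlparse(link["href"]).hostname
        # Only compare hosts when the visible text itself looks like a URL.
        shown_host = urlparse(link["text"]).hostname if link["text"].startswith(("http://", "https://")) else None
        if shown_host and href_host and shown_host != href_host:
            reasons.append(f"visible text says {shown_host} but href goes to {href_host}")
        if link["status_spoof"]:
            reasons.append("onmouseover rewrites window.status (status-bar spoofing)")
        findings.append({"href": link["href"], "suspicious": bool(reasons), "reasons": reasons})
    return findings
```

Run against RAW_PHISH the single anchor is flagged on both counts; against FILTERED neither anchor is flagged, and the second one really does point at www.paypal.com, which is exactly the epic fail the post describes.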

Digging further, I saw that the phishing page he intended to send people to was on a porn site. The site is part of a lucrative network owned by a guy whom I made an ad buy from in the past. His ad system requires a person to sign up as a regular member of his site before making a purchase. This explained how I ended up getting that email. His user database had obviously been compromised.

I posted some info about this mess on a forum he hangs out on to make sure he knew what was happening and to get more info.

Here’s the skinny:

1. Homeboy hired an outside company to develop a bespoke chat solution for one of the sites sitting on that server.

2. Said company was given shell access to speed up the delivery of the product, etc.

3. A shoutcast server magically began running on the server – pushing 25Mbit of bandwidth.
Side note: The files had been removed so there was no shoutcast config. Once shoutcast has been started, it doesn’t require its own files in Linux to continue to run, so they were obviously removed in an attempt to hide it.

4. “[After discovering / removing the phishing setup] the files popped back [within seconds]… I then shut down pimpyaho.com, so the site physically wasn’t running… still the files came back. This meant the user HAD to have some sort of shell access.”

5. “Have now sorted the breach and made sure it can’t happen again. I can tell you that they managed to get hold of around 16,000 email addresses, however the [other site's user] database is up around 80k, so at least they didn’t get hold of that.”

Ouchness++

Categories: Hacking, Phishing, Spam

FDKE: Pump and Dump Stock Fraud Currently In Progress

September 5th, 2007 LoLo 17 comments

That’s right kiddos, “Pump and Dump” is used to describe more than the ageless mating practice enjoyed by alpha males. It’s also used to describe a form of Microcap stock fraud. In both scenarios: people are sold a dream, fucked, and then left standing there with sad looks on their faces.

On Sunday afternoon I was helping my cousin and her husband move when her friend walked up talking about a bunch of crazy text messages she had gotten on her cell phone. Being the ex douche bag that I am, I was singled out to explain what was going on. The messages were written to appear as if they had been sent to the wrong person with a juicy (insider?) tip on a penny stock that was about to skyrocket in price. This is the Pump side of a Pump and Dump. Someone looking to manipulate (*cough* *cough* defraud) the market can artificially inflate a stock by as much as tenfold with relative ease. They simply have to get a ton of people to buy the hell out of it within a short period of time.

How the hardcore guys did this back in the day:

1. Buy a metric assload (literal translation: whole bunch) of any random penny stock.
2. Rent some temporary office space with a bunch of phone lines and set up a telemarketing operation.
3. All the cohorts would sit around calling residential numbers during business hours in hopes of getting answering machines. If someone answered: “Whoops, wrong number”. If they got a machine, they’d lay down one of several scripted voice mails that carried the same message: stock XYZ is going to explode on [whatever date].

Example:
“Hey Jim, Bobby again. It’s a Go on XYZ the 19th of this month. I just dropped 50k into that puppy. Our friend at the FDA said that their cholesterol pill is going to get the green light for sure. We’re in the know ahead of the company, even. This is going to be huge.”

4. After leaving thousands upon thousands of these fake insider tips on people’s answering machines the stock would jump up in price because of all the people buying it based on the bogus tips. Before the magical day when the stock is supposed to skyrocket, the evil evil bad bad people sell (dump) all of theirs for big profits before the stock levels out to its actual worth.
5. The people who bought the stock based on bogus insider tips are left with sad looks on their faces and are reluctant to report anything to law enforcement. No one likes admitting to being suckered. And, it was “illegal insider info” they were acting on – not something you want to tell police about.

Think I’m bullshitting about this not being rocket science? About seven years back, a freaking 15-year-old kid got fined over 250k by the Securities and Exchange Commission for such stuff. Even after that spanking from the SEC, Jonathan Lebed was sitting on 500k in profits from two years of shady stock manipulating.

Back to this current Pump and Dump hustle…

Read more…

Categories: Fraud, Spam

MySpace ‘Profile Watcher’ comment spam and some other stuff…

May 16th, 2007 LoLo 2 comments

[Image: MySpace Profile Watcher comment spam]

The not-so-cute image to your left has been spammed all over MySpace via comments for months now. It’s generally posted from legit accounts that have been phished. And, it’s hyperlinked to a php file that prompts a person to download a payload of evilness when clicked. My buddy PaperGhost has dissected this toad three times now. Why three times? Asshats like to change up the payloads of poo they’re spreading from time to time. Zango and all sorts of other craptastic (technical term for “Evil Evil Bad Bad”) stuff has been bundled in this download every time. As an added bonus, it has a neat little thing built into it to phish your MySpace account info so it can spam itself from your account.

Bottom line: When you see it, you should “Run, Forrest! Runnnn!”.

PaperGhost’s latest dissection:
ProfileWatcher: The Saga Continues

Random tidbit:
The Department of Defense started blocking access to a ton of social networking sites and whatnot. So, our boys and girls over in that dreaded sandbox can no longer visit MySpace, YouTube, etc… They claim that this is being done due to bandwidth (money) and network security issues. That’s obviously a big load of BS. Sean from SocialHam.com summed it up pretty well.

Safeguards are important to protect our troops; however, it’s pretty clear they are also concerned about stopping the next Abu Ghraib picture/video leak

~ SocialHam.com

Protect our troops? Yeah, that’s the big one in my eyes. The DoD would have been shunned as assholes if they stated the obvious though… Yes, it’s inevitable that one of our troops would have pulled a retarded Geraldo Rivera move on YouTube or elsewhere.

“Hey Mom, we’re going to raid that little village over there tomorrow. Wish me luck!!!1”

I told you so:
Really, I did. From a recent post of mine on MySpace:

Will there still be spam on here?
Yup. You can expect a lot more spam profiles and messages with the whole “You’re Cute!!! My MSN and AIM name is WebCamDoubleDD, hit me up sum time”. So, you can all have more hot sex talk with bots about monkeys.

Read more…

Categories: Adware, MySpace, Spam

Spam Sent From Tom’s MySpace Account

May 3rd, 2007 LoLo 3 comments

Last night The X-Generation of Smileys messaged me with what I assumed to be total BS / lameness…

Check this out, there’s a profile with a Gucci bag spam comment from Tom.

I’ve seen fake Tom comments, bulletins, blog entries, and forum posts on MySpace a zillion times. The better ones use various CSS / HTML hackery to make his avatar link back to his real profile and everything. So, it’s not uncommon for MySpace users to think that spam is being posted from Tom Anderson’s real account. The guy who sent that message over isn’t an eTard though, so I checked out the profile in question via the blog that first posted the link.

After looking over the source of that page, I can assure you that the comment spam was posted from Tom’s real account.

Read more…

Categories: MySpace, Spam

Hot or Not Revamped: Script Kiddies and Spammers Paradise

May 2nd, 2007 LoLo 21 comments

Jim and James over at HotOrNot.com just made some major changes…

Just wanted to drop you a note to let you know that we’ve made HOTorNOT free! You no longer need to buy a star membership in order to write your double matches ;)

We’ve made a lot of changes to the site recently and much more is in the works. So if you haven’t been on in a while, log back in and check it out!

The free as in beer thing was inevitable with all the social networking sites now. The only surprise was that it didn’t happen sooner. The “lot of changes” line piqued my interest enough to log in to see what was up though. That’s where I found the huge surprise: a site finally managed to be less secure than MySpace. Seriously, it’s that bad. The new Hot or Not is wide open to massive spam campaigns, XSS worms, and all sorts of tomfoolery. It is nothing short of being the Script Kiddies and Spammers Paradise of the moment.

After giving myself a two-minute self-tour, this is what I discovered and was able to do:

The “lot of change” that opened the flood gates is their new “Super Profiles”. There’s nothing really super about them. They are just profile pages with some extremely basic social networking features. Just like in MySpace Land, the user customization is where it gets ugly.

Read more…

Categories: Code, Hacking, Spam, Worms