<![CDATA[[SecurityRatty] tag: myspace]]>

<![CDATA[[SecurityRatty] tag: myspace]]> http://securityratty.com/tag/myspace Fri, 01 Aug 2008 06:51:19 +0000 iRatty Engine http://blogs.law.harvard.edu/tech/rss <![CDATA[Facebook Malware Campaigns Rotating Tactics]]> http://securityratty.com/article/62296c3643a587ae28183112d47c0996 http://securityratty.com/article/62296c3643a587ae28183112d47c0996

Trust is vital, and coming up with ways to multiply the trust factor is crucial for a successful malware campaign spreading across social networks. Excluding the publicly available malware modules for spreading across popular social networking sites, using the presumably, already phished accounts for the foundation of the trust factor, the recent malware campaigns spreading across Facebook and Myspace are all about plain simple social engineering and a combination of tactics.

However, in between combining typosquatting and on purposely introducing longer subdomains impersonating a web application's directory structure, there are certain exceptions. Like this flash file hosted at ImageShack and spammed across Facebook profiles, which at a particular moment in the past few days used to redirect to client-side exploits served on behalf of a shady affiliate network that's apparently geolocating the campaigns based on where the visitors are coming from.

img228.imageshack .us/img228/3238/gameonit4.swf redirects to ermacysoffer .info - (216.52.184.243) and to tracking.profitsource .net (67.208.131.124) that's also responding to p223in.linktrust .com (67.208.131.124). Just for the record, we also have halifax-cnline.co.uk parked at 216.52.184.243, 69.64.145.229 and 69.64.145.229, known badware IPs related to previous fraudulent activity.

Moreover, cross-checking this campaign with another Facebook malware campaign enticing users to visit whitneyganykus.blogspot .com where a javascript obfuscation redirects to absvdfd87 .com and from there to the already known tracking.profitsource .net/redir.aspx?CID=9725&AFID=28836&DID=44292, and given that absvdfd87.com is parked at the now known 69.64.145.229, we have a decent smoking gun connecting the two campaigns.

Facebook is often advising that users stay away from weird URLs, does this mean ignoring ImageShack and Blogspot altogether? The next malware campaign could be taking advantage of DoubleClick and AdSense redirectors - for starters.

]]> Wed, 27 Aug 2008 06:04:51 +0000 malware campaign successful malware campaign facebook facebook malware campaign campaigns campaign campaigns based trust factor trust Facebook Malware Campaigns Rotating Tactics <![CDATA[Myspace Cracker Steals Firefox Passwords]]> http://securityratty.com/article/1a4072a96ea8dd94eda6fa2169ef914f http://securityratty.com/article/1a4072a96ea8dd94eda6fa2169ef914f

....then you might want to think again, on account of it not being quite what it seems. This "cracking tool" is only after one persons details: yours. Run it, and you'll see the following (somewhat bizarre) message, which should be your first clue that all is not quite right here:

At this point, your CD tray may well pop open - perhaps in tribute to the Trojans of old that did pretty much the same thing. At any rate, you're certainly not cracking any Myspace accounts, and after a faint grinding from your PC you're left to sit and stare at your desktop, wondering what went wrong. Here's a clue - have a poke around inside the EXE, and some lines of code will likely start to give the game away:

..."Firefox password grabber"? Oh dear.

The observant end-user will notice a .txt file appears on their C Drive, and itcontains all the stored passwords saved via Firefox on their computer:

Click to Enlarge

As you can see, the bad guys here seem to be exploiting a well known password recovery tool for nefarious purposes - in this case, Firepassword. You're probably wondering what happens with the stored login details at this point - well, do some more digging in the code and you'll see this:

Click to Enlarge

The stolen Firefox passwords are sent to an FTP drop set up by the hacker, and every login you had stored in Firefox at that point is immediately at risk. Of course, if you're foolish enough to play around with hacking tools then there's a good chance you're going to get burned sooner or later...

We detect this as FoxPass.

]]> Tue, 26 Aug 2008 14:49:03 +0000 firefox firefox passwords myspace tool myspace accounts firefox password grabber password recovery tool ftp drop set login details Myspace Cracker Steals Firefox Passwords <![CDATA[Researcher Web sites to access bank accounts]]> http://securityratty.com/article/bb74189e58aab3406fc79eacf7487000 http://securityratty.com/article/bb74189e58aab3406fc79eacf7487000 Sun, 24 Aug 2008 20:00:00 +0000 site myspace popular social maternal grandparents recent google variations person terms results Researcher Web sites to access bank accounts <![CDATA[Internal Network Threat Encyclopedia]]> http://securityratty.com/article/6b9c7c33e5616ba64bf9474f4533c161 http://securityratty.com/article/6b9c7c33e5616ba64bf9474f4533c161 The Internal Threat Encyclopedia contains both shady and clearly legitimate software that is subject to abuse. For instance, you'll find Laplink and Timbuktu in there, both straight-up remote control programs. The top 5 internal threats, according to the encyclopedia, includes (today) Google Talk, Skype and MySpace. These applications are well known for sure, but the encyclopedia entries are a handy collection of the problems each can cause. It could be useful if you need to explain why you're setting rules against one of them.]]> Thu, 21 Aug 2008 11:39:04 +0000 encyclopedia internal threat encyclopedia internal threats encyclopedia entries handy collection google talk timbuktu laplink rules Internal Network Threat Encyclopedia <![CDATA[Dont click that link, think first.]]> http://securityratty.com/article/00f591f7bb48f5a7e02e423f7c206f30 http://securityratty.com/article/00f591f7bb48f5a7e02e423f7c206f30 If the links not from someone you trust, dont click it!

clipped from it.toolbox.com

New Social Malware hits the street

As social malware goes, this is a good delivery mechanism for getting people to click on links. Most of us have learned that clicking on links from people who you do not know is generally not a good idea. Spinning up the social aspect of malware delivery, using MySpace and Facebook friends should result in a better penetration of the malware because we are used to clicking on links from our friends.

]]> Wed, 20 Aug 2008 21:15:43 +0000 malware social malware hits malware delivery social malware links click friends facebook friends social aspect Dont click that link, think first. <![CDATA[Facebook Attacked By Viral Social Networking Spam From China]]> http://securityratty.com/article/f5d91dbb95f1d40eb6b47c52ab1b76d9 http://securityratty.com/article/f5d91dbb95f1d40eb6b47c52ab1b76d9 Wed, 20 Aug 2008 06:42:33 +0000 facebook recent facebook facebook attacks websense websense security labs honeyjax system recently attack starts althoughh attacks time Facebook Attacked By Viral Social Networking Spam From China <![CDATA[Marketing Bot Allows Insertion of Custom Facebook Feed Messages]]> http://securityratty.com/article/41ee202ac244db0ab82c0ff056faa4a7 http://securityratty.com/article/41ee202ac244db0ab82c0ff056faa4a7

Click to Enlarge

Effectively, it takes bits and pieces of all the smaller feeds and rolls them into one. However, imagine instead of the above in your feed, you see something like this:

Click to Enlarge

Those are customised messages inserted into your feed - and there's a good chance everyone on your Friends list will see it on their own feed when they login to Facebook.

This would happen because someone has made a Bot for Facebook that allows you to insert your own custom message / image / clickable link into your Facebook feed. I've no idea if this is against the Facebook Terms of Service or not, but I can only imagine the chaos that would ensue if someone purchases this application then decides to use it for nefarious purposes. It's being promoted as a sales / marketing tool, but from a security standpoint it seems potentially disastrous.

If a bad actor buys their own Bot, imagine the Myspace-style spam campaigns that could take place...everything from malicious URLs to obnoxious flashing banners could be the order of the day. At the very least, one would hope the makers of this Bot have some quality control going on with regards Bot owners. More here.

/ Hat-tip to LoLo

]]> Mon, 11 Aug 2008 09:26:48 +0000 feed facebook feed facebook bot facebook news feed facebook terms bot owners friend list myspace-style spam campaigns Marketing Bot Allows Insertion of Custom Facebook Feed Messages <![CDATA[Phishers Backdooring Phishing Pages to Scam One Another]]> http://securityratty.com/article/6ccaae3434fe8c6502ba9a6fc0cfb3e0 http://securityratty.com/article/6ccaae3434fe8c6502ba9a6fc0cfb3e0

There seems to be no such thing as a free phishing page these days, with phishers scamming one another at an alarming rate according to a recently published research entitled "There is No Free Phish:An Analysis of “Free” and Live Phishing Kits".

Cybercriminals attempting to scam other cybercriminals has been happening for years, with old school cases where backdoored malware tools such as crypters and binders are offered for free, or a newly released RAT whose client is in fact infected with a third-party malware. Realizing and definitely not enjoying the fact that the lowered entry barriers into cybercrime are empowering yesterday's script kiddies will malware kits that used to be utilized by a set of people who invested time and money into the process several years ago, this unethical competitive practice is only going to get more common. Backdooring phishing pages is one thing, backdooring entire web malware exploitation kits, next to the possibility to remotely exploit a competitor's command and control server is entirely another :

"Taking a more strategic approach, a cybercriminal wanting to scam another cybercriminal would backdoor a highly expensive web malware exploitation kit, then start distributing it for free, and in fact, there have been numerous cases when such kits have been distributed in such a fraudulent manner. The result is a total outsourcing of the process of coming up with ways to infect hundreds of thousands of users though client side exploits embedded or SQL injected at legitimate sites, and basically collecting the final output - the stolen E-banking data and the botnet itself."

What's to come in the long term? Why just backdoor the phishing page, when you can embedd it with a live exploit URL in an attempt to both, infect the cybercriminal about to use and obtain all of the already stolen virtual assets has has already stolen, and also, have a third-party maintain a blended attack campaign without even knowing it.

Related posts:
Phishing Campaign Spreading Across Facebook
Phishing Pages for Every Bank are a Commodity
RBN's Phishing Activities
Inside a Botnet's Phishing Activities
Large Scale MySpace Phishing Attack
Update on the MySpace Phishing Campaign
MySpace Phishers Now Targeting Facebook
MySpace Hosting MySpace Phishing Profiles
DIY Phishing Kits
DIY Phishing Kit Goes 2.0
PayPal and Ebay Phishing Domains
Average Online Time for Phishing Sites
The Phishing Ecosystem
Assessing a Rock Phish Campaign
Taking Down Phishing Sites - A Business Model?
Take this Malicious Site Down - Processing Order..
209 Host Locked
209.1 Host Locked
66.1 Host Locked
Confirm Your Gullibility
Phishers, Spammers and Malware Authors Clearly Consolidating
The Economics of Phishing

]]> Thu, 07 Aug 2008 11:01:50 +0000 phishers myspace phishers campaign myspace rock phish campaign free phish free kits attack Phishers Backdooring Phishing Pages to Scam One Another <![CDATA[The Twitter Malware Campaign Wants to Bank With You]]> http://securityratty.com/article/0a86c9e6b40c8995b8c3f84a2d12480a http://securityratty.com/article/0a86c9e6b40c8995b8c3f84a2d12480a

In what appears to be a lone gunman malware campaign -- where the malware spreader even left his email address within the binary - the now down Twitter malware campaign managed to attract only 69 followers before it has shut down, using a trivial approach for launching an XSS worm - Cross-site request forgery (CSRF). More info :

"This week it’s Twitter’s turn to host an attack - one that is targeting both Twitter users and the Internet community at large. In this case it's a malicious Twitter profile twitter.com/[skip]/ with a name that is Portuguese for ‘pretty rabbit’ which has a photo advertising a video with girls posted.

This profile has obviously been created especially for infecting users, as there is no other data except the photo, which contains the link to the video. If you click on the link, you get a window that shows the progress of an automatic download of a so-called new version of Adobe Flash which is supposedly required to watch the video. You end up with a file labeled Adobe Flash (it’s a fake) on your machine; a technique that is currently very popular."

Let's analyze the campaign before it was shut down. The original Twitter account used twitter.com/video_kelly_key basically included a link to player-video-youtube.sytes.net (204.16.252.98) which was using a URL shortening service fly2.ws/NilOMN3 in order to redirect to the banker malware located at freewebtown.com/construimagens/ Play-video-youtube.kelly-key.com. It's detection rate is as follows :

Scanners Result: 14/36 (38.89%)
Trojan-Spy.Win32.Banker.caw
File size: 88064 bytes
MD5...: 25600af502758ca992b9e7fff3739def
SHA1..: 9262ca501ef388e0fe42c50a3d002ddbd6e254f2

Twitter isn't an exception to the realistic potential for XSS worms though CSRF that could affect each and every Web 2.0 service, which as a matter of fact have all suffered such attempts, namely, Orkut, MySpace (as well as the QuickTime XSS flaw), GaiaOnline, Hi5, and most recently the XSS worm at Justin.tv, demonstrate that trivial vulnerabilities come handy for what's to turn into a major security incident if not taken care of promptly.

Related posts:
XSS The Planet
XSS Vulnerabilities in E-banking Sites
The Current State of Web Application Worms
g0t XSSed?
Web Application Email Harvesting Worm

]]> Tue, 05 Aug 2008 03:14:42 +0000 twitter twitter malware campaign xss xss vulnerabilities original twitter account xss worms xss worm twitter users worm The Twitter Malware Campaign Wants to Bank With You <![CDATA[MySpace And Facebook Users Targeted By New Worms]]> http://securityratty.com/article/4d809174d365be423426ff372787f924 http://securityratty.com/article/4d809174d365be423426ff372787f924 Fri, 01 Aug 2008 06:51:19 +0000 facebook users myspace worms kaspersky lab reports attack myspace net-worm worm zombie computers form botnets MySpace And Facebook Users Targeted By New Worms