Feb 08

The Mega-D botnet has overtaken Storm Worm as the world’s biggest purveyor of spam, according to Marshal. This news highlights the lax security on some social applications and networking sites - something you can help us defeat!

The Mega-D botnet has surpassed the infamous Storm Worm as the world’s largest source of spam, according to IT security company Marshal. Mega-D, which promotes male sexual enhancement pills such as Herbal King and VPXL, uses emails to trick people into installing the spam product. It now accounts for 32 per cent of all spam, Secure Computing reports.

It also uses news headlines to get people to open the spam, even using the recent death of Australian actor Heath Ledger as a hook. This tactic is similar to that used by the Storm Worm. “[Mega-D] probably started about four months ago and it’s been steadily increasing since then,” said Marshal’s Bradley Anstis.

“It is possible that the individuals behind the Storm botnet are responsible for one or more of these other botnets.” He added that Microsoft had done a good job with its malicious software removal tool that has helped to tackle the Storm Worm. Given the widespread nature of Microsoft’s software and their increasing acquisitions on the internet, it’s nice to see they’ve upped their game and their anti-malware is effective.

Meanwhile, it emerged last month that spam purveyor Sanford Wallace had made $555,000 through a scam on MySpace that pushed users through to porn and gambling sites controlled by Wallace.

While we realise Microsoft aren’t everyone’s favourite firm, compared to the likes of Facebook, Bebo and MySpace, at least they take their security seriously. For the benefit of all the online community, it’s totally worth fighting for better security on third party social applications and social networking sites or going white hat to help application developers to fix loopholes.

If you want to continue to enjoy the internet safe in the knowledge that your privacy isn’t being violated then we really need to encourage companies like Microsoft in this regard and rally round with initiatives like Stopbadware.org.

So how do we fight this together?

We’re just asking you to blog, talk, post on forums, write emails, ‘soft spam’ Facebook by getting all of your friends to set the same status – anything to raise awareness of the lack of privacy present on some social networks and to make it secure. In the words of the great Jerry Springer: “Take care of yourself, and each other.”

Jul 24

Federal agents obtained a court order on June 12 to send spyware called CIPAV to a MySpace account suspected of being used by the bomb threat hoaxster. Once implanted, the software was designed to report back to the FBI with the Internet Protocol address of the suspect’s computer, other information found on the PC and, notably, an ongoing log of the user’s outbound connections.

Screen snapshot of ‘timberlinebombinfo’ MySpace account

The suspect, former Timberline High School student Josh Glazebrook, was sentenced this week to 90 days in juvenile detention after pleading guilty to making bomb threats and other charges.

While there’s been plenty of speculation about how the FBI might deliver spyware electronically, this case appears to be the first to reveal how the technique is used in practice. The FBI did confirm in 2001 that it was working on a virus called Magic Lantern but hasn’t said much about it since. The two other cases in which federal investigators were known to have used spyware–the Scarfo and Forrester cases–involved agents actually sneaking into offices to implant key loggers.

An 18-page affidavit filed in federal court by FBI Agent Norm Sanders last month and obtained by CNET News.com claims details about the governmental spyware are confidential. The FBI calls its spyware a Computer and Internet Protocol Address Verifier, or CIPAV.

“The exact nature of these commands, processes, capabilities, and their configuration is classified as a law enforcement sensitive investigative technique, the disclosure of which would likely jeopardize other ongoing investigations and/or future use of the technique,” Sanders wrote. A reference to the operating system’s registry indicates that CIPAV can target, as you might expect given its market share, Microsoft Windows. Other data sent back to the FBI include the operating system type and serial number, the logged-in user name, and the Web URL that the computer was “previously connected to.”

News.com has posted Sanders’ affidavit and a summary of the CIPAV results that the FBI submitted to U.S. Magistrate Judge James Donohue.

There have been hints in the past that the FBI has employed this technique. In 2004, an article in the Minneapolis Star Tribune reported that the bureau had used an “Internet Protocol Address Verifier” that was sent to a suspect via e-mail.

But bloggers at the time dismissed it–in hindsight, perhaps erroneously–as the FBI merely using an embedded image in an HTML-formatted e-mail message, also known as a Web bug.

Finding out who’s behind a MySpace account
An interesting twist in the current case is that the county sheriff’s office learned about the MySpace profile–timberlinebombinfo–when the creator tried to persuade other students to link to it and at least one of their parents called the police. The sheriff’s office reported that 33 students received a request to post the link to “timberlinebombinfo” on their own MySpace pages.

In addition, the bomb hoaxster was sending a series of taunting messages from Google Gmail accounts (including dougbrigs@gmail.com) the week of June 4. A representative excerpt: “There are 4 bombs planted throughout Timberline High School. One in the math hall, library hall, and one portable. The bombs will go off in 5 minute intervals at 9:15 am.”

The FBI replied by obtaining account logs from Google and MySpace. Both pointed to the Internet Protocol address of 80.76.80.103, which turned out to be a compromised computer in Italy.

That’s when the FBI decided to roll out the heavy artillery: CIPAV. “I have concluded that using a CIPAV on the target MySpace ‘Timberlinebombinfo’ account may assist the FBI to determine the identities of the individual(s) using the activating computer,” Sanders’ affidavit says.

CIPAV was going to be installed “through an electronic messaging program from an account controlled by the FBI,” which probably means e-mail. (Either e-mail or instant messaging could be used to deliver an infected file with CIPAV hidden in it, but the wording of that portion of the affidavit makes e-mail more likely.)

After CIPAV is installed, the FBI said, it will immediately report back to the government the computer’s Internet Protocol address, Ethernet MAC address, “other variables, and certain registry-type information.” And then, for the next 60 days, it will record Internet Protocol addresses visited but not the contents of the communications.

Putting the legal issues aside for the moment, one key question remains a mystery: Assuming the FBI delivered the CIPAV spyware via e-mail, how did the program bypass antispyware defenses and install itself as malicious software? (There’s no mention of antivirus defenses in the court documents, true, but the bomb-hoaxster also performed a denial of service attack against the school district computers — which, coupled with compromising the server in Italy, points to some modicum of technical knowledge.)

One possibility is that the FBI has persuaded security software makers to overlook CIPAV and not alert their users to its presence.

Another is that the FBI has found (or paid someone to uncover) unknown vulnerabilities in Windows or Windows-based security software that would permit CIPAV to be installed. From the FBI’s perspective, this would be the most desirable: for one thing, it would also obviate the need to strong-arm dozens of different security vendors, some with headquarters in other countries, into whitelisting CIPAV. Earlier this week, News.com surveyed 13 security vendors and all said it was their general policy to detect police spyware. Some, however, indicated they would obey a court order to ignore policeware, and neither McAfee nor Microsoft would say whether they had received such a court order. The verbatim results of our survey are here.

Written by: Declan McCullagh

May 10

We have come to find out that this profile watcher is still on the loose. Do not use any profile watchers or trackers. All they will do is steal your MySpace login information and put a virus or spyware onto your computer. The safest bet is to not add untrusted code to your MySpace page. You never know who will try to abuse it.

If you have already downloaded and installed the Profile Watcher, you need to remove it immediately and then change your myspace password.

If you are having trouble removing it then try using a spyware solution or antivirus to run a scan for the remaining program.

Technical Information:
1. COVERT ANALYSIS OF: Profile Watcher

* File Names Used: 8
* Paths Used: 6
* Common File Name: MUBILY08.EXE
* Common Path: %CACHE%\CONTENT.IE5\????????\
* Vendor Information: ZeroPoint Search Solutions
* MUBILY08.EXE may use 8 or more path and file names; these are the most common:
* 1 :%DOCUMENTS%\PORN\PROFILEWATCHER_SETUP.EXE
* 2 :%DOCUMENTS%\PROFILEWATCHER_SETUP.EXE
* 3 :%DOCUMENTS%\PROGRAM DOWNLOADS\PROFILEWATCHER_SETUP.EXE
* 4 :%TEMP%\18ZO19OF.EXE
* 5 :%TEMP%\MUBILY08.EXE
* 6 :%TEMP%\QF0XP27P.EXE
* 7 :%TEMP%\YEGN7HV1.EXE
* 8 :?:\TEMP\6GBWBF4O.EXE
* File Name Structure: Common
* File and Path Structure: Suspicious, code execution from unusual location

2. RELATIONSHIP ANALYSIS OF: Profile Watcher

* No relationship details available for this object

3. ACTIVITY ANALYSIS OF: Profile Watcher

* The following behaviors have been observed for this object:
* Runs temporary programs.
* Runs other programs.
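The analysis above flags Profile Watcher mainly on where it runs from (%TEMP%, the IE cache folder, throwaway eight-character names) rather than on what it does. As an added example, not part of the original analysis, the Python below turns those listed indicators into a small triage check over a constructed list of running executables. The placeholder expansions (%TEMP%, %DOCUMENTS%, %CACHE%) and the sample process paths are assumptions; on a real machine they would come from the user's environment and process list.

```python
"""Added example (not from the original analysis): triage a list of running
executables against the Profile Watcher indicators listed above, i.e. known
file names, execution from %TEMP% / the IE cache, and throwaway 8-character
names. Placeholder expansions and the sample process list are constructed."""
import re
from dataclasses import dataclass, field

# Assumed expansions for the placeholders used in the listing above; on a real
# machine these would be read from the user's environment.
PLACEHOLDERS = {
    "%TEMP%": r"C:\Users\alice\AppData\Local\Temp",
    "%DOCUMENTS%": r"C:\Users\alice\Documents",
    "%CACHE%": r"C:\Users\alice\AppData\Local\Microsoft\Windows\Temporary Internet Files",
}

# Indicators taken directly from the listing.
KNOWN_NAMES = {"MUBILY08.EXE", "PROFILEWATCHER_SETUP.EXE"}
UNUSUAL_DIRS = [
    re.compile(r"\\TEMP\\", re.IGNORECASE),          # %TEMP% and X:\TEMP\
    re.compile(r"\\CONTENT\.IE5\\", re.IGNORECASE),  # IE cache folder
]
# 18ZO19OF.EXE, QF0XP27P.EXE, ...: eight alphanumerics plus an .EXE suffix.
RANDOM_NAME = re.compile(r"^[A-Z0-9]{8}\.EXE$", re.IGNORECASE)


@dataclass
class Finding:
    path: str
    reasons: list = field(default_factory=list)


def expand(path):
    """Replace the listing's %PLACEHOLDER% tokens with concrete directories."""
    for token, value in PLACEHOLDERS.items():
        path = path.replace(token, value)
    return path


def assess(path):
    """Return a Finding whose reasons explain why the path looks suspicious."""
    full = expand(path)
    name = full.rsplit("\\", 1)[-1]
    finding = Finding(full)
    if name.upper() in KNOWN_NAMES:
        finding.reasons.append("known Profile Watcher file name")
    if any(pattern.search(full) for pattern in UNUSUAL_DIRS):
        finding.reasons.append("executes from temp/cache location")
    if RANDOM_NAME.match(name):
        finding.reasons.append("random 8-character executable name")
    return finding


def triage(paths):
    """Keep only the suspicious entries, most reasons first."""
    findings = [assess(p) for p in paths]
    return sorted((f for f in findings if f.reasons),
                  key=lambda f: len(f.reasons), reverse=True)


# Constructed sample of running executables: four from the listing, two benign.
SAMPLE_PROCESSES = [
    r"C:\Windows\System32\svchost.exe",
    r"%TEMP%\MUBILY08.EXE",
    r"%DOCUMENTS%\PROFILEWATCHER_SETUP.EXE",
    r"%CACHE%\CONTENT.IE5\Q7K2M9ZX\MUBILY08.EXE",
    r"?:\TEMP\6GBWBF4O.EXE",
    r"C:\Program Files\Mozilla Firefox\firefox.exe",
]

if __name__ == "__main__":
    for finding in triage(SAMPLE_PROCESSES):
        print(finding.path, "->", "; ".join(finding.reasons))
```

A name match alone is weak (the installer can be renamed at will), so the location and random-name checks carry most of the weight; an executable that trips two or three of them at once is what the "code execution from unusual location" verdict above is really about.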

Feb 16

Profile Watcher Spam

I’m sure most of you have seen this either on comments or inside of bulletins. Either way, this is SPAM. When you click on it, you will be installing spyware onto your computer. MySpace Scams would suggest removing it immediately if you have already installed it.

Description of Profile Watcher:
Dubious application that purports to monitor MySpace accounts. Closely affiliated with Zango, the application has direct links to Zango videos under the “Cool Videos, Games, & More” tab. Any application that requires you to enter private credentials, as this one does, warrants a healthy dose of cautious scepticism.

Vendor
zpsearch.com

To remove:

Make sure that you have a spam blocker installed.

Dec 19

’Tis the season to receive Christmas cards, and a growing number of them, conveniently, will come via the internet.

There’s only one problem: some of the emails promising an e-greeting from a friend or family member may instead be from a scam artist intent on obtaining your bank or credit card information.

Stu Elefant, senior product manager for anti-virus company McAfee, says the danger is that at this time of year people are more likely to click on these greetings in their email inbox. “There is more cybercrime because people’s defences are down. They are in a more trusting mood, thanks to the holidays, and they are looking online for bargains,” he says.

Increasingly clever cybercrooks realise more people than ever will shop online this year, as well as seeking to save postage – and time – by emailing Christmas cards.

Christmas sales in the US are up 23 per cent, to about $10.63 billion, compared with a year ago, says Gian Fulgoni of ComScore Networks, which tracks web activity. Those figures are from November 1 to 24.

Christmas cybershopping will steadily increase over the next few weeks. But as more people turn to the internet for at least some of their holiday purchases – or simply for comparison shopping – more crooks are tracking their movements.

The average loss per phishing scam grew from $328 in 2005 to $1590 in 2006, according to a November report from research firm Gartner. Losses stemming from such attacks reached more than $3.5 billion this year, Gartner found.

In Australia, a scam was uncovered in late October by Exploit Prevention Labs that was perpetrated through e-greeting cards. According to a TechNewsWorld story, accounts at nearly every Australian bank were affected when a major cybercrime group used fake Yahoo greeting cards to infect computers with malicious software that tracked keystrokes on PCs. This so-called keylogger software was used to steal credit card numbers, bank account usernames and passwords.

Numerous computer users have noted a marked increase in e-card-based spam email lately. The subject line typically reads, “You’ve received a greeting from a family member” or “You’ve received an animated postcard”.

The text inside these phishing email messages asks people to “click here” to see the card. Phishing scams are an attempt to trick people into revealing personal information. If they click on these links, they could unwittingly download software used to separate users from their hard-earned cash.

Elefant warns people to only open messages from people they know. If in doubt, he warns, don’t open it.

Crooks are exploiting what security professionals like to call “social engineering”, Elefant says. Because humans are social beings, they’re more likely to open an email they think is from a friend or family member than something unfamiliar. “Social engineering is more prevalent this time of year because people want to click on an internet greeting card or get a better deal at a store online,” he says.

People also are helping the crooks more than before. The growth of social networking sites like Facebook, MySpace and even YouTube is helping cybercriminals target computer users. A crook may send a message to a user and write, “Hey, I saw your video at YouTube about skateboarding. If you want a new skateboard, come check out the deals at my site.”

Another reason for the online crime wave, according to the Harris survey, is that few people adequately secure their computers. The survey found that 74 per cent of people do not install a hardware firewall and 53 per cent don’t use a software firewall. Only 22 per cent had installed a proper suite of security software.

Oct 06

Subject: Bling Bling!!

Body: I have good news. I tried out this website and it is definantly worth your time. You get 15 free ringtones! That’s right, FREE!!! Give it a try, I don’t know how long they will be offering this.GET THEM NOW!

It appears that the link goes to a fake profile that redirects you to an image hosted at http://stupidtoad.com/free/

    Here is the spammer’s information, as provided by godaddy.com:

    Registered through: GoDaddy.com, Inc. (http://www.godaddy.com)
    Domain Name: STUPIDTOAD.COM
    Created on: 08-Apr-06
    Expires on: 09-Apr-07
    Last Updated on: 13-Aug-06

    Administrative Contact:
    Jenson, Allen a_jenson@hotmail.com
    3679 Sand Creek Rd
    Farmington, Missouri 63640
    United States
    (573) 747-9498

If you find your friends posting this, tell them to change their password on their profile. It was most likely hijacked. These posts may also be hosted at other sites. If you see one, let us know and we will get the word out.

Aug 06

 

OMG, Will Actually Work! 1 Million Dollars In One Days Work!

The above screenshot is the latest in MySpace spam bulletins. These have been appearing more and more. Usually the link you click on is a redirector link to an affiliate website. This, however, is not the worst part about the bulletin post. None of these bulletins are being posted by your MySpace friends. They are being posted by someone who hijacked their profile.

If you found that you or some of your friends have posted this bulletin, then change your password immediately or message your friends and tell them to change their password immediately as well.

Most likely they were somehow redirected to a MySpace phishing site set up to steal their password. Never enter your password on sites other than MySpace. Some sites may be set up to look like MySpace, so remember to always check for the MySpace URL in the address bar.

MySpace login url

Jun 05

Security watchers have discovered a phishing attack targeting users of MySpace, the social networking website. The attack comes in the form of a hyperlink sent to potential marks in an AOL instant messaging message.

Users who follow the link are taken to a bogus website that spoofs the MySpace.com login page. The ruse is designed to fool users into handing over account information to crooks. Surfers duped into handing over this information are subsequently forwarded to the real MySpace.com website.

According to net security firm WebSense, the fraudulent site also sets a “cookie on the victim’s computer, which prevents the phishing attack from being displayed on any subsequent visits”.

The MySpace phishing attack is another example of how online fraudsters are widening their sights beyond traditional targets, such as eBay and high street banks, alongside moves to develop more sophisticated scams.
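The Aug 06 post tells readers to always check for the MySpace URL in the address bar, and the post above describes a spoofed login page that forwards victims to the real site afterwards. "Check the URL" is sound advice, but it has to be done on the host the browser actually connects to, not on whatever text appears first in the address. As an added example that is not part of either original post, the Python below shows the check a defender or educator would write: it assumes myspace.com and its subdomains are the only legitimate hosts, and every sample URL is a constructed lookalike rather than an address from the page.

```python
"""Added example (not from the original posts): decide whether the URL in the
address bar really belongs to MySpace, handling the common ways a spoofed
login page disguises its host. The sample URLs are constructed lookalikes."""
from urllib.parse import urlparse

# Assumed: the legitimate site is myspace.com and its subdomains.
LEGIT_DOMAIN = "myspace.com"


def real_host(url):
    """Hostname the browser will actually connect to, or None if unusable."""
    parsed = urlparse(url)
    if parsed.scheme not in ("http", "https"):
        return None
    # .hostname drops the userinfo part, so 'login.myspace.com@evil.test'
    # correctly yields 'evil.test'; it also lowercases and strips the port.
    host = parsed.hostname
    return host.rstrip(".") if host else None


def is_legit_login_url(url):
    """True only when the real host is myspace.com or a subdomain of it."""
    host = real_host(url)
    if host is None:
        return False
    # endswith('.' + domain) stops 'phishmyspace.com' from passing.
    return host == LEGIT_DOMAIN or host.endswith("." + LEGIT_DOMAIN)


def explain(url):
    """Short verdict suitable for a user-facing warning."""
    host = real_host(url)
    if host is None:
        return "rejected: not an http(s) URL"
    if is_legit_login_url(url):
        return "ok: host is " + host
    authority = url.split("://", 1)[-1].split("/", 1)[0]
    if "@" in authority:
        return "phish: text before '@' is a username, real host is " + host
    if LEGIT_DOMAIN in host:
        return "phish: lookalike host " + host
    return "phish: unrelated host " + host


# Constructed sample URLs: two genuine forms, four disguises.
SAMPLE_URLS = [
    "http://www.myspace.com/",
    "https://login.MySpace.com/index.cfm",
    "http://login.myspace.com@198.51.100.7/login",
    "http://www.myspace.com.login-check.example/",
    "http://myspace.com-profile.example/",
    "ftp://files.example/",
]

if __name__ == "__main__":
    for url in SAMPLE_URLS:
        print(url, "->", explain(url))
```

The two disguises that matter most are the userinfo trick (the familiar name sits before an `@`, so the browser connects to what follows it) and the suffix trick (the familiar name is only the left part of a longer, attacker-owned host). Both survive a casual glance at the address bar, which is why the check parses the URL instead of searching it for the string "myspace.com".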