Tuesday, November 20, 2007

Large Scale MySpace Phishing Attack

In need of a "creative phishing campaign of the year"? Try this, perhaps the largest phishing attack spoofing MySpace and collecting all the login details at a central location, that's been active for over a month and continues to be. A Chinese phishing group have come up with legitimate looking MySpace profiles (profile.myspace.com) in the form of subdomains at their original .cn domains, and by doing so achieve its ultimate objective - establish trust through typosquatting, remain beneath the security vendors radar by comment spamming the URLs inside MySpace, and obtain the login details of everyone who got tricked.

Key points :

- all of the participating domains are using identical DNS servers, whereas their DNS records are set to change every 3 minutes

- each and every domain is using a different comment spam message, making it easy to assess the potential impact of each of them

- the URLs are not spammed like typical phishing emails, but comment spammed within MySpace by using legitimate accouts, presumably once that have already fallen victim into the campaign, and mostly to remain beneath the radar of security vendors if the URLs were spammed in the usual manner

- all of the URLs are the subdomains are currently active, and the login details get forwarded to a central location 319303.cn/login.php

This how the fake MySpace login looks like on the fake domains/subdomains :
(form action = "http://319303.cn/login.php" method = "post" name = "theForm" id = "theForm)

This is how the real MySpace login looks like :
(form action = "http://secure.myspace.com/index.cfm?fuseaction=login.process" method = "post" id = "LoginForm")

Sample MySpace phishing URLs from this campaign :


Ten sample Chinese domains participating in the phishing attack, returning the MySpace spoof at the main index and the subdomains :


Assessing the comment messages used on ten phishing domains for internal comment spamming at MySpace :

370913.cn - "haha i cant believe we went to high school with this girl"
978bg33.cn - "sometimes i cannot believe the pics people put on their myspaces"
982728.cn - "I cannot believe this freaking whore would put pics like that on her myspace page.. how trashy.."
977y62.cn - "did you see what happened? OMG you gotta see Mike's profile."
125723.cn - "did you see what happened? OMG you gotta see Mike's profile."
pckeez.cn - "can you believe we went to highschool with this chick?"
pcc2ekxz.cn - "can't believe a 18 year old chick would put half-nude pics on myspace. whore alert."
arutncbt.cn - "wow her brother is gonna be so pissed when he sees the pictures she put on her myspace"
125723.cn - "Did you hear what happened Omg you gotta see the profile.. So sad!"
109820.cn - "sometimes i just cannot believe the pics that people put on their myspaces LMAO!"

The campaign is surprisingly well thought of. If they were spamming the phishing URLs, security vendors would have picked it up immediately and its lifetime would have been much shorter compared to its current one. The phishers aren't sending emails asking people to login to MySpace via profile.myspace.com.random_digits.cn for instance, instead they're spamming inside MySpace by posting comments prompting users to click further using the phrase "haha i cant believe we went to high school with this girl". It gets even more interesting, compared to the common logic of them having to register fake accounts and posting the comments by using them, in this case, the three sample comments posted on Nov 2 2007 11:22 AM; Nov 4 2007 1:02 PM ; Nov 5 2007 8:47 AM; Nov 5 2007 9:33 PM, are all posted by legitime users, well from legitimate users' accounts in this case. How huge is this? Over 378,000 results for the campaign under this phrase keeping in mind that people embed their MySpace profiles at their domains, and 128,000 instances of a sample phishing domain (370913.cn) at MySpace.com itself. This is for one of the phishing domains only.

Now if that's not enough to disturb you, each and every of the .cn domains are resolving to what looks like U.S based hosts only that will change every 3 minutes. Not necessarily as dynamic as previously discussed fast-flux networks, but these are worth keeping an eye on :


Here are some central DNS servers that all the .cn domains use :


I'll leave the data mining based on these patterns to you, what's important is that the URLs are still serving spoofed MySpace front pages, with the only downsize that they cannot sucessfully load MySpace's videos, and don't provide any SSL authentication, which I doubt have prevented lots of people from falling victims into it.

Does all the data lead us to conclude that this could be the most "creative phishing campaign of the year"? Let's have it offline first.