The Whitehouse.org Serving Malware

The Whitehouse.org a parody site of the original Whitehouse.gov is serving malware. From TrendMicro's blog :

"According to Trend Micro Advanced Threats Researcher David Sancho, whitehouse.org has been compromised to harbor some malicious, obfuscated JavaScript code which “background downloads” code to unsuspecting visitors of the site, where a malicious file is downloaded (which is detected by Trend Micro as TROJ_DELF.GKP ). Of course, the official White House Web site is whitehouse.gov, and although it has been reported that some people believe whitehouse.org is the real deal, even those looking for this site specifically should be forewarned."

The malicious domain embedded within the site ad.ox88.info/13.htm (67.15.212.150) is using Mal/ObfJS-AP/Exploit:HTML/AdoStream to serve the malware, whereas the domain itself is using DNS servers known to provide service to malicious domains from previous malware embedded attacks that I've been assessing. Continue reading →

Pro-Serbian Hacktivists Attacking Albanian Web Sites

The rise of pro-kosovo web site defacement groups was marked in April, 2008, with a massive web site defacement spreading pro-kosovo propaganda. The ongoing monitoring of pro-kosovo hacktivists indicates an ongoing cyberwar between pro-serbian supporting hacktivists successfully defacing Albanian sites, and building up capabilities by releasing a list of vulnerable Albanian sites (remote SQL injections for remote file inclusion, defacements or installing web shells/backdoors) to assist supports into importing the list within their do-it-yourself web site defacement tools.

Go through the complete post - Pro-Serbian hacktivists attacking albanian web sites.

Related posts:

Hacktivism Tensions

Hacktivism Tensions - Israel vs Palestine Cyberwars

Mass Defacement by Turkish Hacktivists

Overperforming Turkish Hacktivists

Continue reading →

Fake PestPatrol Security Software

Continuing the rogue security software series I've just stumbled upon a fake PestPatrol site - pest-patrol.com (85.255.121.181) hosted at the the RBN connected Ukrtelegroup Ltd (85.255.112.0-85.255.127.255 UkrTeleGroup UkrTeleGroup Ltd. 27595 ASN ATRIVO), just like the majority of sites assessed in previous posts.

Where's the malware at pest-patrol.com? In one of these anecdotal cases, the way the people behind these rogue sites use the same template over and over again, and consequently forget to change the rogue software's name, in this case, not only is pest-patrol.com's mail server responding to antispycheck.com, but they've also uploaded a broken template. Continue reading →

All You Need is Storm Worm's Love

The Storm Worm malware launched yet another spam campaign promoting links to malware serving hosts, in between a SQL injection related to Storm Worm.

These are Storm Worm's latest domains where the infected hosts try to phone back :

cadeaux-avenue.cn (active)
polkerdesign.cn (active)
tellicolakerealty.cn (active and SQL injected at vulnerable sites)
Administrative Email for the three emails : glinson156 @ yahoo.com

Related DNS servers for the latest campaign :

ns.orthelike.com
ns2.orthelike.com
ns3.orthelike.com
ns4.orthelike.com
ns.likenewvideos.com
ns2.likenewvideos.com
ns3.likenewvideos.com
ns4.likenewvideos.com

Storm Worm related domains which are now down :

centerprop.cn
apartment-mall.cn
stateandfed.cn
phillipsdminc.cn
apartment-mall.cn
biggetonething.cn
gasperoblue.cn
giftapplys.cn
gribontruck.cn
ibank-halifax.com
limpodrift.cn
loveinlive.cn
newoneforyou.cn
normocock.cn
orthelike.com
supersameas.com
thingforyoutoo.cn

One of the domains that is injected as an iFrame is using ns.likenewvideos.com as DNS server, whereas likenewvideos.com is currently suspended due to "violating Spam Policy". Precisely.

Related posts:
Social Engineering and Malware
Storm Worm Switching Propagation Vectors
Storm Worm's use of Dropped Domains
Offensive Storm Worm Obfuscation
Storm Worm's Fast Flux Networks
Storm Worm's St. Valentine Campaign
Storm Worm's DDoS Attitude
Riders on the Storm Worm
The Storm Worm Malware Back in the Game Continue reading →

Fast-Fluxing SQL Injection Attacks

The botnet masters behind Asprox are converging tactics already, by fast-fluxing the SQL injected domains. Related URLs for this campaign :

banner82.com
dll64.com
aspx88.com
bank11.net
cookie68.com
exportpe.net

Read the complete assessment - Fast-Fluxing SQL Injection Attacks Executed from the Asprox Botnet, and go through previous posts related to the botnet as well - Phishing Emails Generating Botnet Scaling; Inside a Botnet's Phishing Activities; Fake Yahoo Greetings Malware Campaign Circulating. Continue reading →

The Small Pack Web Malware Exploitation Kit

Yet another proprietary web malware exploitation kit has been released at the beginning of this month, further indicating that the efficient supply of such kits is proportional to their simplistic nature. The only differentiation factor in the Small Pack is perhaps the inclusion of all known Opera exploits up to version 9.20, however, the rest of the features are the natural ones included in the majority of already known exploitation kits :

- IE exploits included - Quick TIme Modified, PNG, MDAC, DX Media
- Firefox exploits included - Quick Time, PNG, EMBED
- Opera - all exploits up to version 9.20
- RC4 encryption
- lifetime updates
- Geolocation
- opportunity to request additional functions

Converging infection and distribution vectors, evasion and survivability, metrics and command and control in a single all-in-one web malware exploitation kits is, however, is definitely in the works considering the developments introduced in the rest of the kits currently available. For instance, despite that the ongoing waves of SQL injection attacks with multiple campaigns are injecting the malicious domains in its original form, certain attacks are starting to inject obfuscated URLs making it harder to assess the impact of the campaign using open source intelligence techniques.

The bottom line, as long as webmasters continue participating in the so called "traffic exchange" revenue models, knowingly or unknowingly embedding links that would later on ultimately redirect to a malicious site, "traffic exchange" is receiving the most attention at the strategic level, next to "traffic acquisition" at the tactical level. Basically, the traffic inventory that could be supplied is the direct result of an ongoing SQL injection attack, or malware embedded through other means, with the traffic brokers directly undermining webmaster's unethical inclusion of exploits within their domains portfolio.

One thing's for sure - web malware exploitation kits are not just getting localized, they're also being cloned.

Related posts:
The FirePack Exploitation Kit Localized to Chinese
MPack and IcePack Localized to Chinese
The FirePack Exploitation Kit - Part Two
The FirePack Web Malware Exploitation Kit
The WebAttacker in Action
Nuclear Malware Kit
The Random JS Malware Exploitation Kit
Metaphisher Malware Kit Spotted in the Wild
The Black Sun Bot
The Cyber Bot
Google Hacking for MPacks, Zunkers and WebAttackers
The IcePack Malware Kit in Action Continue reading →

Redmond Magazine SQL Injected by Chinese Hacktivists

Four Redmond related web properties appear to have been SQL injected by Chinese hacktivists, namely, Redmond - The Independent Voice of the Microsoft IT Community formerly known as Microsoft Certified Professional Magazine, the Redmond Developer News as well as the Redmond Channel Partner Online.

The lone hacktivist also left a message at the malicious domain (wowyeye.cn), which reads :

“The invasion can not control bulk!!!!If the wrong target. Please forgive! Sorry if you are a hacker. send email to kiss117276@163.com my name is lonely-shadow TALK WITH ME! china is great! f**k france! f**k CNN! f**k ! HACKER have matherland!”

Go through related posts on the recent Chinese Anti-CNN campaign. Continue reading →

Got Your XPShield up and Running?

Don't. Continuing previous posts with three different portfolios of fake security software, and Zlob malware variants posing as video codecs, the rogue security application XP Shield is the latest addition to the never ending list, with the following domains participating in the campaign :

xp-shield.com
xpshield.com
xpantiviruspro.com
xpantivirussecurity.com
xponlinescanner.com
xpprotectionsoftware.com
xpantivirussite.com
antivirus2008x.com
securityscannersite.com
antivirus-xp.awardspace.us
xpantivirus.awardspace.co.uk

The detection rates for the time being :

XPShieldSetup.exe
Scanners result : 1/32 (3.13%)
File size: 517632 bytes
MD5...: 99c7271ac88edc56e1d89c9f738f889c
SHA1..: 3347564017d289ffd116f70faa712e05883358f4

XPantivirus2008_v880381.exe
Scanners result : 4/32 (12.5%)
File size: 65024 bytes
MD5...: ef9024963b1d08653dcc8d8b0d992998
SHA1..: 436bf47403e0840d423765cf35cf9dea76d289a5

How would the end user reach these domains from a malicious attacker's perspective at the first place? Once being redirected to them through an already SQL injected or iFrame embedded legitimate site, with evidence of the practice seen in the majority of massive iFrame, SEO poisoning and SQL injections campaigns from the last couple of months. Continue reading →

DIY Phishing Kits Introducing New Features

Factual evidence on the emergence of individual phishing kits is starting to appear, with two more available in the wild. So what? For the time being, the lack of communication between the authors of these, or perhaps even the need to is slowing down the adoption of core features that would standardize and create a dynamic all in one phishing campaign C&C.

In the long term, however, features and customizations already adopted by ethical phishing initiatives, would become the default set of features for public, and not the proprietary kits that theoretically should act as the benchmark. As in a previous discussion on the dynamics of the malware industry and the proprietary tools within, lowering the entry barriers into phishing by releasing this applications for free, greatly benefits the more experienced phishers, as the novice market entrants would be the ones making the headlines :

"The DIY phishing kits trend started emerging around August, 2007, with the distribution of a simple kit (screenshots included), whose objective was to make it easy for a phisher already possessing the phishing page, to enter a URL where all the data would be forwarded to. Several months later, the kit went 2.0 (screenshots included) and introduced new preview, and image grabber features in order to make it easier for the phisher to obtain the images to be used in the attack. In early 2008, two more phishing kits made it in the wild, with the first once having direct FTP upload capabilities as well DIY Phishing Kit as automated updating of the latest phishing page, and the second one taking advantage of plugins under a .phish file extension."

Read the entire post - DIY phishing kits introducing new features.

Continue reading →

A Botnet of U.S Military Hosts

Building DDoS bandwidth capacity for offensive cyber warfare operations may seem rational, but this departamental cyber warfare approach would never manage to match the capabilities of the self-mobilizing hacktivist crowd :

"Where’s the enemy, and where’s the enemy’s communications and network infrastructure at the first place? It’s both nowhere, and everywhere, and you cannot DDoS “everywhere”, and even if you waste a decade building up the capability to DDoS everywhere, your adaptive enemy will undermine the resources, time and money you’ve put into the process by avoiding outside-to-inside attacks, and DDoS your infrastructure from inside-to-inside."

Here are related comments on how unnecessary the whole idea is at the first place. Continue reading →

The FirePack Exploitation Kit Localized to Chinese

The process of localizing open source malware, as well as publicly obtainable web malware explotation kits is continuing to receive the attention of malicious attackers, the Chinese underground in particular. Starting from MPack and IcePack's original localizations to Chinese, the FirePack exploitation kit is the latest one to have been recently localized to Chinese, and the trend is only starting to emerge.

What is prompting Chinese users to translate these kits to their native language anyway? Is it the kit's popularity, success rates, lack of alternatives, or capability matching with the rest of the internaltional underground community? I'd go for the last point. Continue reading →

Major Career Web Sites Hit by Spammers Attack

What is the future of spamming next to managed spamming appliances, like the ones already offered for use on demand? It’s targeted spamming going beyond the segmentation of the already harvested emails on per country basis, and including other variables such as city of residence, employment history, education, spoken languages, to ultimately set up the perfect foundation for targeted spamming and malware campaigns.

Go through the complete assessment of the tool used for extracting personal data from major career sites as well. Continue reading →

Custom DDoS Attacks Within Popular Malware Diversifying

One of the many Chinese script kiddies' favorite malware tools has been recently updated with several other DDoS attack capabilities built within, as well as with a nasty bandwidth allocation and measurement option introduced within. In case you remember, this was the very same malware tool I used as an example of how open source malware is prone to extend its lifecycle, and enjoy unique functionalities added on behalf of third-party contributors to the open source project.

The ongoing development of the tool showcases several important key points, namely, how a market share leader's products in a certain region, Korea in this case, often receive the attention of malware authors embedding product-specific DoS attacks within, and also, the fact that the average script kiddies are continuing getting empowered with access to DDoS tools going beyond the average HTTP request flooders and ICMP flooding attacks. Furthermore, realizing the PSYOPs effect that could be created out of the popularity of this DIY malware, a specific Anti CNN version was released during the Anti CNN attack campaigns, and as you can also see, ABC.com is hard coded as an example of a site to be attacked.

From an unrestricted warfare perspective, what is the difference between someone who has on purposely infected themselves with malware to appear as an infected hosts in this malware's C&C, and when traced back as a participant in the DDoS attacks simply states she's been infected with malware, next to those infected hosts who were unknowingly participating in the DDoS attacks? There wouldn't be any. Continue reading →

Stealing Sensitive Databases Online - the SQL Style

In a perfect world from a malicious SQL-ers perspective, mom and pop E-shops filling market niches and generating modest but noticeable revenue streams, have their E-shops vulnerable and exploitable to web application vulnerabilities, with their SQL databases available for extraction in an unencrypted form.

In reality, reconnaissance through search engine's indexes to build a hit list of E-shops with a higher probability for exploitation, is what malicious attackers who lack the skills and capacity to build a botnet, even invest money into renting one on demand and collecting the output in the form of credit cards numbers and accounting data, have been doing for the past of couple of years. Moreover, as I've already pointed out and provided relevant examples, it's perhaps even more disturbing to see the automated process of building such hitlists, verifying that they're exploitable, remotely exploiting them by embedding malicious links within their pages, and of this made possible through the use of botnets.

The whole is greater than the sum of its parts, and while some are putting time and efforts into figuring out whether or not a specific vulnerability is exploited, and through the use of which hundreds of thousands web sites again end up injected with automatically loading links to malicious domains, the bad guys are keeping it simple, sometimes way too simple to end up with the most successful and efficient ways to achieve their objectives. Furthermore, waging verbal warfare on whether or not XSS are a greater security risk than currently perceived, is definitely making a lot of malicious attackers out there enjoy the lack of situational awareness of those who are supposed to have a better grasp of what they're up to, not what they might be up to.

The bottom line - from a malicious economies of scale perspective, are massive SQL injections attacks serving malware to a speculated number of hundreds of thousands susceptible to clien-side attacks exploitation site visitors, more effective, than obtaining the low-hanging databases in a site-specific vulnerability manner? Depends entirely on what the bad guys are trying to obtain, access to as many infected hosts as possible to be later on used for phishing, spamming, stepping stones, hosting and distribution of malware and conducting OSINT for corporate espionage by segmenting the infected population into organizations of importance, or access to "the whole" benefits package coming with having a complete access over an Internet connected host. Continue reading →

Skype Phishing Pages Serving Exploits and Malware

"Please, don't update your account information", at least not on recently spammed phishing pages which will not only aim at obtaining your accounting data, but will also infect with you malware through exploiting MS06-014. These phishing emails are a great example of blended threats, and while we're been witnessing the ongoing consolidation between phishers, spammers and malware authors for the last two years, this particular phishing campaign looks like a lone gunman operation.

Original message : "Dear valued skype member: It has come to our attention that your skype account informations needs to be updated as part of our continuing commitment to protect your account and to reduce the instance of fraud on our website. If you could please take 5-10 minutes out of your online experience and update your personal records you will not run into any future problems with the online service. However, failure to update your records will result in account suspension. Please update your records on or before May 11, 2008. you are requested to update your account informations at the following link. To update your informations."

Phishing URL : alertskype.freehostia.com, which is then forwarding to skypealert.ns8-wistee.fr/Secure.skype.com/store/member/login.html/Login.aspx/index/Skype.Members/index.htmls/ where the malware and the exploit are hosted.

Scanners result : Result: 3/31 (9.68%)
VBS/Small.W.1; Exploit-MS06-014
File size: 13569 bytes
MD5...: 4d6a559adf0602f7fd58b884e00894dc
SHA1..: 056f75e0dd94d03daeb04ae83d1b4a1b7476c0f2
SHA256: 3f08427228489edffd57e927db571aea06716c192ec72f91ea8115c0c7f978eb

The phishing page wasn't created, but copied from Skype's original login page. The phisher even left an email within the VBS, in this case - ikbaman@gmail.com. Virtual greed or contact point optimization for fraudulent purposes, passive phishing attacks can sometimes be quite active and leave the curious clicker with a false feeling of security.

Continue reading →

A Chinese DIY Multi-Feature Malware

What is the current state of the Chinese IT Underground? Are its participants copycats who just localize successful malware kits, and port open source malware to web applications in between adding more features within? For the past several years, and more recently with the anti CNN attacking campaigns courtesy of Chinese hacktivists and the average Internet users, the Chinese IT Underground has demonstrated its self-mobilization capabilities and mindset, which when combined with basic principles of unrestricted warfare has the potential to outpace any other country's current cyber warfare capabilities - like it is for the time being from a realistic perspective.

In people's information warfare self-mobilization happens consciously, and the anti CNN campaigns perfectly demonstrate this, with an emphasis on how even the non-technical, but Internet bandwidth empowered Chinese user can consciously become a part of a PuppetNet. And while it may also seem logical that the attacking crowds would already be using a well known set of DoS tools, the most recent case demonstrates their capabilities to code and release such DoS tools on demand. For instance, excluding a popular in China DIY malware with custom DDoS capabilities, the rest of the tools were released for this particular campaign.

Furthermore, in between the average password stealers, and DIY malware droppers, there are releases going beyond the average tools, which demonstrate a certain degree of creativity - like this one.

Key features :
- the GUI C&C's objective is to make it easier to control a large number of infected hosts with an interesting option to measure the bandwidth in order to properly allocate it for DDoS attacks
- has a built-in dropping capability for backdooring the already infected hosts through a web shell
- has a built-in dropping capability of several exploits onto the infected hosts in order to use the infected hosts as infection vectors, a malicious infrastructure on demand
- intranet and Internet port scanning

Scanners result : 13/31 (41.94%)
Trojan.Flystudio.AI
File size: 660659 bytes
MD5...: d3bfb06d992b1274a69a479348f39c60
SHA1..: bc474a8bea0b4a2a4ad446abf6e3b978e1fa79c8

Using a DIY malware kit as a dropper of exploits onto infected hosts, who would later on be used as infection vectors to increase the botnet's population is a new approach applied by the Chinese underground. In comparrison, following an underground's lifecycle, the Chinese one is still more features-centered compared to the Russian one for instance, where once features become a commodity, more emphasis is put into quality assurance and extending the lifecycle of the malware by ensuring it remains undetected for as long as possible - the product concept vs the rootkit stage. Continue reading →

Blackhat SEO Campaign at The Millennium Challenge Corporation

Among the very latest victims of a successful blackhat SEO campaign that has managed to inject and locally host 1,370 pharmaceutical pages, is the Millennium Challenge Corporation (mcc.gov) - a United States Government corporation designed to work with some of the poorest countries in the world.

The injected pages are loading remote images from what looks like a secondary compromised site, in this case ttv-bit.nl which is a legitimate Dutch table tennis association. Compared to previous blackhat SEO campaigns that I've assessed in the past taking advantage of redirection only, the layout of the embedded pages in this one is sticking the remotely loading images at the top of the page, and placing the original at the bottom.

The campaign's main URl is ttv-bit.nl/rr/c.php where a redirector is forwarding to canadiandiscountsmeds.com, and these are some of the remotely loading images ttv-bit.nl/rr/s.JPG; ttv-bit.nl/rr/l.JPG; ttv-bit.nl/rr/c.JPG; ttv-bit.nl/rr/v.JPG

Moreover, as in the recent massive SEO poisoning attacks, the referrer is checked, and given that the campaign URL is dedicated to mcc.gov only, only mcc.gov referrers are directed to the spam pages. These blackhat SEO incidents targeting sites with high page ranks, are either the result of the automated process of searching for vulnerable such high page rank-ed sites, or direct abuse of purchased access to the already compromised hosts via web shells or web backdoors.

Related posts:
Massive IFRAME SEO Poisoning Attack Continuing
Massive Blackhat SEO Targeting Blogspot
The Invisible Blackhat SEO Campaign
Attack of the SEO Bots on the .EDU Domain
p0rn.gov - The Ongoing Blackhat SEO Operation
The Continuing .Gov Blackat SEO Campaign
The Continuing .Gov Blackhat SEO Campaign - Part Two
Compromised Sites Serving Malware and Spam Continue reading →

Harvesting YouTube Usernames for Spamming

With a recently distributed database of several thousand YouTube user names, spammers continue trying to demonstrate their interest in establishing as many contact points with potential receipts of their message, or even malware given the harvested user names database ends up in someone else's hands.

Building such "hitlists" of end points to be spammed, or served malware, is setting up the foundations for the success of popular tools used for spamming video and social networking sites, efficiently, and with a very low degree of unsuccessful attempts to deliver the message. Moreover, these developments seem to indicate an emerging trend of building databases that would later one be efficiently abused, starting from the Thousands of IM Screen Names in the Wild uncovered in October, 2007, and going to the spamming of Skype users.

Direct applicability for spamming and malware campaigns, or a bargain for finalizing a deal, databases of any kind are prone to be abused in principle, and it's malicious parties in general I'm refering to in this case. Continue reading →

Ethical Phishing to Evaluate Phishing Awareness

What is the most efficient and cost-effective way of both, measuring your employees awareness of phishing threats, and building awareness of the threat simultaneously? By sending them ethical phishing emails to see which department based on which social engineering campaign is more susceptible to phishing attacks, at least that's what PhishMe.com is all about :

"Effective, memorable, and secure user awareness testing and training is now available with just a few clicks. Using PhishMe.com’s built-in templates and WYSIWYG functionality, you can emulate real phishing attacks against your employees within minutes. Focus your training efforts on the most susceptible employees by providing immediate feedback to anyone that falls victim to these exercises. Phish your employees before hackers do!"

Once watching the demo online, you'll get the feeling that it's actually a real phisher's web interface to spamming out phishing emails, so I guess the bad guys can in fact learn from the good guys standardizing approach and metrics mentality applied.

For the time being, Rock Phish represents the most efficiency centered phishing approach, with a single IP hosting numerous domains, each of those hosting over ten different phishing campaigns on average each of these with a dedicated cybersquatted subdomain. However, with the ongoing commoditization of phishing pages, the localization and segmentation of phishing campaigns, the next logical development would be the public release of a point'n' click web interface for managing real phishing campaigns.

Or perhaps a public leak, given that someone out there might have already came up with such an interface, without the sexy layout? And by the time there hasn't been a release or a leak, spamming tools would continue getting adapted for phishing purposes, and log parsers would be a phisher's best friend in respect to evaluating the success rate of a phishing campaign. Continue reading →

MySpace Hosting MySpace Phishing Profiles

The ongoing arms race between phishers and social networking sites, is a great example of how malicious parties continue to be a step ahead of the reactive response of those and many other web properties. The majority of phishing emails usually take advantage of typosquatting, or sub-domaining to the point where the URL is perfectly mimicking the only property's web application structure. There are however, these exceptions adapting to current security practices in place, and abusing them.

The large scale myspace phishing attack that I assessed in November, 2007, was particularly interesting to discuss because of its internal spamming structure - a social networking account that's already been phished is used to disseminate the phishing urls to all of its friends, collecting accounting data and serving malware.

The phishing tactic that I'll assess in this post, demonstrates the adaptability of phishers whose efforts to adapt to MySpace's current security practices in place, have greatly improved their chances for tricking a large number of visitors. How come? They are not using the natural profile.myspace.com.bogusdomain.info as usual, but are actually using authentic MySpace phishing profiles, hosted at MySpace.com.

Key summary points :

- phishers are generating phishing profiles making it look like the visitor hasn't authenticated herself to view a profile, and pushing the fake login form in front of the fake profile
- the phishing profiles are hosted at MySpace.com
- ignoring the profile's original layout, the fake login windows is pushed upon visiting a phishing profile in front of the profile
- from a social engineering perspective, given that the "action" is happening at MySpace.com, from spamming the phishing profile, to more users getting tricked given its not a secondary domain, that's an example of social engineering going beyond the average typosquatting
- upon logging in reasonably thinking the user is at MySpace.com, the accounting data is forwarded to a phishing host located on a free web space provider

Let's demonstrate the technique by assessing a currently active phishing profile - myspace.com/ecslut which you can also see in the screenshot above. Once the accounting data gets submitted to the profile hosted at MySpace.com, it redirects the output to myspace101.freeweb7.com/next.php, where a Google Analytics with id "UA-3234554-2" collects metrics for the campaign, then its forwards to MySpace's main page.

A phishing campaign that's spamming millions of users with myspace101.freeweb7.com wouldn't really last online long enough for someone to fall victim into the scam. But when phishers shift the tactic from phishing pages relying on typo/cybersquatting to phishing profiles and start spamming with myspace.com/phishing_profile, success rate is prone to sky rocket.

Related posts:
Phishing Metamorphosis in 2007 - Trends and Developments
Web Site Defacement Groups Going Phishing
Phishing Tactics Evolving
Phishing Emails Generating Botnet Scaling
Phishers, Spammers, and Malware Authors Clearly Consolidating
Phishing Pages for Every Bank are a Commodity
RBN's Phishing Activities
Inside a Botnet's Phishing Activities
Large Scale MySpace Phishing Attack
Update on the MySpace Phishing Campaign
MySpace Phishers Now Targeting Facebook
DIY Phishing Kits
DIY Phishing Kit Goes 2.0
PayPal and Ebay Phishing Domains
Average Online Time for Phishing Sites
The Phishing Ecosystem
Assessing a Rock Phish Campaign
Taking Down Phishing Sites - A Business Model?
Take this Malicious Site Down - Processing Order..
209 Host Locked
209.1 Host Locked
66.1 Host Locked
Confirm Your Gullibility
Phishers, Spammers and Malware Authors Clearly Consolidating
The Economics of Phishing
Continue reading →