Monday, May 05, 2008

MySpace Hosting MySpace Phishing Profiles

The ongoing arms race between phishers and social networking sites is a good example of how malicious parties stay a step ahead of the reactive response of those and many other web properties. Most phishing emails rely on typosquatting, or on sub-domaining to the point where the URL perfectly mimics the targeted property's web application structure. There are, however, exceptions that adapt to the security practices currently in place, and abuse them.

The large scale MySpace phishing attack that I assessed in November, 2007, was particularly interesting because of its internal spamming structure: a social networking account that has already been phished is used to disseminate the phishing URLs to all of its friends, collecting account credentials and serving malware.

The phishing tactic I'll assess in this post demonstrates how phishers adapting to MySpace's current security practices have greatly improved their chances of tricking a large number of visitors. How come? They are not using the usual profile.myspace.com.bogusdomain.info style of domain, but authentic phishing profiles hosted at MySpace.com itself.

Key summary points :

- phishers are generating phishing profiles that make it look like the visitor hasn't authenticated to view the profile, and push a fake login form in front of the fake profile
- the phishing profiles are hosted at MySpace.com
- ignoring the profile's original layout, the fake login window is pushed in front of the profile as soon as the phishing profile is visited
- from a social engineering perspective, since the "action" is happening at MySpace.com, from spamming the phishing profile to users getting tricked because it is not a secondary domain, this is social engineering going beyond average typosquatting
- upon logging in, reasonably thinking they are at MySpace.com, the user's account credentials are forwarded to a phishing host located on a free web space provider

Let's demonstrate the technique by assessing a currently active phishing profile, myspace.com/ecslut, which you can also see in the screenshot above. Once the credentials are submitted through the profile hosted at MySpace.com, they are forwarded to myspace101.freeweb7.com/next.php, where a Google Analytics tracker with the ID "UA-3234554-2" collects metrics for the campaign, and the visitor is then redirected to MySpace's main page.
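The check a practitioner would want against a page like this is simple: does a login form served from the legitimate domain post its credentials somewhere else? The following is an added example, not code from the original post. It parses a page's HTML with the standard library, finds every form carrying a password field, resolves the form action against the page URL and flags those whose registrable domain differs from the hosting page's. The sample page is a constructed stand-in for a phishing profile; wiring its form action straight to the next.php host named above is an assumption about how the real profile was built, and the profile name in the sample URL is hypothetical.

```python
"""Flag HTML login forms whose action posts credentials off the hosting domain.

Added example, not code from the original post. SAMPLE_HTML is a constructed
stand-in for a phishing profile: the page is served from myspace.com but the
<form> posts to a third-party free host (an assumption about the real page).
"""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Constructed sample: hypothetical profile name, fake login overlay on top of it.
SAMPLE_PAGE_URL = "http://www.myspace.com/example_profile"
SAMPLE_HTML = """
<html><body>
<div class="overlay">
  <form method="post" action="http://myspace101.freeweb7.com/next.php">
    E-Mail: <input type="text" name="email">
    Password: <input type="password" name="password">
    <input type="submit" value="Log In">
  </form>
</div>
<form method="get" action="/search">   <!-- same-site form, should not fire -->
  <input type="text" name="q">
</form>
</body></html>
"""


class FormCollector(HTMLParser):
    """Collect every <form> with its action and whether it carries a password field."""

    def __init__(self):
        super().__init__()
        self.forms = []       # list of {"action": str, "has_password": bool}
        self._current = None

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "form":
            self._current = {"action": attrs.get("action") or "", "has_password": False}
        elif tag == "input" and self._current is not None:
            if (attrs.get("type") or "").lower() == "password":
                self._current["has_password"] = True

    def handle_endtag(self, tag):
        if tag == "form" and self._current is not None:
            self.forms.append(self._current)
            self._current = None


def registrable_domain(host):
    """Crude last-two-labels comparison; no public-suffix list (an assumption of this example)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def off_domain_credential_forms(page_url, html):
    """Return absolute action URLs of password forms posting outside the page's domain."""
    parser = FormCollector()
    parser.feed(html)
    page_host = urlsplit(page_url).hostname or ""
    flagged = []
    for form in parser.forms:
        if not form["has_password"]:
            continue
        target = urljoin(page_url, form["action"])   # relative actions stay on-site
        target_host = urlsplit(target).hostname or ""
        if registrable_domain(target_host) != registrable_domain(page_host):
            flagged.append(target)
    return flagged


if __name__ == "__main__":
    for url in off_domain_credential_forms(SAMPLE_PAGE_URL, SAMPLE_HTML):
        print("credential form posts off-domain:", url)
```

Two caveats: a form that collects the password in a plain text field, or submits via JavaScript rather than a form action, slips past this static check, so it complements rather than replaces monitoring where credentials actually end up.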

A phishing campaign spamming millions of users with myspace101.freeweb7.com wouldn't stay online long enough for many to fall victim to the scam. But when phishers shift from phishing pages relying on typo/cybersquatting to phishing profiles, and start spamming myspace.com/phishing_profile instead, the success rate is likely to skyrocket.

Related posts:
Phishing Metamorphosis in 2007 - Trends and Developments
Web Site Defacement Groups Going Phishing
Phishing Tactics Evolving
Phishing Emails Generating Botnet Scaling
Phishers, Spammers, and Malware Authors Clearly Consolidating
Phishing Pages for Every Bank are a Commodity
RBN's Phishing Activities
Inside a Botnet's Phishing Activities
Large Scale MySpace Phishing Attack
Update on the MySpace Phishing Campaign
MySpace Phishers Now Targeting Facebook
DIY Phishing Kits
DIY Phishing Kit Goes 2.0
PayPal and Ebay Phishing Domains
Average Online Time for Phishing Sites
The Phishing Ecosystem
Assessing a Rock Phish Campaign
Taking Down Phishing Sites - A Business Model?
Take this Malicious Site Down - Processing Order..
209 Host Locked
209.1 Host Locked
66.1 Host Locked
Confirm Your Gullibility
The Economics of Phishing

Friday, May 02, 2008

Segmenting and Localizing Spam Campaigns

One-to-many or one-to-one communication channel? That's the question from a spammer's perspective. Given that spammers have long embraced basic segmentation in their harvested email databases, enforcing localization in each of their multinational campaigns, thereby increasing the probability of a higher response, was a logical trend to come, and one we're currently witnessing on a large scale. Outsourcing the localization process to on-demand translation services, for anything from phishing emails and spam to malware campaigns, is starting to accelerate, because these parties now know more about each harvested email address, such as the country and language of its owner, than they used to.

A Chinese user will never receive a spam message in German, and vice versa, as spammers are getting more ROI conscious in everything they do. In the long term, therefore, the emphasis may shift from the process of sending the spam to higher expectations from botnet masters, with spammers requiring hosts with clean IP reputations in the very same fashion they want email databases of addresses that still haven't been spammed - well, at least not by them.

And just like in any other market, the managed spamming appliance providers will inevitably vertically integrate and start offering database filtering and delivery verification services. With so many malware infected hosts available, spamming is getting cheaper, given the increasing number of market participants, each of them consciously or subconsciously engaging in permanent penetration pricing and ending up undercutting those positioning spamming as an exclusive service. And when the sending process and huge lists of harvested emails are already commodities, competition shifts to the quality of the campaign.

The attached screenshot shows a spamming provider's "inventory" of emails per country, with the price for a given number of already harvested emails, clearly demonstrating that when competition increases even in the underground market, the serious sellers start differentiating their propositions, taking spam in general a step further.

Testing Signature-based Antivirus Products Contest

This is interesting, yet irrelevant and outdated at the same time:

"The Race to Zero contest is being held during Defcon 16 at the Riviera Hotel in Las Vegas, 8-10 August 2008. The event involves contestants being given a sample set of viruses and malcode to modify and upload through the contest portal. The portal passes the modified samples through a number of antivirus engines and determines if the sample is a known threat. The first team or individual to pass their sample past all antivirus engines undetected wins that round. Each round increases in complexity as the contest progresses."

What are the reactions of security vendors, AVs in particular? The best remark - "Security vendors began panning it immediately, saying it will simply help the bad guys learn some new tricks."

The bad guys will learn new tricks from the good guys modifying binaries to prove that antivirus signature scanning isn't working? There's no shortage of creativity and innovation on the part of malware authors, and in reality the good guys are supposed to learn from the bad guys, in the sense of the techniques, tools and tactics they use to achieve such a high degree of now automated polymorphism. The only thing the bad guys can learn from the good guys are the techniques the good guys use to make the bad guys' lives a pain, that is, obtain the tools and see their malware through the eyes of a good guy.

Moreover, as I've already pointed out in a previous post, undetected malware, or malware with the lowest possible detection rate, is no longer created, it's being generated thanks to the:

"DIY nature of malware building, the managed undetected binaries as a service coming with the purchase of proprietary malware tools, the fact that malware is tested against all the anti virus vendors and the most popular personal firewalls before it starts participating in a campaign, and is also getting benchmarked and optimized against the objectives set for its lifecycle."

Nowadays, even a script kiddie's favorite Remote Administration Tool comes with advanced point'n'click DIY features such as anti-sandboxing and anti-reverse engineering, either built in or outsourced to someone who excels at the process. Undetected malware isn't just coming as a product these days, it's also being pitched as a managed service on a per obfuscated binary basis.

Thankfully, signature based malware scanning is slowly becoming just one of many alternative malware and behaviour detection approaches available within antivirus solutions these days, given how easy it is to artificially inflate the industry's count of malware variants.

Wednesday, April 30, 2008

Detection Rates for Malware in the Wild

Yet another Early Warning Security Event System was made available to the public earlier this month. The Malware Threat Center is currently generating automated tracking reports in the following sections:

- Most Aggressive Malware Attack Source and Filters
- Most Effective Malware-Related Snort Signatures
- Most Prolific BotNet Command and Control Servers and Filters
- Most Observed Malware-Related DNS Names
- Most Effective Antivirus Tools Against New Malware Binaries
- Most Aggressively Spreading Malware Binaries

I was particularly interested in the rankings in the "Most Effective Antivirus Tools Against New Malware Binaries" section, especially its emphasis on malware that's currently in the wild. Furthermore, to prove my point, compare the top 10 list of antivirus vendors as it was on the 20th with the top 10 list as it was yesterday. Can you find the differences? Grisoft, Avira, Secure Computing and Quick Heal remain in the same positions, whereas the rest of the vendors have changed rank, although on the 20th they were exposed to only 1030 binaries, and on the 29th to 1759.

So what? When it comes to signature based malware scanning, every vendor has its 15 minutes of fame; however, as I pointed out two years ago:

"Avoid the signatures hype and start rethinking the concept of malware on demand, open source malware, and the growing trend of malicious software to disable an anti virus scanner, or its ability to actually obtain the latest signatures available."

What has changed? The DIY nature of malware building, the managed undetected binaries as a service that comes with the purchase of proprietary malware tools, and the fact that malware is tested against all the antivirus vendors and the most popular personal firewalls before it starts participating in a campaign, and is also benchmarked and optimized against the objectives set for its lifecycle. Moreover, with malware authors waging tactical warfare on the vendors' infrastructure by supplying more malware variants than they can analyze in time, this warfare on the part of the malicious parties is only going to get more efficient.

Fake Directory Listings Acquiring Traffic to Serve Malware

Malicious parties are known to deliver what the unsuspecting and unaware end user is searching for, persistently innovating at the infection vector level in order to serve malware or redirect to live exploit URLs within an internal ecosystem that not even a search engine's crawlers would bother crawling. What's the trick here? Using image files as bait for malware binaries, and acquiring traffic by generating fake directory indexes with hundreds of thousands of popular or segment specific keywords in the filenames, while tricking the impulsive leecher by forcing a direct download of whatever is malicious. Creative, at least according to someone who has released such a fake directory listing, and who looks to be planning an automated approach for doing this.

Inside a non-malicious download.php file :

<?php
// Serves sexy.gif as a forced download instead of letting the browser render it inline.
$file = "sexy.gif";
header("Content-type: application/force-download");
header("Content-Transfer-Encoding: Binary");
// basename() strips any directory component from the advertised filename.
header("Content-Disposition: attachment; filename=\"".basename($file)."\"");
readfile($file);
?>

Spammers, phishers, malware authors, and of course black hat search engine optimizers, are known to have been using this technique for forcing downloads, loading live exploit URLs, or plain simple redirection to a place where the malicious magic happens.
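The tell in a listing like this is the mismatch between what a link advertises and what the server actually hands back. The following is an added example, not code from the original post or from the listing's author: for every link that claims an image extension, in its path or in a download.php-style query value, it compares the advertised type against the Content-Type, the Content-Disposition and the first bytes of the body, and reports the disagreements. The listing, the filenames and the HTTP responses are all constructed fixtures held in memory so the check runs offline; a real deployment would fetch each link with a client that does not auto-execute downloads.

```python
"""Flag "image" links in a directory listing whose served content is not an image.

Added example, not code from the original post. Every URL, filename and
response below is constructed; nothing is fetched from the network.
"""
import posixpath
from html.parser import HTMLParser
from urllib.parse import parse_qsl, urljoin, urlsplit

IMAGE_EXTENSIONS = {".gif", ".jpg", ".jpeg", ".png", ".bmp"}
# Leading bytes of genuine image formats versus a DOS/PE executable.
IMAGE_MAGIC = (b"GIF87a", b"GIF89a", b"\xff\xd8\xff", b"\x89PNG\r\n\x1a\n", b"BM")
EXECUTABLE_MAGIC = (b"MZ",)

# Constructed fake index: keyword-stuffed names, the server's image icon, one trap link.
SAMPLE_LISTING_URL = "http://example.invalid/gallery/"
SAMPLE_LISTING_HTML = """
<h1>Index of /gallery</h1>
<a href="download.php?f=celebrity_photo_2008.gif"><img src="/icons/image2.gif"> celebrity_photo_2008.gif</a>
<a href="summer_party_2008.jpg"><img src="/icons/image2.gif"> summer_party_2008.jpg</a>
<a href="readme.txt">readme.txt</a>
"""

# Constructed responses keyed by absolute URL: (headers, first bytes of the body).
SAMPLE_RESPONSES = {
    "http://example.invalid/gallery/download.php?f=celebrity_photo_2008.gif": (
        {"Content-Type": "application/force-download",
         "Content-Disposition": 'attachment; filename="celebrity_photo_2008.gif"'},
        b"MZ\x90\x00\x03\x00\x00\x00" + b"\x00" * 24,
    ),
    "http://example.invalid/gallery/summer_party_2008.jpg": (
        {"Content-Type": "image/jpeg"},
        b"\xff\xd8\xff\xe0\x00\x10JFIF",
    ),
}


class LinkCollector(HTMLParser):
    """Collect href values of every <a> in the listing."""

    def __init__(self):
        super().__init__()
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            href = dict(attrs).get("href")
            if href:
                self.hrefs.append(href)


def claimed_image(url):
    """True when the path, or any query value (download.php?f=x.gif), advertises an image."""
    parts = urlsplit(url)
    candidates = [parts.path] + [value for _, value in parse_qsl(parts.query)]
    return any(posixpath.splitext(c)[1].lower() in IMAGE_EXTENSIONS for c in candidates)


def classify_body(head):
    """Coarse content sniff on the first bytes of the body."""
    if head.startswith(IMAGE_MAGIC):
        return "image"
    if head.startswith(EXECUTABLE_MAGIC):
        return "executable"
    return "unknown"


def suspicious_image_links(listing_url, html, responses):
    """Return (url, reasons) for image-claiming links whose response disagrees with the claim."""
    collector = LinkCollector()
    collector.feed(html)
    findings = []
    for href in collector.hrefs:
        url = urljoin(listing_url, href)
        if not claimed_image(url) or url not in responses:
            continue
        headers, head = responses[url]
        reasons = []
        ctype = headers.get("Content-Type", "").lower()
        if not ctype.startswith("image/"):
            reasons.append("content-type %s" % (ctype or "missing"))
        if "attachment" in headers.get("Content-Disposition", "").lower():
            reasons.append("forced download")
        body = classify_body(head)
        if body != "image":
            reasons.append("body looks like %s" % body)
        if reasons:
            findings.append((url, reasons))
    return findings


if __name__ == "__main__":
    for url, reasons in suspicious_image_links(SAMPLE_LISTING_URL, SAMPLE_LISTING_HTML, SAMPLE_RESPONSES):
        print(url, "->", "; ".join(reasons))
```

The headers alone are not enough: a server can lie about Content-Type, so the body sniff is what catches a PE file served under a .gif name, and the Content-Disposition check is what catches the forced-download trick even when the payload is something the sniff does not recognise.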

A fake directory listing of images, where the entries themselves load the directory index's image icon to make themselves look like images - try saying this again, and consider this attack tactic SEO 1.0, where the 2.0 stage has long embraced GUIs and all-in-one anti-doorway detection techniques for blackhat SEOers to take advantage of.

Response Rate for an IM Malware Attack

Remember the MSN Spamming Bot in action? Consider this screenshot not just as a real example of IM spamming in action, but also pay attention to the response rate: the number of messages sent, and the response in the form of new malware infected hosts joining an IRC channel. Keeping It Simple Stupid by directly spamming the binary locations is still surprisingly working, judging by Storm Worm's last several campaigns, but with the recent spamming of live exploit URLs and malware using Google ads' click-tracking URLs as redirectors, for instance:

- google.com/pagead/iclk?sa=l&ai=dhobOez&num=57486&adurl=http://mpharm.hr/video_233.php
- google.com/pagead/iclk?sa=l&ai=YQdWjxe&num=81899&adurl=http://www.1-pltnicka.sk/lib_vid.php
- google.com/pagead/iclk?sa=l&ai=MKRCVFW&adurl=//bestsslscripts.com/goog/online-casino-gambling.html
- google.com/pagead/iclk?sa=l&ai=Hydrocodone&num=001&adurl=http://hydrocodone.7-site.info

the response rate for the campaign can change in a minute. Go through the related post "Statistics from a Malware Embedded Attack" for another perspective.