Large Scale MySpace Phishing Attack

November 20, 2007
In need of a "creative phishing campaign of the year"? Try this: perhaps the largest phishing attack spoofing MySpace and collecting all the login details at a central location, one that's been active for over a month and continues to be. A Chinese phishing group has come up with legitimate looking MySpace profiles (profile.myspace.com) in the form of subdomains under their original .cn domains, and by doing so achieves its ultimate objectives - establish trust through typosquatting, remain beneath the security vendors' radar by comment spamming the URLs inside MySpace, and obtain the login details of everyone who got tricked.

Key points :

- all of the participating domains are using identical DNS servers, and their DNS records are set to change every 3 minutes

- each and every domain is using a different comment spam message, making it easy to assess the potential impact of each of them

- the URLs are not spammed like typical phishing emails, but comment spammed within MySpace using legitimate accounts, presumably ones that have already fallen victim to the campaign, mostly to remain beneath the radar of security vendors who would pick the URLs up if they were spammed in the usual manner

- all of the URLs and subdomains are currently active, and the login details get forwarded to a central location, 319303.cn/login.php

This is how the fake MySpace login form looks on the fake domains/subdomains :
(form action="http://319303.cn/login.php" method="post" name="theForm" id="theForm")

This is how the real MySpace login form looks :
(form action="http://secure.myspace.com/index.cfm?fuseaction=login.process" method="post" id="LoginForm")

Sample MySpace phishing URLs from this campaign :

profile.myspace.com.fuseaction.id.0ed37i8xdd.378d38.cn
profile.myspace.com.index.fuseaction.id.370913.cn
profile.myspace.com.fuseaction.id.0ed37i8xdd.125723.cn
profile.myspace.com.fuseaction.id.Dx78x00iJe5.982728.cn
profile.myspace.com.fuseaction.user.id.28902334.arutncbt.cn
profile.myspace.com.fuseaction.id.0nd8di8xfd.125723.cn
profile.myspace.com.fuseaction.id.0ed37i8xdd.109820.cn
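As an added example that is not part of the original post, this Python script flags hostnames that embed profile.myspace.com ahead of a foreign registered domain, as the sample URLs above do, and extracts a login form's action to check whether credentials would be posted off-brand (319303.cn/login.php versus secure.myspace.com). The two-label registered-domain rule is an assumption standing in for a public-suffix list, and the form fragments are reconstructed from the two quoted above.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

LEGIT_DOMAIN = "myspace.com"  # the brand the phishing hosts imitate

# The two login forms quoted in the post, reconstructed as HTML fragments.
FAKE_FORM = '<form action="http://319303.cn/login.php" method="post" name="theForm" id="theForm">'
REAL_FORM = '<form action="http://secure.myspace.com/index.cfm?fuseaction=login.process" method="post" id="LoginForm">'

def registered_domain(host: str) -> str:
    # Last two labels only; assumption: no public-suffix list, so 'co.uk' is not handled.
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])

def is_lookalike(host: str, legit: str = LEGIT_DOMAIN) -> bool:
    # True when the brand domain is a run of labels inside the hostname but the
    # registered domain is someone else's, e.g. profile.myspace.com.<junk>.<attacker>.cn
    h = host.lower().rstrip(".")
    if registered_domain(h) == legit:
        return False
    return ("." + legit + ".") in ("." + h + ".")

class FormActionParser(HTMLParser):
    """Collects the action attribute of every <form> tag."""
    def __init__(self):
        super().__init__()
        self.actions = []
    def handle_starttag(self, tag, attrs):
        if tag.lower() == "form":
            action = dict(attrs).get("action")
            if action:
                self.actions.append(action)

def foreign_login_actions(html: str, page_domain: str = LEGIT_DOMAIN) -> list:
    # Form actions that submit to a registered domain other than page_domain.
    parser = FormActionParser()
    parser.feed(html)
    bad = []
    for action in parser.actions:
        host = urlsplit(action).hostname  # None for relative actions
        if host and registered_domain(host) != page_domain:
            bad.append(action)
    return bad

if __name__ == "__main__":
    for host in ("profile.myspace.com.fuseaction.id.0ed37i8xdd.378d38.cn",
                 "profile.myspace.com"):
        print(host, "LOOKALIKE" if is_lookalike(host) else "ok")
    print("fake form posts to:", foreign_login_actions(FAKE_FORM))
    print("real form posts to:", foreign_login_actions(REAL_FORM))
```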

Ten sample Chinese domains participating in the phishing attack, returning the MySpace spoof at the main index and the subdomains :


Assessing the comment messages used on ten phishing domains for internal comment spamming at MySpace :

370913.cn - "haha i cant believe we went to high school with this girl"
978bg33.cn - "sometimes i cannot believe the pics people put on their myspaces"
982728.cn - "I cannot believe this freaking whore would put pics like that on her myspace page.. how trashy.."
977y62.cn - "did you see what happened? OMG you gotta see Mike's profile."
125723.cn - "did you see what happened? OMG you gotta see Mike's profile."
pckeez.cn - "can you believe we went to highschool with this chick?"
pcc2ekxz.cn - "can't believe a 18 year old chick would put half-nude pics on myspace. whore alert."
arutncbt.cn - "wow her brother is gonna be so pissed when he sees the pictures she put on her myspace"
125723.cn - "Did you hear what happened Omg you gotta see the profile.. So sad!"
109820.cn - "sometimes i just cannot believe the pics that people put on their myspaces LMAO!"

The campaign is surprisingly well thought out. If they were spamming the phishing URLs, security vendors would have picked it up immediately and its lifetime would have been much shorter than its current one. The phishers aren't sending emails asking people to log in to MySpace via profile.myspace.com.random_digits.cn, for instance; instead they're spamming inside MySpace by posting comments prompting users to click further, using the phrase "haha i cant believe we went to high school with this girl". It gets even more interesting: compared to the common logic of them having to register fake accounts and post the comments using them, in this case the three sample comments posted on Nov 2 2007 11:22 AM; Nov 4 2007 1:02 PM; Nov 5 2007 8:47 AM; Nov 5 2007 9:33 PM are all posted by legitimate users, well, from legitimate users' accounts in this case. How huge is this? Over 378,000 results for the campaign under this phrase, keeping in mind that people embed their MySpace profiles at their own domains, and 128,000 instances of a sample phishing domain (370913.cn) at MySpace.com itself. This is for one of the phishing domains only.

Now if that's not enough to disturb you, each and every one of the .cn domains resolves to what look like U.S.-based hosts only, which change every 3 minutes. Not necessarily as dynamic as previously discussed fast-flux networks, but these are worth keeping an eye on :

107882.cn
978bg33.cn

Here are some central DNS servers that all the .cn domains use :

ns4.6309a46.com
ns1.52352a0c60a9c29.com
ns3.926817a885d86e1.com
ns2.terimadisirida.net

I'll leave the data mining based on these patterns to you. What's important is that the URLs are still serving spoofed MySpace front pages, with the only downside that they cannot successfully load MySpace's videos, and don't provide any SSL authentication, which I doubt has prevented many people from falling victim to it.

Does all the data lead us to conclude that this could be the most "creative phishing campaign of the year"? Let's have it offline first.

The "New Media" Malware Gang

November 18, 2007
Since Possibility Media's Malware Fiasco, I've been successfully tracking the group behind the malware embedded attack at each and every online publication of Possibility Media. Successfully tracking mostly because of their lack of interest in putting any effort into making themselves harder to trace back, namely, maintaining a static web presence, but one with a diversifying set of malware and exploits used. Possibility Media's main IFRAME used was 208.72.168.176/e-Sr1pt2210/index.php, and at 208.72.168.176 we have a great deal of parked domains in standby mode such as :


However, the latest IPs and domains related to the group are dispersed on different netblocks and are actively serving malware through exploit URLs :

78.109.16.242/us3/index.php
x-victory.ru/forum/index.php (85.255.114.170)
asechka.cn/traff/out.php (78.109.18.154)
trafika.info/stools/index.php (203.223.159.92)

What's so special about this group? It's the connection with the Russian Business Network. As I've already pointed out, the malware attack behind Possibility Media's publications was using IPs rented on behalf of RBN customers from their old netblock; here are two such examples of RBN IPs used by this group as well :

81.95.149.236/us3/index.php
81.95.148.162/e202/

In case you also remember, some of this group's URLs were also used as a communication vehicle with a downloader that was hosted on an RBN IP, that very same RBN IP that was behind Bank of India's main IFRAME. Now that's a mutually beneficial malicious ecosystem for both sides. Here are more comments on other ecosystems.

But of Course I'm Infected With Spyware

November 18, 2007
Remember those old school fake hard drive erasers where a status bar that's basically doing a directory listing is shown, and HDD activity is simulated so that the end user gets the false feeling of witnessing the process? Fake anti spyware and anti virus software, like the ones courtesy of the now fast-moving RBN, have been using this tactic for a while, adding an additional layer of social engineering tricks by obtaining the PC's details with simple JavaScript. The folks behind online-scan.com; spyware.online-scan.com; antivirus.online-scan.com own a far more deceptive domain name compared to RBN's ones. In fact, even an anti virus vendor could envy them for not picking it up earlier and integrating it in an upcoming marketing campaign or service to come. SpywareSoftStop's statements :

"At present the Internet is stuffed with viruses of any kind. Every PC is at risk and most probably IS infected. Anti-viruses can detect viruses only, but spyware, installed surreptitiously on a PC without the user's informed consent, is modified each day and solely particularized software can help to detect and remove it. However, a spyware program is rarely alone on a computer: an affected machine can rapidly be infected by many other components. In some infections, the spyware is not even evident; moreover, some types of spyware disable software firewalls and anti-virus software, and/or reduce browser security settings, thus opening the system to further opportunistic infections, much like an immune deficiency disease. Right now your system is going to be scanned and spyware, if any, will be detected."

The name servers preved.spywaresoftstop-support.com and medved.spywaresoftstop-support.com serve : spywaresoftstop.com; spywaresoftstop-cash.com; spywaresoftstop-support.com. The popup at online-scan.com, which is now returning a 404 error for ldr.exe (downloadfilesldr.com/download/2/ldr.exe), will even appear if you try to close the window while your PC is "being scanned". What's ldr.exe? It's the default output of the Pinch DIY malware kit.

Lonely Polina's Secret

November 16, 2007
Just as I've been monitoring lots of spam that's using Geocities redirectors, yesterday Nicholas posted some details on a malware campaign using Geocities pages as redirectors, and Roderick Ordonez acknowledged the same. Original Geocities URLs used : geocities.com/MediciChavez7861 (active) ; geocities.com/IliseNkrumah2 (down) ; geocities.com/GounodNanon5 (down). Original message of the spam campaign (written in broken German, translated here) :

"Hello! My name is Polina. I am a student and I have come to Germany to study. I am looking for a friend and a sex partner. All I want is a good man. You should be serious, confident, smart. Let me know if you want to meet me. You can also simply be my friend. You can see my photos on my page: geocities.com/MediciChavez7861 PLEASE, ONLY SERIOUS proposals. KISSES, POLINA"

The fake lonely German student Polina was also accessible from other URLs - ThePagesBargain.ru/polina; dibopservice.com, both now down, as well as the main 58.65.238.36/polina URL, which is forwarding to baby.com in an attempt to cover up the campaign -- you wish. Internal pages within the IP are still accessible - 58.65.238.36/index2_files/index3.htm; 58.65.238.36/index2_files/index.htm, and so is the malware itself - 58.65.238.36/iPIX-install.exe.

Malware campaigners are not just setting objectives and achieving them, they're also evaluating the results and drawing conclusions on how to improve the next campaign. Back in January, 2006, I emphasized the emerging trend of localization in respect to malware; take for instance the release of a trojan in open source form so that hacking groups from different countries could localize it by translating it to their native language and making it even easier to use, as well as the localization of the MPack and IcePack malware kits to Chinese. In this campaign, a localized URL targeting Dutch speaking visitors was also available at 58.65.238.36/polinanl, so you have German and Dutch languages included, and as we've seen, the ongoing consolidation of malware authors and spammers serves both sides well: spammers will on one hand segment all the German and Dutch emails, and the malware authors will mass mail using localized message templates. Great social engineering abusing a common stereotype: German users, for instance, were definitely flooded with English messages courtesy of Storm Worm targeting U.S. citizens, which is like a Chinese user receiving a phishing email from the Royal Bank of Scotland - it's obvious both of these are easy to detect. That is what localization is all about: the malware and spam speak your local language. One downside of this campaign is that Polina doesn't really look like a lonely German student; in fact she's a model and these are some of her portfolio shots.

Let's discuss how the malware campaigners are coming up with these Geocities accounts in the first place. Are the people behind the campaign manually registering them, outsourcing the registration process to someone else, or directly breaking the CAPTCHA? It could be even worse - they may be buying already registered Geocities accounts from another group that specializes in registering these, a group which, like the previously covered concept of Proprietary Malware Tools, is earning revenues based on higher profit margins given they don't distribute the product, but provide the service, thereby keeping the automatic registration know-how to themselves. Once the authentication details are known, anything from blackhat SEO, direct spamming and malware hosting to embedding such scripts, even IFRAMEs, can proceed in a fully automated fashion.

Meanwhile, what are the chances there's another scammy ecosystem on the same netblock? But of course: vaichoau.com fake watches, pimpmovie.net malware C&C, urolicali.com.cn spammers, westernunion.reg-login.com a phishing URL.

First Person Shooter Anti-Malware Game

November 15, 2007
Just when you think you've seen everything "evil marketers" can come up with to influence, both consciously and subconsciously, your purchasing behaviour and improve the favorability scale towards a company - you can still get surprised. After a decent example of the DIY marketing concept, Microsoft's perception of security as a "threat from outer space", an example of rebranding a security vendor, and the Invisible Burglar game, here comes another good example of new media marketing practice - while some companies seek to embed their logos into popular games, others are coming up with games of their own. Symantec's Endpoint Protection Game - a first person shooter where the typical mutated creatures are replaced with viruses, spyware and rootkits - is what I'm blogging about :

"Your task is to simply save your global network from viruses, worms, and a hideous host of online threats that are poised to take your IT infrastructure down."

Eye catching trailer as well. Such marketing campaigns can have a huge educational potential if they're, for instance, customized for a specific security awareness program module.

Cyber Jihadist Blogs Switching Locations Again

November 15, 2007
Having had their blogs removed from Wordpress in a coordinated shutdown operation courtesy of the wisdom of the anti cyber jihadist crowd, The Ignored Puzzle Pieces of Knowledge and The Caravan of Martyrs have switched location to these URLs - inshallahshaheed.muslimpad.com; inshallahshaheed.acbox.com; caravanofmartyrs.muslimpad.com; ignoredknowledge.blogspot.com. Apparently there's an ongoing migration of cyber jihadist blogs from Wordpress to Muslimpad, presumably with the idea of increasing the time from a TOS abuse letter to shutdown, if a shutdown ever occurs, given Muslimpad is significantly biased against removing communities positioned as "free speech", since its hosting provider is islamicnetwork.com. Should such propaganda be tolerated? This is where the different mandates of anti cyber jihadist organizations across the world contradict each other. Some have a mandate to shut down such blogs and sites as soon as they come across them, others have a mandate to monitor and analyze these to keep pace with emerging threats in the form of real-time intelligence, and in the near future other participants will have a mandate to infect such communities with malware ultimately targeting the cyber jihadists behind them or the visitors themselves.

The bottom line - the propaganda in the form of a step-by-step video of an attack in question is a direct violation of their operational security (OPSEC), thereby providing the world's intelligence community with raw data on their warfare tactics. The propaganda's trade-off is similar to that of the Dark Cyber Jihadist Web: while you may want to reach as many future recruits and "converts" as possible, you increase the chance of an intelligence analyst coming across your community, compared to closing it down to sorted and trustworthy individuals and therefore limiting the number of potential future jihadists. Inshallahshaheed is, however, going for mass marketing at full speed, and in fact maintains a modest repository of videos at inshallahshaheed.vodpod.com. By the way, what's the difference between wishful thinking and thought crime? It's a threat that proves there's a positive ROI on your actions.

Related posts :
GIMF Switching Blogs
GIMF Now Permanently Shut Down
GIMF - "We Will Remain"