« Myspace spam and obfuscation
Opportunistic placement of layout generator link »

Anatomy of a hacked myspace page

I’ve been talking to a guy who kept getting his password stolen. I thought I’d break down what happened to him.

I noticed his profile had sent out an excessive number of bulletins, so I went to his profile to ask him to remove them. And when I tried to click on “send message”, nothing happened. Hmmm, looking at the bottom of the browser window - under my mouse pointer was ezoff4.net. I checked it, and it redirects (302) to logintonyspaices.com/high.

Image to big to fit into blog, click here to see it.
That link is under the whole section with his photos and the panel with contact options. And under the “home” link at the top. But if you try to click on one of the links to the right of “home”, you get another link. And this time it’s a myspace link, with a standard (URL exploit) redirect at the end, to:

a51271a26.com

And that site has a (302) redirect to a long URL. It’s got all the myspace junk you expect, except there are no / until the very end, and at the very end you again find a51271a26.com.

That one would probably fool quite a few less savvy surfers (which means most myspace users, apparently).

The link is actually under an image covering the Myspace links.

There’s even one more redirect hidden somewhere (haven’t found the location of the link yet): profile121.com. Same procedure as the really long myspace lookalike URL.

All these bogus links are under this image, with size set to extra large: x.myspace.com/images/clear.gif

Here’s the code the bad guys inserted:

fakemyspace2

More on hacked myspage passwords here:

http://spamhuntress.com/2007/03/17/how-your-myspace-got-hacked/

This entry was posted on Friday, March 23rd, 2007 at 6:29 am and is filed under Social networking spam. You can follow any responses to this entry through the RSS 2.0 feed. You can leave a response, or trackback from your own site.

16 Responses to “Anatomy of a hacked myspace page”

  1. Forseti Says:
    March 23rd, 2007 at 10:59 pm

    This scheme is discussed in somewhat greater detail here: http://blog.spamtrackers.eu/post/2007/03/19/MySpace-Phishing-Schemes

    Indeed, this is a very common MySpace phishing scheme that is being seen increasingly often.

  2. i hate spam Says:
    March 24th, 2007 at 9:10 pm

    I have found IE version 7 on the page down VIEW WEB SOURCE to be a much better tool than trying to be Super eyes counting the amount of hacked address(s) on the bottom left hand corner. It shows every address in the websource, finally a tool for surfing that shows the hackers.

  3. Forseti Says:
    March 26th, 2007 at 9:58 pm

    Safari has done this for a while: (I have a copy of one such log here http://www.spamtrackers.eu/refdocs/phishlogin2.txt ).

    Really, using any version of Internet Explorer (or windows) is going to instantly make you more vulnerable to all sorts of problems. If you are a Windows user, I suggest you stick with firefox for safety reasons.

  4. Thea-marie Says:
    March 31st, 2007 at 2:40 pm

    Where can i report e-mail scam? website adress please

  5. Forseti Says:
    April 2nd, 2007 at 10:02 pm

    The first step is to identify where the spam has come from by looking at the mail’s full header (http://spamtrackers.eu/wiki/index.php?title=Headers), and then identify the registrar responsible for the domain.

    Spamhuntress has a page about this in her wiki here: http://spamhuntress.com/wiki/Where_to_report

    Otherwise, you can report the spam to organizations like Spamcop (http://www.spamcop.net/), though this is far less effective than a personalized complaint directly to the registrar.

  6. Allison Berry Says:
    April 4th, 2007 at 7:21 pm

    I was recently hacked - I hope I have fixed the situation… My friends were getting nasty comments from me and I do believe I logged in to one of those fake log-in boxes. While I was sending personal apology messages ( I don’t have many friends luckily ) I was looking at the comments that were left by this hacker. On one profile next to the nasty comment was this

  7. admin Says:
    April 5th, 2007 at 7:52 am

    I think the blog software ate what Allison was trying to write. Basically, the spammer commented on her friends’ profiles, using this word (take out the asterisks): a*s*s*h*o*l*e*.*.*.

  8. Bianca Says:
    April 17th, 2007 at 11:09 am

    I got hacked and the clear.gif is in front of my actual profile not allowing people to add me as a friend, send me messages or view my pics… is there anyway to delete that “block” from in front of my contact table? please let me know- it’d be much appreciated.

    Moderator: E-mail address removed by moderator. It would be enough to give us your myspace address. We’d be able to figure it out.

  9. Hamish Says:
    April 19th, 2007 at 6:17 am

    *sigh* - yet another reason why MySpace is the lowest form of website.

    It’s frustrating that such a poorly designed engine is so popular.

  10. Jamie Says:
    May 11th, 2007 at 3:22 am

    Yup, we were hacked too.
    Our band, as well as every other artist, is forced to use myspace.
    The “industry” looks at a band/artist myspace as part of their normal analysis of a band’s success.
    I’d rather use a secure forum with many customizable user features than myspace, but we are stuck maintaining a faulty system.
    Have you ever tried searching a friend in your own, (ahem), database?
    Hey, at least we are all unified as one through myspace, because we are all getting screwed.
    Peace, brothers and sisters.

  11. Mads Dam Says:
    May 27th, 2007 at 5:32 pm

    Thea-marie asked: “Where can i report e-mail scam? website adress please”

    I could recommend www.siteadvisor.com or www.phishtank.com

  12. Andy Says:
    July 21st, 2007 at 7:06 am

    There is a myspace clone site going around and also a fake myspace log-in page. I guess these can be used to fool a user to sign in using them. Then their username and pass are logged. :-(

  13. cayleyyy Says:
    July 30th, 2007 at 2:49 pm

    i have an image [http://x.myspace.com/images/clear.gif] in my networking section of myspace, so if i click it it brings me to the hacker’s website. is there any way for me to take the code out?

    thanks!

  14. britnesha winslow Says:
    November 6th, 2007 at 5:02 pm

    my myspace page is lock and i don’t know unlock my page someone keeps going with me knowing about it

  15. diana n Says:
    December 11th, 2007 at 3:10 am

    I have a question, someone I know is consistently getting their page hacked by a certain someone (who, I don’t know) in means of revenge, is there anyway to find out whose i.p. addressee other than the owner of the page that is logging on to the account? And any means to prevent it. They changed their e-mail, their password, etc. they just want to find out who keeps logging on to their page.

  16. admin Says:
    December 11th, 2007 at 6:38 am

    It’s not possible to see who’s logged in. But if you put an image on the page that you get from somewhere else - somewhere you have access to raw logs, and IF they access the About you part of the profile while logged on, you should be able to see it in the logs, as long as they have referrers enabled in their browser.

Leave a Reply