Archive for June, 2007

Beware of hacked sites

Saturday, June 30th, 2007

Someone e-mailed me an example of a hacked site (the hack is currently offline, with the hacked version set up on a hidden page for me to check).

Update: Lots of homepages affected. Check this Google search.

It was the homepage of the company that was hacked, with a few links added at the bottom. In addition to those two visible links, there are some hidden links that are identical to the links you’ll find if you follow the .txt links. The links are only visible if you check the source code, so I believe the .txt files are meant as includes in the hacked PHP file.

The first link is: buybeer4me.info/scr/18.txt

It’s got some obfuscated JavaScript that actually points to the second link:

bestrezult.com/scr/1.txt

The links in that document point to another hacked site:

dinuba.ca.gov/minutes/agendas/.~ss/

When I loaded one of the pages referenced in the spam, I got this. Keep in mind that I had images disabled, so the page might look somewhat …different in reality:

[Screenshot: nmextensions]

It’s obviously malicious, and I found a post referring to the site it’s loaded from:

mvsps
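For site owners who want to check their own pages for the pattern described in this post (off-site links that only show up in the source, plus references to external .txt files), here is an added example that is not part of the original post. It assumes the links are hidden with inline CSS (`display:none` or `visibility:hidden`), which the post does not state; the class name, host names and sample HTML are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse
import re

# Assumption: links are hidden with inline CSS; the post does not say how.
HIDDEN = re.compile(r"display\s*:\s*none|visibility\s*:\s*hidden", re.I)
VOID = {"area", "base", "br", "col", "embed", "hr", "img", "input",
        "link", "meta", "source", "track", "wbr"}

class HiddenLinkAuditor(HTMLParser):
    """Flags off-site URLs inside hidden elements and off-site .txt references."""
    def __init__(self, own_host):
        super().__init__()
        self.own_host = own_host.lower()
        self.stack = []      # (tag, hides_content) for every open element
        self.findings = []   # (reason, url)

    def off_site(self, url):
        host = (urlparse(url).hostname or "").lower()  # relative URLs have no host
        return bool(host) and host != self.own_host \
            and not host.endswith("." + self.own_host)

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        hidden = bool(HIDDEN.search(a.get("style") or ""))
        url = a.get("href") or a.get("src")
        if url and self.off_site(url):
            if hidden or any(h for _, h in self.stack):
                self.findings.append(("hidden off-site link", url))
            elif urlparse(url).path.lower().endswith(".txt"):
                self.findings.append(("off-site .txt reference", url))
        if tag not in VOID:
            self.stack.append((tag, hidden))

    def handle_endtag(self, tag):
        names = [t for t, _ in self.stack]
        if tag in names:  # tolerate unclosed tags: pop back to the nearest match
            del self.stack[len(names) - 1 - names[::-1].index(tag):]

def audit(html, own_host):
    parser = HiddenLinkAuditor(own_host)
    parser.feed(html)
    return parser.findings

# Constructed sample page: one normal partner link, one visible .txt link,
# and two links inside a hidden block.
SAMPLE = """<html><body>
<p>Welcome to <a href="http://www.victim.example/about">our company</a></p>
<a href="http://partner.example/">Partner</a>
<a href="http://spam.example/scr/18.txt">x</a>
<div style="display:none"><a href="http://spam.example/pills">pills</a>
<a href="http://spam.example/more">more</a></div>
</body></html>"""
```

Links hidden through an external stylesheet or script will not be caught by this check, so comparing the served page against a known-good copy is still worthwhile.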

Abuse of Myspace HTML

Monday, June 25th, 2007

I wondered what the heck this was about. Had myself half convinced it was a Firefox issue, then saw the same behavior in IE. Check out this Myspace profile: April. The only thing on there that points anywhere is the “view” on the extra music player.
The whole profile is obscured by an image from toironorfold.com, which is owned by the band Making April, which also has a Myspace profile. Even the domain name points to the myspace profile. They have an amazing number of friends.

I don’t know what the heck the point is, but I don’t like being played.

Whatever their point is, they’re misusing the system.

Yep, I know I sound like a spoil sport…

Myspace spam profiles

Saturday, June 9th, 2007

I maintain a “sleeper profile” on Myspace for a friend of mine, who’s a guy. It’s not yet in use, except for sending the occasional message.

Today I got a friend request from Edda, who had a Gorilla for a profile picture. I checked the profile out, thinking it was legit.

At first it looked unremarkable - she had 16 friends. But then a gif file loaded, saying she’d moved her profile to Adultfriendfinder.

The file was on Photobucket (see here), but was served through a 302 redirect from this domain:

synchrism.info

The image links to that website as well. The domain was registered yesterday, and although it worked a few hours ago, by now it only serves up a socket error. I didn’t have a look at the website when I first found this, and the whois data is protected.

Either way, this is spam, pure and simple.

Tom just announced that they’d employed solutions against the spam on Myspace a few days ago, but this might be rather hard to fight against. I’m sure other guys have seen it before, but since I’m female, and that profile is rather hard to find, this was my first time seeing the “fake Myspace profile”. And get this, she had 17 friends now, so people are unfortunately falling for this.

Well, in case the spammers read this, here’s another report (from Tom), about the legal success Myspace has in fighting spammers.