Archive for the ‘Social networking spam’ Category

Facebook and fake video

Friday, October 16th, 2009

First I noticed a friend had added a video to my wall. It didn’t look like his usual stuff - being Scandinavian, he rarely posts in English, and he wouldn’t use slang. So I thought, hmmm…

[Image: fake video on facebook]

Of course, I should have noticed that there was no play button on there, but that could have been faked too, so that’s no guarantee!

Next I notice this status update on his profile:

Got a video in my inbox called “Woww! Is thaat reallyy you in that viideo?” Do not click on it. It is a computer virus. And it does not come from me.

I told him immediately that he could track where that “video” had been posted by following the small links on his profile, and he could remove them from other people’s profiles, since “he” had posted them. I suggest others do that as well, if it happens to you!

Then I check the code on the page. There’s a script that’s so convoluted I don’t bother figuring it out (and my antivirus blocks the page as dangerous anyway), but I did note this:

[Image: list of social networking sites in script]

I do however notice a list of IP numbers in the next table, just slightly obfuscated. One of those gives me (in a text browser) a page that includes the words: Video | Facebook. And there’s also a file, setup.exe, which is loaded on document.onclick and document.onkeydown.

I also notice an address that seems to be loaded when you leave the page, going to an affiliate id 02979 at mexcleaner.in. That page includes this sentence:

Your computer is stongly infected by viruses! ‘ It can cause data loss and file damages and need to be cured as soon as possible

It then gives a bogus list of infections, along with a solution:

Affiliate ID 02979 at downloadmasters.org

A report on Siteadvisor from two days ago implicates that site as directing to a Trojan.

———-

Update: Messages similar to those used with these fake videos have been known for a while on Twitter, and back then it was the Koobface trojan that was pushed. Here’s what Kee Heritage has to say about this.

A friend who got stung by this said she never clicked on any fake video, so she doesn’t understand how she got it. She has Panda antivirus on her computer, and the scan came up empty. TrendMicro however tends to block most of the pages used in this attack.

Update October 30:

From what I’ve seen of the fake videos, this TrendMicro writeup about Koobface looks very familiar - the addresses last used were blogspot addresses.

————

Sorry I’ve been incommunicado for so long. I figured I’d shift this blog over to the stuff I’m blogging about here, and so far this was the first thing that really got me going enough to divert from all the other stuff I’m doing. Sorry..

Facebook viral group spam

Tuesday, March 10th, 2009

Spammers appear to have set their sights on Facebook for spamming purposes. But since outgoing links have rel nofollow, it’s no good for Googlejuice. So let’s examine an actual example of a group set up for spam purposes:

http://www.facebook.com/group.php?gid=56828903531

It’s a group touting something called ProfileLock. Problem is, there’s no such thing. It’s just a clever second attempt at hawking wares (in this case, it’s a SEO firm).

The website associated with the group is called GoogleMarketing101.com. Normally variations on Google are not owned by Google, so I checked. The address was in Florida, in an area where spammers abound. I checked the name, the address and the domain name. The owner has talked about Facebook and SEO before. And he’s also made a Facebook group before, only it didn’t do so well: http://www.facebook.com/pages/Google-Marketing-101/46023747363

So what does he do? He capitalizes on the paranoia of people who have lost their profiles before due to some infraction or other. And the guy who sent the invitation to me DID lose his profile once. THAT’s where viral comes into the picture. People are gullible, and join because they have a need. What they don’t realize is that this is just a ploy to get people to click on the link, which is what it’s actually about.

This particular group promises that if you post the name on your Facebook profile along with your ID number, you will lock it in. It’s a scam. That group is very likely to disappear. You’re better off saving that data on your computer somewhere.

I’m sure Joel wouldn’t consider himself a spammer. After all, he doesn’t send out invitations to this group himself, he tricks his friends into doing it. Yes, I have a friend in common with this guy. So I’m not so much saying he’s a spammer as I’m saying this group is a scam, and I’m lumping the attempt in with other stuff I see on the web that I consider “spammy”.

MyDailyFlog sends deceptive invites

Saturday, December 20th, 2008

There’s a guy in my “network” who keeps on joining one network after another. And he always sends me invitations. They go straight in the “half spam” bucket.

The latest invitation piqued my curiosity. It was from mydailyflog.com, and it said:

Hi!
I would like to invite you to visit MyDailyFlog and see my latest photos.

And then the link, which was in this format:

http://www.mydailyflog.com/go/invite_register/randomusername/somenumber

Hmm, this doesn’t look to me like the link to a post with his latest photos? Because if he was sending me an invitation to view his latest photos, I’d be inclined to go check them out. But invite_register? That sounds awfully like fanbox behavior. How do I know they won’t create a profile for me just from that link? I had to test it, but not with my own e-mail address - I don’t want to encourage them to keep spamming me, so I find a random invitation in Google (yes I know, it’s ethically questionable, but Google has followed a bunch of those already, so…).

And yes, they have the e-mail address filled out, and are just waiting for my password.

Oh, and he has no photos at all yet, so this wasn’t a specific invitation to me, which I wouldn’t mind - for specific photos he manually invited me to see, but an attempt to get me to sign up.

I also checked the Terms of Service, and they state among other things that:

…You are solely responsible for any use of or action taken under your password on the Site. Your password may be used only to post Posted Content, review information regarding potential and completed transactions and otherwise access and use the Site and Services in accordance with these Terms and Conditions…. …You accept full responsibility for all transactions and other activity placed or conducted through your account and agree to and hereby release MyDailyFlog from any and all liability concerning such transactions or activity….

There’s just one problem with that… The e-mail I received was not sent by my friend, but by the dailyflog system - which means he either expressly gave them my address, or gave them access to his address book, presumably by giving them his webmail password.

So… Dailyflog sends out invitations, and you’re responsible. Now, why does that sound familiar?

Update: Very funny, I now got an invitation with a link identical to the one I put into this blog post. Serves me right for including the number at the end, which was identical to the number on the first invitation I got. So it’s possible that the number identifies a specific e-mail address regardless of who the “inviter” is?

Youtube subscriber profile spam

Monday, February 25th, 2008

I just noticed a new subscriber on my Youtube profile. So I checked it out, because I didn’t know the nick. I guess most that don’t have several hundred subscribers would do that, right?

This chick, that has a very sexy sounding nick, had 4,691 channel views and no videos. She joined February 22. So something’s up, right?

Right.

There’s a URL there. The only thing of interest on her profile. And this text:

yo ive got some pics on my profile at the link below
The link goes to xxfacebook.com, registered February 12, which is owned by

NA
Leah (support4242@yahoo.com)
+1.6502015463
Fax: +1.6502015466
3725 Blackburn st.
Dallas, P 75219
US

Sounds fake, right? Doesn’t even look like the e-mail address is legit. The phone number is apparently a cell phone number from California (Sprint PCS).
IP is: 209.200.16.122 (on webair)
But it just does a few 302 redirects, and ends up with an affiliate link to a classifieds site. Guess what kind..

When I search for the domain the spammer used, I find loads of profiles on Youtube, all with similar sounding names. This spammer has been very busy!

Most of the domains on the IP number are old (registered 2006) and don’t have many hits in search engines. But one has been used for similar looking spam on Myspace: matchmetonight.com. Check out the profile it’s used on: profile.myspace.com/35499848

It’s entered in the “Who I’d Like To Meet” field, and made invisible. The URL enters a loop of 302 redirects and goes nowhere.

provingsciencewrong.com is interesting. It’s a blog largely consisting of videos from Lonelygirl15. I’m sure you guys remember that whole thing, right? In other words: Stolen content, and unapologetically so.

webcamdaily.com is youtube and hi5 spam, but is also an old domain. webcamtag.com is used for hi5 spam. webcamwild.com is for myspace and regular forum spam.

All the old domains have whois protection, but I’m guessing there are lots of newer domains that don’t. The spammer probably figured out it’s too expensive, and fake info works just as well.
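The 302 chains described in this post (one ending at an affiliate link, one looping forever) can be traced hop by hop without rendering anything. This is an added example, not code from the original post; the function names, the placeholder hosts and the sample responses are assumptions made for illustration.

```python
import http.client
from urllib.parse import urljoin, urlsplit

REDIRECTS = {301, 302, 303, 307, 308}

def fetch_hop(url, timeout=5):
    """One request, no auto-follow; the body is never read or rendered."""
    p = urlsplit(url)
    https = p.scheme == "https"
    cls = http.client.HTTPSConnection if https else http.client.HTTPConnection
    conn = cls(p.netloc, timeout=timeout)
    try:
        conn.request("GET", (p.path or "/") + ("?" + p.query if p.query else ""))
        resp = conn.getresponse()
        return resp.status, resp.getheader("Location")
    finally:
        conn.close()

def trace(url, fetch=fetch_hop, max_hops=10):
    """Return (hops, verdict); verdict is 'final', 'loop' or 'too-many-hops'."""
    hops, seen = [], set()
    while len(hops) < max_hops:
        if url in seen:                      # already visited: redirect loop
            return hops, "loop"
        seen.add(url)
        status, location = fetch(url)
        hops.append((status, url))
        if status not in REDIRECTS or not location:
            return hops, "final"
        url = urljoin(url, location)         # Location may be relative
    return hops, "too-many-hops"

def hosts_crossed(hops):
    """Distinct hostnames in visit order: shows where a chain leaves the first site."""
    out = []
    for _, u in hops:
        host = urlsplit(u).hostname
        if host not in out:
            out.append(host)
    return out

# Constructed sample responses on placeholder hosts, so the example runs offline.
SAMPLE = {
    "http://profile-link.example/": (302, "/go"),
    "http://profile-link.example/go": (302, "http://classifieds.example/?aff=00000"),
    "http://classifieds.example/?aff=00000": (200, None),
    "http://loop.example/a": (302, "/b"),
    "http://loop.example/b": (302, "/a"),
}

def sample_fetch(url):
    return SAMPLE[url]

if __name__ == "__main__":
    for start in ("http://profile-link.example/", "http://loop.example/a"):
        hops, verdict = trace(start, sample_fetch)
        print(start, verdict, hosts_crossed(hops), hops)
```

Passing `fetch_hop` (the default) instead of `sample_fetch` traces a live URL from an isolated analysis machine.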

Looking for holes on Myspace

Sunday, January 13th, 2008

Apparently, the spammers haven’t stopped looking for holes to exploit on myspace. I kept getting e-mails about “Tom” wanting to be my friend, but never saw a friend request waiting for me, so I wondered what that was about. I pondered that the name was pretty close to the Tom we all know - the one who’s everybody’s first friend.

Then I refreshed my home page, and saw there was another friend request just after I’d gotten through the list of existing ones - yep, it was Tom again.

And it was a porn spammer. I moved the mouse pointer over the profile, to see if there were any surprises, and found that the “about me” blurb was hyperlinked. Normally, any hyperlinks these days go to msplinks.com. Myspace substitutes any links going to outside sites, so that they can turn off links if they find they go to places they don’t like. But here was one place that seemed to have gotten past their substitution filters. So I checked it out. Here’s what they’d done:

[Image: myspace spaces]

I guess the real Tom needs to update his filters!

And it also shows you shouldn’t trust myspace even now that they’re fighting spam a lot better. I was able to mark that friend request as spam right away - kudos to Myspace for that!

The website was registered to

Galam, Ali adamfaraz@gmail.com
4415 St. Michaels Court
Sugar Land, Texas 77479
United States
(512) 772-4659

That’s a real address, BTW, but the phone number is a land line from Bastrop, Texas, and it’s WAY too far from Sugar Land to be the same exchange. Bastrop is closer to Austin, and Sugar Land is closer to Austin.

There’s no Ali Galam in Texas (that I can find), and no Adam Faraz.

The website is hosted at The Planet (DNS servers from Hostgator), and does a 301 redirect to an affiliate site with whois pointing to Jamaica.

Update: Looks like the spammers have discovered this hole en masse. I just noticed stalkertrack is back.

Fake myspace video comment

Tuesday, December 4th, 2007

I got a comment for approval on my Myspace profile. It was posted today.

The video looked like it might contain porn. I wouldn’t approve that, but I thought, what if I’m wrong? I mean, few of the visitors to my profile would be stupid enough to post a porn video to it, and certainly not the gentleman who posted it.

So I clicked on it. It loaded normally at first, and then I noticed the page got dark, and up popped a message from Myspace Firefox saying it’s a “Suspected Web Forgery”.

[Image: Screen capture]

Looking at it more closely, it’s pretty obvious. The URL contains Myspace in it - misspelled, and a few more letters, and it’s asking me to log in - a page that looks completely like a real Myspace page.

Clicking on “Get me out of here!” took me to Google.

But the guy who sent me that comment obviously got hacked, so somehow, the bad guys got past his defenses.

The whois and hosting is in China.

Abuse of Myspace HTML

Monday, June 25th, 2007

I wondered what the heck this was about. Had myself half convinced it was a Firefox issue, then saw the same behavior in IE. Check out this Myspace profile: April. The only thing on there that points anywhere is the “view” on the extra music player.
The whole profile is obscured by an image from toironorfold.com, which is owned by the band Making April, which also has a Myspace profile. Even the domain name points to the myspace profile. They have an amazing number of friends.

I don’t know what the heck the point is, but I don’t like being played.

Whatever their point is, they’re misusing the system.

Yep, I know I sound like a spoil sport…

Myspace spam profiles

Saturday, June 9th, 2007

I maintain a “sleeper profile” on myspace for a friend of mine, who’s a guy. It’s not yet in use, except for sending the occasional message.

Today I got a friend request from Edda, who had a Gorilla for a profile picture. I checked the profile out, thinking it was legit.

At first it looked unremarkable - she had 16 friends. But then a gif file loaded, saying she’d moved her profile to Adultfriendfinder.

The file was on Photobucket (see here), but was served through a 302 redirect from this domain:

synchrism.info

The image links to that website as well. The domain was registered yesterday, and although it worked a few hours ago, by now it only serves up a socket error. I didn’t have a look at the website when I first found this, and the whois data is protected.

Either way, this is spam, pure and simple.

Tom just announced that they’d employed solutions against the spam on myspace a few days ago, but this might be rather hard to fight against. I’m sure other guys have seen it before, but since I’m female, and that profile is rather hard to find, this was my first time to see the “fake myspace profile”. And get this, she had 17 friends now, so people are unfortunately falling for this.

Well, in case the spammers read this, here’s another report (from Tom), about the legal success Myspace has in fighting spammers.

Clueless reply from Myspace about hacking

Monday, April 23rd, 2007

I contacted Myspace April 13th with this text:

This guy has fake login code on his profile:
(link to the profile I was talking about)

I’ve contacted him multiple times about it, and he doesn’t care.

Today I got this response from Myspace UK:

Thank you for contacting MySpace Customer Support.

The issue seems to be resolved now. If you are still experiencing difficulties please reply to this e-mail.

Sincerely,

MySpace

I then immediately checked the profile in question. No change. Still got fake logins all over it, so I sent this as a reply:

He’s still got rogue code on his profile. Like I said, he doesn’t care.

My beef right now is with that particular Myspace employee for not even recognizing a profile with fake login code on it.

Hey, maybe *I* should work for them? At least I can recognize bad code when I see it?

BTW, that was his profile I analyzed in the Anatomy of a hacked myspace page post.

Websitewelcome abuse address not working

Saturday, April 21st, 2007

I sent an abuse complaint to websitewelcome.com, about two domains involved in myspace bulletin spam. The domains were:

playdate-fun.com
marketing-dept-v.com

This is what I got in response:

This message was created automatically by mail delivery software.

A message that you sent could not be delivered to one or more of its
recipients. This is a permanent error. The following address(es) failed:

abuse@websitewelcome.com
retry timeout exceeded