Archive for the 'Social networking spam' Category

Youtube subscriber profile spam

Monday, February 25th, 2008

I just noticed a new subscriber on my Youtube profile. So I checked it out, because I didn’t know the nick. I guess most that don’t have several hundred subscribers would do that, right?

This chick, that has a very sexy sounding nick, had 4,691 channel views and no videos. She joined February 22. So something’s up, right?

Right.

There’s a URL there. The only thing of interest on her profile. And this text:

yo ive got some pics on my profile at the link below
The link goes to xxfacebook.com, registered February 12, which is owned by

NA
Leah (support4242@yahoo.com)
+1.6502015463
Fax: +1.6502015466
3725 Blackburn st.
Dallas, P 75219
US

Sounds fake, right? Doesn’t even look like the e-mail address is legit. The phone number is apparently a cell phone number from California (Sprint PCS).
IP is: 209.200.16.122 (on webair)
But it just does a few 302 redirects, and ends up with an affiliate link to a classifieds site. Guess what kind..

When I search for the domain the spammer used, I find loads of profiles on Youtube, all with similar sounding names. This spammer has been very busy!

Most of the domains on the IP number are old (registered 2006) and don’t have many hits in search engines. But one has been used for similar looking spam on Myspace: matchmetonight.com. Check out the profile it’s used on: profile.myspace.com/35499848

It’s entered in the “Who I’d Like To Meet” field, and made invisible. The URL enters a loop of 302 redirects and goes nowhere.

provingsciencewrong.com is interesting. It’s a blog largely consisting of videos from Lonelygirl15. I’m sure you guys remember that whole thing, right? In other words: Stolen content, and unapologetically so.

webcamdaily.com is youtube and hi5 spam, but is also an old domain. webcamtag.com is used for hi5 spam. webcamwild.com is for myspace and regular forum spam.

All the old domains have whois protection, but I’m guessing there are lots of newer domains that don’t. The spammer probably figured out it’s too expensive, and fake info works just as well.

Looking for holes on Myspace

Sunday, January 13th, 2008

Apparently, the spammers haven’t stopped looking for holes to exploit on myspace. I kept getting e-mails about “Tom” wanting to be my friend, but never saw a friend request waiting for me, so I wondered what that was about. I pondered that the name was pretty close to the Tom we all know - the one who’s everybody’s first friend.

Then I refreshed my home page, and saw there was another friend request just after I’d gotten through the list of existing ones - yep, it was Tom again.

And it was a porn spammer. I moved the mouse pointer over the profile, to see if there were any surprises, and found that the “about me” blurb was hyperlinked. Normally, any hyperlinks these days go to msplinks.com. Myspace substitutes any links going to outside sites, so that they can turn off links if they find they go to places they don’t like. But here was one place that seemed to have gotten past their substitution filters. So I checked it out. Here’s what they’d done:

[Image: myspace spaces]

I guess the real Tom needs to update his filters!

And it also shows you shouldn’t trust myspace even now that they’re fighting spam a lot better. I was able to mark that friend request as spam right away - kudos to Myspace for that!

The website was registered to

Galam, Ali adamfaraz@gmail.com
4415 St. Michaels Court
Sugar Land, Texas 77479
United States
(512) 772-4659

That’s a real address, BTW, but the phone number is a land line from Bastrop, Texas, and it’s WAY too far from Sugar Land to be the same exchange. Bastrop is closer to Austin, and Sugar Land is closer to Austin.

There’s no Ali Galam in Texas (that I can find), and no Adam Faraz.

The website is hosted at The Planet (DNS servers from Hostgator), and does a 301 redirect to an affiliate site with whois pointing to Jamaica.

Update: Looks like the spammers have discovered this hole en masse. I just noticed stalkertrack is back.

Fake myspace video comment

Tuesday, December 4th, 2007

I got a comment for approval on my Myspace profile. It was posted today.

The video looked like it might contain porn. I wouldn’t approve that, but I thought, what if I’m wrong? I mean, few of the visitors to my profile would be stupid enough to post a porn video to it, and certainly not the gentleman who posted it.

So I clicked on it. It loaded normally at first, and then I noticed the page got dark, and up popped a message from Firefox saying it’s a “Suspected Web Forgery”.

[Image: Screen capture]

Looking at it more closely, it’s pretty obvious. The URL contains Myspace in it - misspelled, and a few more letters, and it’s asking me to log in - a page that looks completely like a real Myspace page.

Clicking on “Get me out of here!” took me to Google.

But the guy who sent me that comment obviously got hacked, so somehow, the bad guys got past his defenses.

The whois and hosting is in China.

Abuse of Myspace HTML

Monday, June 25th, 2007

I wondered what the heck this was about. Had myself half convinced it was a Firefox issue, then saw the same behavior in IE. Check out this Myspace profile: April. The only thing on there that points anywhere is the “view” on the extra music player.
The whole profile is obscured by an image from toironorfold.com, which is owned by the band Making April, which also has a Myspace profile. Even the domain name points to the myspace profile. They have an amazing number of friends.

I don’t know what the heck the point is, but I don’t like being played.

Whatever their point is, they’re misusing the system.

Yep, I know I sound like a spoilsport…

Myspace spam profiles

Saturday, June 9th, 2007

I maintain a “sleeper profile” on myspace for a friend of mine, who’s a guy. It’s not yet in use, except for sending the occasional message.

Today I got a friend request from Edda, who had a Gorilla for a profile picture. I checked the profile out, thinking it was legit.

At first it looked unremarkable - she had 16 friends. But then a gif file loaded, saying she’d moved her profile to Adultfriendfinder.

The file was on Photobucket (see here), but was served through a 302 redirect from this domain:

synchrism.info

The image links to that website as well. The domain was registered yesterday, and although it worked a few hours ago, by now it only serves up a socket error. I didn’t have a look at the website when I first found this, and the whois data is protected.

Either way, this is spam, pure and simple.

Tom just announced that they’d employed solutions against the spam on myspace a few days ago, but this might be rather hard to fight against. I’m sure other guys have seen it before, but since I’m female, and that profile is rather hard to find, this was my first time to see the “fake myspace profile”. And get this, she had 17 friends now, so people are unfortunately falling for this.

Well, in case the spammers read this, here’s another report (from Tom), about the legal success Myspace has in fighting spammers.

Clueless reply from Myspace about hacking

Monday, April 23rd, 2007

I contacted Myspace April 13th with this text:

This guy has fake login code on his profile:
(link to the profile I was talking about)

I’ve contacted him multiple times about it, and he doesn’t care.

Today I got this response from Myspace UK:

Thank you for contacting MySpace Customer Support.

The issue seems to be resolved now. If you are still experiencing difficulties please reply to this e-mail.

Sincerely,

MySpace

I then immediately checked the profile in question. No change. Still got fake logins all over it, so I sent this as a reply:

He’s still got rogue code on his profile. Like I said, he doesn’t care.

My beef right now, is with that particular Myspace employee for not even recognizing a profile with fake login code on it.

Hey, maybe *I* should work for them? At least I can recognize bad code when I see it?

BTW, that was his profile I analyzed in the Anatomy of a hacked myspace page post.

Websitewelcome abuse address not working

Saturday, April 21st, 2007

I sent an abuse complaint to websitewelcome.com, about two domains involved in myspace bulletin spam. The domains were:

playdate-fun.com
marketing-dept-v.com

This is what I got in response:

This message was created automatically by mail delivery software.

A message that you sent could not be delivered to one or more of its
recipients. This is a permanent error. The following address(es) failed:

abuse@websitewelcome.com
retry timeout exceeded

Can’t even send a spam report to Myspace?

Saturday, April 21st, 2007

This has happened way too many times for me to forget about it:

[Image: Myspace error]

It happens as I submit a spam complaint.

And since I apparently can’t reach myspace, I’ll post it here. It’s user number 181647733. CSS is hiding most of the normal myspace layout, instead displaying a grinning condom promising 3 free packs of condoms if people click on him. Who’d like to trade their e-mail address to the bad guys in order to get three packs of condoms? You realize that’s giving the spammers PERMISSION to send as much spam as they possibly can to you, right?

Opportunistic placement of layout generator link

Friday, March 23rd, 2007

One girl had used CodeMyLayout.com, and had dutifully inserted the code they gave her.

Problem was, they placed an “ad” in the upper left corner, and it covers the “home” link on Myspace. There’s nothing bad on their page, it’s just a bit opportunistic.

The code is easy enough to guess - link under background image with absolute placement in the upper left corner, and big enough so it covers the home link - nothing fancy.

Anatomy of a hacked myspace page

Friday, March 23rd, 2007

I’ve been talking to a guy who kept getting his password stolen. I thought I’d break down what happened to him.

I noticed his profile had sent out an excessive number of bulletins, so I went to his profile to ask him to remove them. And when I tried to click on “send message”, nothing happened. Hmmm, looking at the bottom of the browser window - under my mouse pointer was ezoff4.net. I checked it, and it redirects (302) to logintonyspaices.com/high.

Image too big to fit into blog, click here to see it.
That link is under the whole section with his photos and the panel with contact options. And under the “home” link at the top. But if you try to click on one of the links to the right of “home”, you get another link. And this time it’s a myspace link, with a standard (URL exploit) redirect at the end, to:

a51271a26.com

And that site has a (302) redirect to a long URL. It’s got all the myspace junk you expect, except there are no / until the very end, and at the very end you again find a51271a26.com.

That one would probably fool quite a few less savvy surfers (which means most myspace users, apparently).
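A defender-side check for the two URL tricks in this archive, the misspelled Myspace name in the phishing comment post and the long slash-free lookalike URL described here. This is an added example, not code from the original post; the long sample host is constructed from the description, and the last-two-labels rule and the 0.8 threshold are assumptions.

```python
import difflib
from urllib.parse import urlsplit

BRAND = "myspace"
GENUINE = {"myspace.com"}   # assumption: the only registrable domain treated as real
THRESHOLD = 0.8             # assumption: similarity cut-off, tune on your own data

def registrable(host):
    # Naive last-two-labels rule; enough for the .com/.net samples here.
    # Use a public-suffix list for real traffic.
    return ".".join(host.rstrip(".").split(".")[-2:])

def brand_similarity(name):
    # Slide windows of roughly brand length over the name and keep the best
    # match, so a misspelled brand buried in a longer name still scores high.
    best = 0.0
    for size in range(len(BRAND) - 1, len(BRAND) + 2):
        for i in range(max(1, len(name) - size + 1)):
            ratio = difflib.SequenceMatcher(None, BRAND, name[i:i + size]).ratio()
            best = max(best, ratio)
    return best

def classify(url):
    host = (urlsplit(url).hostname or "").lower()
    reg = registrable(host)
    if reg in GENUINE:
        return "genuine"
    # Brand appears left of the real domain: the browser still goes to `reg`.
    if any(BRAND in label for label in host.split(".")[:-2]):
        return "brand-in-subdomain"
    if brand_similarity(reg.split(".")[0]) >= THRESHOLD:
        return "lookalike-name"
    return "unrelated"

# Constructed samples; the domains come from the posts, the long host is built
# from the description (myspace-style words, dots instead of slashes).
SAMPLES = [
    "http://www.myspace.com/index.cfm?fuseaction=login",
    "http://logintonyspaices.com/high",
    "http://login.myspace.com.index.cfm.fuseaction.login.a51271a26.com/",
    "http://ezoff4.net/",
]

if __name__ == "__main__":
    for u in SAMPLES:
        print(f"{classify(u):20} {u}")
```

The plain redirector `ezoff4.net` comes back as "unrelated", which is why a name check like this only complements following the 302 chain to its final host.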

The link is actually under an image covering the Myspace links.

There’s even one more redirect hidden somewhere (haven’t found the location of the link yet): profile121.com. Same procedure as the really long myspace lookalike URL.

All these bogus links are under this image, with size set to extra large: x.myspace.com/images/clear.gif

Here’s the code the bad guys inserted:

[Image: fakemyspace2]
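This post and the CodeMyLayout post above describe the same pattern: an off-site link wrapped around a large, absolutely placed and often transparent image that sits over Myspace's own links. One way to flag that pattern when reviewing profile HTML, as an added example that is not code from the original post; the trusted-host list, the pixel threshold and the sample markup are assumptions constructed from the description.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

TRUSTED = ("myspace.com",)   # assumption: hosts a profile link may point to
MIN_PX = 300                 # assumption: large enough to blanket navigation

def offsite(href):
    host = (urlsplit(href).hostname or "").lower()
    return bool(host) and not any(host == t or host.endswith("." + t) for t in TRUSTED)

def px(value):
    m = re.match(r"\s*(\d+)", value or "")
    return int(m.group(1)) if m else 0

class OverlayFinder(HTMLParser):
    def __init__(self):
        super().__init__()
        self.href, self.findings = None, []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "a":
            self.href = a.get("href") or ""
        elif tag == "img" and self.href and offsite(self.href):
            style = (a.get("style") or "").lower().replace(" ", "")
            traits = {
                "transparent spacer": (a.get("src") or "").lower().endswith("clear.gif"),
                "oversized": max(px(a.get("width")), px(a.get("height"))) >= MIN_PX,
                "absolute position": "position:absolute" in style,
            }
            reasons = [name for name, hit in traits.items() if hit]
            if len(reasons) >= 2:   # a single trait alone is common and benign
                self.findings.append((self.href, reasons))

    def handle_endtag(self, tag):
        if tag == "a":
            self.href = None

def find_overlays(html):
    finder = OverlayFinder()
    finder.feed(html)
    return finder.findings

# Constructed profile fragment modelled on the post's description.
SAMPLE = """<a href="http://ezoff4.net"><img src="http://x.myspace.com/images/clear.gif"
 width="900" height="700" style="position: absolute; top: 0; left: 0"></a>
<a href="http://example.org/"><img src="http://example.org/logo.jpg" width="120"></a>"""
```

`find_overlays(SAMPLE)` returns a single finding, the `ezoff4.net` link with all three traits; links that go through a Myspace redirect URL have a trusted host and need the redirect target resolved first.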

More on hacked myspace passwords here:

http://spamhuntress.com/2007/03/17/how-your-myspace-got-hacked/