Archive for the 'Social networking spam' Category

Myspace spam and obfuscation

Thursday, March 22nd, 2007

Myspace spam has been pretty low tech so far - with regard to the actual messages spammed, though the mechanism is sophisticated (stolen accounts, stolen passwords).

Here’s the source code of a spam intercepted today:

[Image: macys1]

How your Myspace got hacked

Saturday, March 17th, 2007

Since I’m notifying people whose Myspace profiles got “hacked”, I figured I should put up a more comprehensive post on how it might have happened, and what to do about it.

To recap: Lately a lot of spam has been posted as comments on profiles, and the person who seemingly posted the comment has no idea it’s happening. The typical spam lately has been: iPhone, Macy’s gift card, Victoria’s Secret gift card, Nintendo Wii, penis pills, ringtones, some kind of dating site, porn (one user unwittingly sent out porn bulletins). In the past we’ve seen bulletins sent out by unsuspecting people - and they were hawking Louis Vuitton bags, and webcam girls.

First of all, most of the time, your profile got hacked because you gave away your password to the bad guys. There are a few ways that normally happens; see below. But first, here’s what you need to do to fix it:

You need to change your password. But that’s not always enough. And here’s why:

Even when you change your password, the bad guys keep sending out stuff in your name.

The reason could be that they placed rogue code inside your profile. Here’s an actual example of that:

http://spamhuntress.com/2007/03/23/anatomy-of-a-hacked-myspace-page/

In other words - you need to clear out code they left behind in your profile (often in the About me section), that gives them your new password each time you change, because they got you to “sign in again” - at a fake place. Then change the password again, taking care not to sign in again on a fake site.

Here’s how they got your password in the first place:

1)

Did you click on a link bearing a resemblance to this, and then go through the process?

[Image: trackers1]

[Image: trackers2]

Well, this guy at one time had a tracker he gave out, but these days the only thing he seems interested in is getting the password to your profile so he can send out his spam. And lots of people do give him their passwords, thinking they’ll get that tracker.

There is no software involved that I know of, so changing your password might be enough. Check your profile to see if there’s any strange code on it, or something got deleted.

2)

Then there’s this thing:

[Image: trackers3]

It’s a program, and it downloads automatically once you click on the link under that image. Apparently, it throws up some popups during or after installation that ask for your password. Vitalsecurity tried it (see here and here), and said it didn’t appear to work, but it does spam in your name.

This is software that resides on your local machine. I don’t know if changing your password is enough. We’ll need some feedback from someone who tested it to be sure. But change your password and see if that fixes it. And check your profile for any code added or removed by the bad guys.

3)

The third way is if you receive an e-mail that tricks you into logging into Myspace - only there’s a link in that e-mail going to a fake myspace site.

With this way, changing your password and checking your profile for rogue code should be enough.

4)

Links from bulletins and comments, leading to a fake myspace site. They copy the myspace site, with a lookalike site name. The fake site says you’ve been logged out and need to log in again.

You need to change your password, and check your profile for rogue code.

5)

Well, I don’t know if there is a fourth way. There probably is. But I’ll have to ask for help from the readers on this one. How about that tracking code that supposedly reads the cookies from Myspace if you’re logged in?

Conclusion: The people behind the first two methods do spam in your name - to get more people to give away their passwords. But I don’t know yet who’s responsible for the spam that’s not for the “scam”. If you know exactly how your password got pilfered, and you can show what kind of spam got posted through your profile, please let me know.
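An added example, not part of the original post: one way to check a chunk of profile or comment HTML for the two things described above, links to lookalike hosts (methods 3 and 4) and a sign-in form left in the profile that would send the password off-site. The `.example` hosts, the sample HTML and the rule that an off-site host containing "myspace" counts as a lookalike are assumptions made for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

TRUSTED = "myspace.com"  # assumption: the only domain treated as the real site

def host_of(url):  # hostname of an absolute URL; None if relative or malformed
    try:
        return urlparse(url or "").hostname
    except ValueError:
        return None

def is_trusted(host):  # myspace.com itself or a genuine subdomain, nothing else
    host = (host or "").rstrip(".")
    return host == TRUSTED or host.endswith("." + TRUSTED)

class ProfileAudit(HTMLParser):
    def __init__(self):
        super().__init__()
        self.findings = []      # (kind, host) tuples, in document order
        self._form_host = None  # off-site host of the <form> we are inside

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "a":
            host = host_of(a.get("href"))
            if host and not is_trusted(host):  # "myspace" in it: assumed lookalike
                kind = "lookalike-link" if "myspace" in host else "offsite-link"
                self.findings.append((kind, host))
        elif tag == "form":
            host = host_of(a.get("action"))
            self._form_host = host if host and not is_trusted(host) else None
        elif tag == "input" and (a.get("type") or "").lower() == "password":
            if self._form_host:  # password field that would be sent off-site
                self.findings.append(("offsite-password-form", self._form_host))

    def handle_endtag(self, tag):
        if tag == "form":
            self._form_host = None

def audit(html):
    parser = ProfileAudit()
    parser.feed(html)
    parser.close()
    return parser.findings

# Constructed sample; the .example hosts are placeholders, not real sites.
SAMPLE = ('<a href="http://myspace.com.signin.example/login">log in again</a>'
          '<form action="http://login-myspace.example/i.php">'
          '<input type="password" name="pw"></form>')
```

Running `audit()` over the About me section and recent comments gives a short list of hosts to look at by hand; relative links and links to real myspace.com subdomains produce no findings.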

Notifying spamming profiles

Thursday, March 15th, 2007

About a day ago I started notifying people when I saw their profiles spamming on Myspace. So far I’ve had almost 100% reply rate with thanks from those I’ve sent messages to. Here’s what I tell them:

Subject: Runaway comments

Hi,

I found a comment “from you” on so and so’s profile. Have a look. I know you didn’t write it… Bottom line: The bad guys have the password for your profile. You need to change your password. How much damage control you do is up to you of course. Some send out a bulletin making excuses and ask others not to sign up for the trackers you find ads for in the comments section. And to not install the ProfileWatcher software. Or not to log in to myspace after receiving some e-mail with some ruse to get you to log in after following a link from that e-mail.

The spam comments are usually found on profiles belonging to famous people. Typically those with many thousand friends, who get more than ten comments per day. Some have even disabled HTML in comments, to make the impact felt less when spammy comments don’t get removed.

What I SHOULD do of course, after I get the thank you note, is to follow up with a friend request ;-)

And from now on I’ll add these links, telling the profile owner to check it out if they installed ProfileWatcher:

Vitalsecurity on ProfileWatcher 1.0, Vitalsecurity on ProfileWatcher 2.0

Penis enlargement on Myspace

Thursday, March 8th, 2007

One of the latest spam runs on myspace involves penis enlargement pills. Comments starting like this are spreading like wildfire:

All Girls are straight up lying when they say that size does not matter, I got proof. …

And the domains involved so far are:

DCCOME.COM
EHEDS.COM
BOKIG.COM

IP: 216.188.29.68

Whois:

person: Gino Roberts
organization: Etty Productions Limited
email: admin@ettyproductionslimited.com
address: Rua Pedroso Alvarenga, 332
city: Sao Paulo
state: –
postal-code: 04531-001
country: BR
phone: +55.1183145121
nserver: ns1.plutodns.com 216.188.29.68
nserver: ns2.plutodns.com 216.188.29.68

Registration dates:
2007-02-27 00:59:00 UTC
2007-02-27 00:59:43 UTC
2007-03-06 00:40:56 UTC

The e-mail address referenced here is well known from NANAE, so he’s an e-mail spammer. He or someone else in his name also posted a number of posts on other groups, with “Yawn” as the only response to some debate (read flaming) going on.

What YOU can do about the spamming:

* Police your comments on Myspace. Remove spammy ones, or change to premoderated and don’t let them through. If someone comments on your profile, or sends a bulletin that seems spammy, let them know.

* If your name is attached to spammy comments or bulletins, change your password NOW, and send out a bulletin asking people to remove the spammy comments - thus spreading the word that people need to change their passwords if that happens to them. Check what bulletins you’ve sent, and remove those that are spammy.

500 gift card from Macy’s

Monday, February 12th, 2007

Yep, that appears to be the latest scam.

I got a bulletin from a “friend” on MySpace today. I’ve sent him an e-mail to check if he sent it or not. I’m guessing not. No idea how this one works.

But the link you’re supposed to claim the giftcard at is

preesly.com

It redirects (in HTML) to an affiliate ID at directtrack, which (for me in Norway) eventually leads to a page where it says the offer isn’t available in my area (geotracking). That page has a poker affiliate ID redirect on it. But for those in the US, it eventually ends up on ConsumerResearchBureau.com

According to McAfee SiteAdvisor, they got mucho spam after registering on that site.

So, this is about spam, however it’s done.

Would you get a gift card from Macy’s after registering? I don’t know, and I’m not going to try and find out. I’ve got enough spam as it is.

I’ll leave out the whois for now, until I know for sure how that bulletin got sent.

Update: Just got a second bulletin from the same guy. This time he’s gushing about a Louis Vuitton bag. Yeah, right, I don’t think so. This is a GUY, not a girl. I doubt he’d willingly be seen with that thing!

Domain name this time: vdaybags.com

Wildfire comments on MySpace

Monday, February 12th, 2007

It seems every day it’s something else. I find them on profiles for famous singers or other people who get a lot of comments, have lots of friends and don’t moderate heavily.

Here’s one example of a profile spammed with that kind of comment, where HTML wasn’t disabled. Look for comments today from Chad and Wendy Lyn:

Jenny’s profile

Today’s catch is:

kerryissoverry.info/startnow.php
whoswaldo.info/getitnow.php
wswirl.info/dlnow.php

Do NOT go there! It throws up a 302 redirect to profilewatcher_setup.exe.

That site actually advertises that software. Except, I can’t for the life of me figure out how an exe file can do any profile watching on MySpace, unless the program is instructing YOUR computer to do the watching, and maybe who knows what else…

Either way, it appears they’re doing some spamming. Those comments are (unsuccessfully on the profile I was watching) formatted to have a random MySpace graphic with that link under it. Stealth promoting, in other words. Anyone who clicks on the image, gets the program.

Whois info:

Created On:24-Jan-2007 05:16:32 UTC
Registrant Name:Janice Robb
Registrant Organization:ZeroPoint Search Solutions
Registrant Street1:1555 Sky Valley Dr.
Registrant Street2:#A101
Registrant Street3:
Registrant City:Reno
Registrant State/Province:Nevada
Registrant Postal Code:89523
Registrant Country:US
Registrant Phone:+1.7756241422
Registrant Email: janice@zpsearch.com
Name Server:NS1.GEODNS.NET
Name Server:NS2.GEODNS.NET

IP: 66.135.40.95

zpsearch.com is deemed unsafe by McAfee SiteAdvisor. They said the profilewatcher software was safe, but frankly, I don’t care. Zpsearch are spammers, and I don’t trust spammers! I’m fairly sure that software is doing a bit more than McAfee thought - at least today!
Paretologic is a bit more skeptical than McAfee - they point out you have to enter private credentials…

I highly doubt these people entered these comments of their own free will, which leaves the software as the likely culprit.

Gullible on MySpace

Sunday, February 4th, 2007

I thought I’d check out the specifics of the tracker scam on MySpace. I’ve seen some comments sections crammed full of those comments, typically saying in large font:

See who is spying on your MySpace page! Click here to start tracking your profile lurkers!

downloadthefox.net
trackyourspace.net
hellaadds.com

Update:
I’ve seen redirects from these to stalkertrack recently.
11021986.info
beeasy.info

What’s interesting is that all of these are owned by the same person and are hosted on 64.131.64.86. The owner tends to use trainreqhost.com as the DNS servers, and also posted about selling hellaadds on a forum, under the name TrainReq. Another name I’ve seen associated with that domain is Josh919, as a moderator on a forum.
Most of the addresses redirect directly to stalkertrack.com

All domains have whois protection on them.

Other domains associated with trainreqhost.com

essentialproxy.com - used to be on the same server as trainreqhost.
nightstarproductions.com - has the dns servers. The PHP info on essentialproxy.com references josh.nightstarproductions.com as well as webmaster@trainreghost.com. And Trainreq posted on Sla.ckers and used the nightstarproductions as an example of where he’d put MySpace cookie stealing code, only he couldn’t get it to work at first. And I found a working cookie stealer javascript on that domain as well. Oh, and there’s even a forum for support for the tracker customers. This you’ve got to see: h*tp://profileviewz.nightstarproductions.com/index.php?act=idx

So this guy actually DID sell a tracker in the past. But there’s been quite a bit of press about stalkertrack, and what’s been said is that in order to sign up, you need to hand the keys to the kingdom to the site - in other words, they spam ALL your friends on MySpace with their ad copy for the tracker. AND, you still don’t get the tracker - yet.

Can anyone help figure out who TrainReq is?

The MySpace bait and switch

Sunday, February 4th, 2007

MySpace has a huge bull’s eye on it. With that many users, the potential for income is huge, if you figure out how to spam the system. We’ve seen many do that. The services that promise you can spy on who’s looking at your page, sometimes spam your friends, if you sign up for the service. And they sued Scott Richter… But there’s a twist I haven’t seen before.

Make a fan profile for a hugely popular band, then after it’s become very popular, change the name and launch it as your own profile.

(edited name out) did just that.

What used to be his tribute page for Petra (hugely popular Christian rock band), at http://www.myspace.com/petra is now his own page - the old URL is invalid, but all the people who added Petra as their friend now have his profile in that spot instead. With all the comments entered for Petra still intact…

Tim says in his blog post (now removed) on what used to be Petra’s profile that he wouldn’t have done that, except MySpace blocked his own profile from sending comments. Hmmm, I just have to ask the question: Did he send LOTS of comments? It’s a valid question, but not one I know the answer to.

Anyway, rationalize it any way you want, it’s still dishonest!

Update, March 8th 2007:

This guy got in touch with me. At first he thought I’d slandered him and tried the usual legal bluff most people fall for. When that didn’t work, he asked me nicely to remove his name. The guy possibly DID send way too many comments, and got punished for it by Myspace. He argued that his own profile had had way more friends than the Petra profile, and that Petra isn’t his target audience. When it was time to promote his new album, he was locked out of doing it the way he wanted to, so he did (what to me is dishonest, even though I understand his reasoning - the end justifies the means) what he could to get the word out - he butchered his fan tribute site and put his own site there instead.

I guess the main two lessons from this story are these:

* Don’t send out way too many comments (or bulletins, messages or friend requests). With the current level of spamming happening on Myspace, you might be labeled a spammer and might lose the right to send comments or bulletins, maybe even messages.

* Don’t do the bait and switch, the backlash could cost you a lot - especially if someone like me gets her toes stepped on.

I did find a current profile for two members of Petra, that I put on my friends list. The artist who did the bait and switch is not my cup of tea, and long gone from my friend list.