A "Myspace Cracking tool" has recently come to light, though if you're considering attempting to crack some Myspace accounts with this:

....then you might want to think again, on account of it not being quite what it seems. This "cracking tool" is only after one person's details: yours. Run it, and you'll see the following (somewhat bizarre) message, which should be your first clue that all is not quite right here:
At this point, your CD tray may well pop open - perhaps in tribute to the Trojans of old that did pretty much the same thing. At any rate, you're certainly not cracking any Myspace accounts, and after a faint grinding from your PC you're left to sit and stare at your desktop, wondering what went wrong. Here's a clue - have a poke around inside the EXE, and some lines of code will likely start to give the game away:
..."Firefox password grabber"? Oh dear.
The observant end-user will notice a .txt file appears on their C Drive, and it contains all the stored passwords saved via Firefox on their computer:
As you can see, the bad guys here seem to be exploiting a well-known password recovery tool for nefarious purposes - in this case, Firepassword. You're probably wondering what happens with the stored login details at this point - well, do some more digging in the code and you'll see this:
The stolen Firefox passwords are sent to an FTP drop set up by the hacker, and every login you had stored in Firefox at that point is immediately at risk. Of course, if you're foolish enough to play around with hacking tools then there's a good chance you're going to get burned sooner or later...
We detect this as FoxPass.
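For triaging a sample like this one, here is an added example (not code from the original post, and not the tool it describes) of the kind of quick strings check a defender can run over a binary: it pulls printable strings out of the file and flags the ones that look like a credential-stealer tag, an FTP drop, or a dropped output path. The sample bytes, hostname, path and credentials below are constructed placeholders, and the indicator categories are this example's own.

```python
import re
from typing import Dict, List

# Constructed stand-in for the bytes of a suspicious executable. It is NOT the
# real sample from the post; it just embeds the kind of plaintext a credential
# stealer tends to leak: a descriptive string, an output path for the harvested
# logins, and an FTP drop (hostname and credentials are placeholders).
SAMPLE_BINARY = (
    b"MZ\x90\x00\x03\x00\x00\x00\x04\x00\x00\x00\xff\xff"
    b"\x00\x00Firefox password grabber\x00\x00"
    b"C:\\passwords.txt\x00\x00"
    b"ftp://drop.example.invalid/upload\x00"
    b"USER dropuser\x00PASS dr0ppass\x00"
    b"\x01\x02\x03\x04"
)


def extract_strings(data: bytes, min_len: int = 4) -> List[str]:
    """Return runs of printable ASCII of at least min_len chars (like `strings`)."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [m.group().decode("ascii") for m in re.finditer(pattern, data)]


# Indicator patterns a defender would look for during a first pass.
INDICATORS = {
    "credential_theft": re.compile(
        r"password (grabber|recovery|dump)|stored passwords|signons", re.I),
    "exfil_ftp": re.compile(r"\bftp://|^(USER|PASS)\s+\S+", re.I),
    "dropped_file": re.compile(r"^[A-Za-z]:\\.*\.(txt|log|dat)$", re.I),
}


def triage(data: bytes) -> Dict[str, List[str]]:
    """Map each indicator category to the strings in `data` that matched it."""
    hits: Dict[str, List[str]] = {name: [] for name in INDICATORS}
    for s in extract_strings(data):
        for name, pattern in INDICATORS.items():
            if pattern.search(s):
                hits[name].append(s)
    # Drop empty categories so the result is easy to read and to test.
    return {name: found for name, found in hits.items() if found}


def is_suspicious(data: bytes) -> bool:
    """Flag when a stealer-style string co-occurs with an exfil channel or a dropped file."""
    hits = triage(data)
    return "credential_theft" in hits and (
        "exfil_ftp" in hits or "dropped_file" in hits)


if __name__ == "__main__":
    for category, strings in triage(SAMPLE_BINARY).items():
        print(category, "->", strings)
    print("suspicious:", is_suspicious(SAMPLE_BINARY))
```

The co-occurrence rule in `is_suspicious` is the point: a lone "ftp://" or a path to a .txt file is common in legitimate software, but a password-recovery string next to a hard-coded FTP login and an output file is exactly the combination described above. To run it on a real file, pass `open(path, "rb").read()` to `triage`.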
Written by Christopher Boyd on August 26th, 2008 with comments disabled.
Read more articles on Uncategorized.
A colleague of mine had a private message sent to them on Facebook yesterday from the account of a friend. The message is related (of course) to the recent Facebook worm:
Click the link, and you'll see something like this:
Yes, it's Ye Olde Fake Codec installer, hosted on what appears to be a hacked website. As always, pay close attention to what you're being sent from your friends. If it doesn't seem like something they'd send you, that's probably because they didn't...
Written by Christopher Boyd on August 25th, 2008 with comments disabled.
Another day, another useless message being kicked around Facebook:
If you see this, please - ignore it and tell your friends off for sending it to others in the first place ;)
Written by Christopher Boyd on August 25th, 2008 with comments disabled.
One of the few things that - perhaps - alerts users that they've been phished is when (after entering perfectly valid login details) they see something like this:
...or like this:
Generally, when net-savvy users get phished, they're alert enough to know that messages such as the ones above are a clue that they might have stumbled onto a Phishing page (assuming they're 100% sure they entered their details correctly, of course). This "break" in the login cycle has always been a weakness of a phish page, and the typical flow of events is as follows:
1. Visit Phish page
2. Enter details
3. You are told "your login cannot be processed at this time", and your information is stolen
What if the process could go like this:
1. Visit Phish page
2. Enter details
3. Phish page steals your information, but logs you into the target site
You'd miss that vital clue - the failed login - and assume everything was okay.
Well, a Phish for the popular Habbo Hotel caught my eye today because it does just that - seamlessly logging you into Habbo Hotel once your details have been stolen. Here is the Phish page in question:
Here I am, entering my login details into the page:
At this point, a regular Phish page risks giving the game away because of the familiar variations on "Your login could not be processed" that appear at this point in the procedure.
However, the Phish page takes you to a page hosting an encoded base64 script (inside which, the hidden code goes about its business of logging you into the site for real. No, we're not going to make it easier for wannabe Phishers and show everyone how it's done).
From there, the user is deposited onto the Habbo Hotel website, fully logged in - no "Your login could not be processed" messages here!
Meanwhile, my login has been stolen (it's the one in red) and placed in the ever growing pile collected by the Phisher:
From the point where I decided to login to Habbo Hotel, to the point where I'm actually logged into the site there is no break in the usual procedure and I have absolutely no indication I've just been phished. If this kind of devious tactic is employed for banking phishes, it'll make it all the more crucial that end-users start to think about running Anti-Phishing programs and browsers that have built-in Phish Detectors because the stakes seem to have raised once again.
Written by Christopher Boyd on August 22nd, 2008 with comments disabled.
I'm on holiday this week, but thought I'd better give this a mention anyway (plus, when did being on holiday ever stop me from posting stuff on blogs, right?)
I was surprised to see this posted to the comments section of the Sunbelt Blog:
I was about as surprised as The Dean was!
To quote a further post from The Dean:
"Well, that's weird. Isn't spywareguide Paperghost's blog? I know he wouldn't spam here. And, the link on the first comment goes to a 404 page."
So, we have someone spamming with broken English, dropping links to 404 pages on Spywareguide. Curious.
Now, I did have some suspicions on this - for starters, the recent blogs regarding the pirate movie websites that pop Zango installers just hit a few news websites. As this article mentions, a lot of the sites involved in this are from Asian regions - China, Indonesia etc. I couldn't help but notice the name of the poster was "Tam" - a common name in certain parts of Asia.
Coincidence? Or a possible affiliate not too happy about this being highlighted? Well, a quick email later and the results for the spammer are in:
A potentially forged Reverse DNS aside, it's a strange thing indeed that they just happen to resolve to Vietnam given that a good portion of these sites are in Asia, isn't it?
I think I'll see if any are owned by someone called "Tam".
When I return from my holiday, of course....
Written by Christopher Boyd on August 19th, 2008 with comments disabled.
This is pretty interesting. After a week or two of seeing CNN spam, then MSNBC spam (both of which allude to "breaking news stories" in order to get people's attention), it seems the people behind those attacks are now sending out plain emails (with none of the allusions to being from major news networks) that simply say "BREAKING news" in the title field:
If you visit the link in the email, you'll see this:
I don't believe I've seen the length, rating and viewcount under the video before so that's likely a new tactic they've employed. Looks like they need to hire a spellchecker though...
Written by Christopher Boyd on August 17th, 2008 with comments disabled.
The practice of affiliates signing up with Zango then hiding pirated movies behind their installer prompt ([1], [2]) takes another twist, as we go hunting for TV episodes instead of movies and find....
......TV shows (streamed from Chinese Youtube-style websites for the most part, though a lot of the clips have been pulled for breaking ToS on the sites in question), hidden behind Zango installer prompts. Many of the episodes are uploaded by individuals who link back to Warez sites (such as the Xinoa.net site in his profile), so these are clearly not all legitimate uploads. Some of the videos linked to may be legitimate, but for the most part, the videos across the sites are branded with Chinese BitTorrent websites, video rip portals (with the name of the site branded onto the clip), deleted for being an unauthorised upload and so on.
Obviously, this is something of a mini industry we have here but I'm faintly alarmed that so many of these affiliates are happily churning out these kinds of sites. I'm also pretty sure Zango doesn't want people seeing what effectively says "Free ripped off movies online sponsored by Zango" on their installer prompts, either.
As a side note, it's not just Zango affiliates doing this - here's another example, this time for something called "Cpalead.com" that wants you to fill in a survey in return for seeing "free" episodes of Lost:
In case you were wondering, my monitor isn't broken, they just grey out the page when the popup appears. The Lost episodes appear to be ripped by end-users and uploaded to Megavideo.com.
The sites above are:
lost-stream(dot)com
ietv(dot)co.uk/category/watch-lost-online
watchprisonbreakonlinefree(dot)com
watch-lost-online(dot)info
www.heroesstreaming(dot)com
I guess I ended up with a trilogy after all.
Written by Christopher Boyd on August 15th, 2008 with comments disabled.
A few days ago, I wrote about a site asking you to install Zango before you could view the site content (which happens to be pirated movies). Well, another site has come to light doing a similar thing - I'm starting to wonder how many of these are actually out there. It's also served to highlight what I feel is a particularly confusing popup box, but we'll get to that later. First off, here's the website in question:
Bestcinemaonline(dot)com. As you can see, the site is similar to the last one (except that site is registered anonymously to an individual in China, whereas this one is registered to someone in Indonesia). Also, the format is different - the last site was more of a "movie repository", whereas this one takes the shape and style of a blog with each individual entry pointing to a film. And what films they are!
X-Files!
Hellboy! (Is that even out yet?)
As you might have expected, a lot of the movies end up looking like this when attempting to watch them:
.....whoops.
I must also give a special mention to one of the most confusing popup warnings I've ever seen - it really threw me, and I admit I nearly installed Zango accidentally after seeing it. If (when prompted with the Zango installer box) you click "Cancel", this appears in the middle of your screen:

"Click OK to Cancel or Click "Cancel" to continue the installation".
.....Whaaaaaa? That's a bit of a brain bender, right there. I hope this set of writeups doesn't become a Trilogy...
Written by Christopher Boyd on August 15th, 2008 with comments disabled.
Here's a site - movietvonline(dot)com - that requires you to install Zango in order to view the content.
Nothing unusual there, though I did think the owners of the website were pushing things a little, perhaps, to ask you to install something to view content you could view for free on the official website.
Anyway.
Turns out I was somewhat wrong, because they're not asking you to download Zango in order to watch trailers:

They want you to agree to install Zango in order to view whole movies, some streamed on the movietvonline website from other sources, others in the form of broken up downloads hosted on file-downloading sites.
Here's a shot of what appears to be a badly made camcorder (complete with people talking and scrunching up paper in the background) streamed on the website:
Clearly, the Joker isn't asking Batman "Why so serious" - he's asking him why the camcorder rip is so seriously bad. In fact, the whole site appears to be nothing more than a mass repository of dubiously acquired movie copies:
...Holy Pirated Content, Batman!
Written by Christopher Boyd on August 13th, 2008 with comments disabled.