Sunday, June 11, 2006

Anatomy of a Myspace Auto-Bulletin

If you haven't heard about Myspace.com as of yet, then roll over to the NASA headquarters and turn yourself in, because you must be from planet Pluto.

Myspace is a very popular social networking site used mainly by young people. In fact, it is so popular that it ranks 3rd among the most viewed websites in the US.

This popularity means big advertising revenue for the owner of Myspace - News Corporation. News Corp is one of the largest media conglomerates in the world.

While being popular on the internet can be a very good thing, it can also be a bad thing - just ask Microsoft.

Evil tricksters, shady advertising and phishing attacks have been plaguing Myspace for quite some time now.

Recently I ran across one such shady advertising trick while surfing around on Myspace in a bored haze. Since I was bored, I took the time to dig into it a bit.

It used a catchy bulletin to drive users to a third party site.



As you can see in the status bar, hovering over the link shows that we are being sent to another site - graphic-myspace - whose name closely resembles Myspace's. This is a common social engineering trick that increases the likelihood that the targeted user will click through to the site.

The creator of Graphic-Myspace doesn't want to be known and has therefore registered the domain through DomainsByProxy, a WHOIS privacy service that hides the registrant's details.



Let's follow the link in the bulletin and look at "hip.html" -



As you can tell, the whole page is percent-encoded (a string of %XX sequences) and is decoded in your browser by the JavaScript unescape function, so the real content never appears in the raw source. While not really evil in nature, I have seen this trick used for years by web-based malware and other things.

Let's unescape it and see what we get.



In the code we see calls to several advertising pop-ups, nothing too crazy. But ahh..what is this iframe tag doing? Again, while not evil in nature, a hidden iframe silently loads a second page, and this is the way client-side browser exploits are commonly delivered.

Let's grab this "h1q0o2w9i.html" and see what is going on.



Ahh, we know this trick. Let's unescape it - see the red block.
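Both hip.html and h1q0o2w9i.html use the same unescape trick, so here is a small decoder that does the unescaping for you, peels nested layers, and lists the iframes and forms that fall out. This is an added example, not code from the original post; the two sample pages are constructed stand-ins for the real files, and every URL in them (example.invalid hosts, the bulletin endpoint path) is a placeholder, not the actual site.

```javascript
// Added example (not from the original post): peel unescape()-obfuscated
// pages like hip.html / h1q0o2w9i.html and triage what they contain.
// Sample pages and URLs below are constructed placeholders.

// Legacy JavaScript unescape(): %XX is one code unit 0-255, %uXXXX one UTF-16 unit.
function legacyUnescape(s) {
  return s.replace(/%u([0-9a-fA-F]{4})|%([0-9a-fA-F]{2})/g, (m, u, x) =>
    String.fromCharCode(parseInt(u !== undefined ? u : x, 16)));
}

// Inverse of the above; used only to build the constructed samples.
function pctEncodeAll(s) {
  return Array.from(s, ch => {
    const c = ch.charCodeAt(0);
    return c < 256 ? '%' + c.toString(16).toUpperCase().padStart(2, '0')
                   : '%u' + c.toString(16).toUpperCase().padStart(4, '0');
  }).join('');
}

// Every string literal passed to unescape(...) in a page.
function extractUnescapeArgs(html) {
  const re = /unescape\(\s*(["'])((?:\\.|(?!\1)[^\\])*)\1\s*\)/g;
  const args = [];
  let m;
  while ((m = re.exec(html)) !== null) args.push(m[2]);
  return args;
}

// Decode layer after layer until no unescape() call is left; malware often
// nests several. Returns [original, layer1, layer2, ...].
function peelLayers(html, maxDepth = 8) {
  const layers = [html];
  for (let d = 0; d < maxDepth; d++) {
    const args = extractUnescapeArgs(layers[layers.length - 1]);
    if (args.length === 0) break;
    layers.push(args.map(legacyUnescape).join('\n'));
  }
  return layers;
}

// What an analyst wants from the final layer: where iframes point, where
// forms submit to, and whether a script submits a form on its own.
function summarize(html) {
  const grab = re => Array.from(html.matchAll(re), m => m[1]);
  return {
    iframes: grab(/<iframe\b[^>]*\ssrc=["']?([^"'\s>]+)/gi),
    forms: grab(/<form\b[^>]*\saction=["']?([^"'\s>]+)/gi),
    autoSubmit: /\.submit\(\)/.test(html),
  };
}

function analyze(html) {
  const layers = peelLayers(html);
  return { depth: layers.length - 1, ...summarize(layers[layers.length - 1]) };
}

// Constructed stand-in for hip.html: ad pop-ups plus a one-pixel iframe.
const HIP_PLAIN = [
  '<html><body>',
  '<script src="http://ads.example.invalid/popunder.js"></script>',
  '<script>window.open("http://ads.example.invalid/pop1.html")</script>',
  '<iframe src="h1q0o2w9i.html" width="1" height="1"></iframe>',
  '</body></html>',
].join('\n');
const HIP_HTML = '<script>document.write(unescape("' + pctEncodeAll(HIP_PLAIN) + '"))</script>';

// Constructed stand-in for the iframe target: a hidden bulletin form that
// submits itself as soon as the page loads (placeholder endpoint).
const INNER_PLAIN = [
  '<form name="b" method="post" action="http://site.example.invalid/bulletin/post">',
  '<input type="hidden" name="subject" value="hip graphics for your page">',
  '<input type="hidden" name="body" value="check out http://graphics.example.invalid/hip.html">',
  '</form><script>document.b.submit()</script>',
].join('\n');
const INNER_HTML = '<script>document.write(unescape("' + pctEncodeAll(INNER_PLAIN) + '"))</script>';

// Same thing wrapped a second time, to show nested layers being peeled.
const DOUBLE_HTML = '<script>document.write(unescape("' + pctEncodeAll(INNER_HTML) + '"))</script>';

console.log('hip.html       ->', analyze(HIP_HTML));
console.log('h1q0o2w9i.html ->', analyze(INNER_HTML));
console.log('double-wrapped ->', analyze(DOUBLE_HTML));
```

The decoder is deliberately dumb about JavaScript: it only looks for string literals handed to unescape(), which is enough for this family of pages and keeps the sample from ever being executed. For anything that builds the string at runtime, run it in a sandboxed browser with document.write hooked instead.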



Well, well, look at that. Pretty sneaky. It is using a script to post the original message (see the first picture at the top) into the targeted user's bulletin space, as that user. This is what causes the auto bulletin posting.

This is also where the normal non-tech user says - "Whoa, I didn't post that bulletin, what the hell is going on here??"

Myspace attempts to block the use of most scripts on their pages, and this is why the link has to take the targeted user off to a third-party site. The script runs there instead, but when that page submits its form back to Myspace the browser still attaches the user's Myspace session cookie, so the bulletin is accepted as if the user had posted it (a cross-site request forgery).

So basically, users click on the link and the bulletin is auto-posted "by the user" back to all their friends, who then in turn repeat the process. This lets it propagate around Myspace like a worm. But for what reason?

In this example, it looks like it is just being used to increase web traffic to a site and therefore increase advertising revenue for whoever owns Graphic-Myspace.

However, I have seen this trick used to spread Myspace phishing attacks, and it could be used to spread nasty malware designed to steal your bank login information.

Myspace is a ripe picking ground of non-tech people who can be tricked, and the bad guys know this. Sooner or later they will use this fact to their advantage - which might be a very bad thing for you.
