MySpace Phishing Attack Leads Users to Zango Adware

An anonymous reader writes "Security site Spywareguide.com reports that a new worm is doing the rounds on MySpace. Taking advantage of the HREF feature in Quicktime movies, a fake login bar is displayed on infected users profiles via some JavaScript coding. If you login (via one of the many hacked servers hosting the JavaScript and movie file) you'll find you start spamming messages containing a pornographic movie. That movie leads to a site that's pushing Zango Adware left, right and center. Is this more evidence that Zango has yet to clean up their affiliate networks?"

Some more info and removal instructions

[wpmegee]

Lolo has written a pretty good MySpace blog entry about this, along with some removal instructions (in the comments and in my post also). One of this guy's hobbies is exposing MySpace scammers. He actually predicted about a week ago that an exploit like this would happen. Friend him if you have a MySpace. I can't tell who came up with this information first, Lolo or these guys but Lolo may have gotten there first. Either way you need to read his blog posts if you use MySpace...

Please note that you can be infected by this virus by simply viewing an infected profile. It doesn't matter what browser you use, I was using Firefox 2.0 with AdBlockPlus and a decent filterset updater and was infected. I DO NOT believe it steals your password without going to the fake login page. So if your profile gets infected you are probably fine simply removing it

Here's how to remove it:

Use the FIND command or CTRL F to find the word LOGIN.

It starts with this line of code ... I have stripped out the first "

style type="text/css"
div table td font { display: none }
div div table tr td a.navbar, div div table tr td font { display: none }
.testnav { position:absolute; top: 136px; left:50%; _top: 146px

The code was at the very end/bottom of my ABOUT ME section.

It then continues with an obvious line of code for the menu choices. I stripped out the code and the page is fine ... FOR NOW!

To truly protect yourself you need to adblock the offending Quicktime object - or better yet all .mov files.

Re:Some more info and removal instructions

[zlogic]

I'd recommend using the Stop Autoplay extension for Firefox. It works just like Flashblock, but for movies and sounds. And it blocks background sounds and music as well.

It's hard to control affiliates.

[metalhed77]

Listen, in any affiliate program policing affiliates can be impossible. I think Zango's a disreputable and disgusting company, but that doesn't mean they're guilty in this case. Blame the affiliates.

Re:Quicktime is the problem?

[Roy+van+Rijn]

This is indeed a MySpace problem. Using simple Javascript it could simulate user actions and is thus vulnarable.
The problem with the web is always a two-folded, rich content and possibilities but still secure..

One more thing you could do with Javascript is having a simple PHP script that writes this to your database:
'clipboardData.getData("Text");'

This does exacly what you think it does, fetch your clipboard data (might contain personal stuff!!). Lot of people copy-paste things like passwords and forget its still on the clipboard.

One more (older) snippet I found, doesn't work with most PC's nowadays:
A piece of VBSCRIPT you could put on your website, it opens the visitors CD-tray ;-)

Set oWMP = CreateObject("WMPlayer.OCX.7" )
Set colCDROMs = oWMP.cdromCollection

if colCDROMs.Count >= 1 then
For i = 0 to colCDROMs.Count - 1
colCDROMs.Item(i).Eject
Next ' cdrom
End If

There are so many things/snippets to be discovered and used for evil purposes.. :-(

[Slightly OT] Phishing -- a partial solution

[shreevatsa]

1. Phishing attacks are becoming more common, and obviously, it is necessary for all users to be more cautious about exactly where they are entering their passwords -- this means being very alert to the contents of the URL bar (so as to not be deceived by things like "http://www.google.com.blahblah.phisher.tripod.com /google..."), and also not being misled by javascript window-within-window things that make something else look like the URL bar, etc. All this probably requires a greater level of attention than is within the capabilities of, say, old people (or even those teenagers on MySpace). So how do you make sure you don't give away your password to the wrong guys?
2. A common phishing-like attack is to somehow hack into some low-security site and get some username-password pairs, then try them at other sites. As you might guess, this trick is quite effective, because most people use the same password everywhere. Remembering hundreds of different hard-to-guess strings is somewhat hard, after all.

So given that Grandma is going to use the same password everywhere, and isn't going to be very alert to phishing, how do you still make it safe for her to use the internet? (Or, if you don't care about Grandma: How can you get away with remembering only one password and be reasonably safe against phishing?)

There is a solution that's simple, effective, and comes at no cost -- no changes to the "user experience". It's PwdHash, developed by Dan Boneh and others at Stanford. It's available as a Firefox extension. Basically, to use it, you just pick for each site (while registering or changing the password) a password and prefix it with "@@". It could even be the same password for all sites. PwdHash will transparently convert the password you typed into a one-way hash based on the site's domain, so that the password with which you are registered on the site is actually something other than what you typed -- but you don't need to know what it is, because the next time you visit the site, you again type your password (begining with "@@"), and PwdHash will send the site your correct password (does the same thing again). So if a phisher (who is by definition on some other domain) tries to steal your password, he actually gets a different one from what the correct site would get. (Oh, and PwdHash warns you if you type "@@" into something that is not a password field.) Everything else works the same -- all you have to do is to consistently type "@@" before your password each time (or hit F2, alternatively). The idea of domain-based generators is not, new, but the beauty of this one is that it fits perfectly into one's existing workflow. A long as you ask Grandma to pick a password that "begins with" @@, you can be sure no phishing website will get her password. (Of course, it is still susceptible to email scams and malware programs, but at least safety while browsing is taken care of.)
The researchers demonstrate it as a solution to phishing, but I use it simply because remembering too many passwords is a pain. And it's by some of the top Crypto researchers, so you can be quite sure it doesn't have any stupid vulnerabilities. Read the paper (or see the Powerpoint presentation if you'd prefer it) for a more in-depth consideration of other issues. (Interestingly, one of the co-authors is Stanford student and Firefox guy Blake Ross.)

Re:[Slightly OT] Phishing -- a partial solution

[shreevatsa]

No. If you are in a place where you can't use the extension (cybercafe, someone else's computer, etc.), you can go to http://www.pwdhash.com/ and generate it there. You can also get it as a bookmarklet instead of an extension, BTW.

Re:[Slightly OT] Phishing -- a partial solution

[shreevatsa]

The implementation is available, and you can generate the hashed passwords yourself, even offline. Save the implementation and put it somewhere you're sure won't go down.
I doubt the project will die, though.

Firefox Extension: NoScript

[shodai]

Firefox: NoScript.
Extra protection for your Firefox: NoScript allows JavaScript, Java and other executable content only for trusted domains of your choice, e.g. your home-banking web site. This whitelist based preemptive blocking approach prevents exploitation of security vulnerabilities (known and even unknown!) with no loss of functionality... Experts do agree: Firefox is really safer with NoScript ;-)

Re:Quicktime is the problem?

[scsscs]

Because MySpace doesn't allow javascript. Using the movie gets around the filters.

Re:How do you get rid of Zango?

[dotbenjamin]

Spybot: Search & Destroy will handle it. And it's freeware.

Re:What idiot at Apple put that in?

[NMerriam]

That's got to come out of Quicktime players. They're a huge security hole now. That's just unacceptable.

What security hole? Quicktime is a multimedia authoring and playback tool, just like Flash, RealPlayer, WMP, and every other multimedia system. It needs to be able to get media, display it, and allow interactive behavior just like every other multimedia program. You could create the exact same "security hole" using 100% W3C-approved SMIL.

The only security hole is the server allowing unauthorized Javascript to initiate MySpace user actions without any confirmation. Someone clever realized that the Javascript blocks wouldn't recognize JS sent from the plugin -- that doesn't mean the plugin has a security hole, it means the web application itself was vulnerable to a malicious injection of code from perfectly normal and common network behavior. The plugin worked perfectly and didn't do anything sketchy with the OS or network. If allowing code to be sent is a security hole then every browser has a huge security hole called the anchor tag.