MySpace Phishing Attack Leads Users to Zango Adware

An anonymous reader writes "Security site Spywareguide.com reports that a new worm is doing the rounds on MySpace. Taking advantage of the HREF feature in Quicktime movies, a fake login bar is displayed on infected users profiles via some JavaScript coding. If you login (via one of the many hacked servers hosting the JavaScript and movie file) you'll find you start spamming messages containing a pornographic movie. That movie leads to a site that's pushing Zango Adware left, right and center. Is this more evidence that Zango has yet to clean up their affiliate networks?"

Sigh

[0123456]

I remember the days when a movie file was... a movie file. What kind of idiot lets people access the web or, worse, run Javascript, from a bloody movie?

Re:Sigh

[suv4x4]

Well, at least it'll get fixed now...

It won't get fixed because it's not a bug. Face the reality: the only way to "fix" phishing attacks is by taking away the computers of everyone.

Phishers just concentrate on the easiest method available. You take it away: they find another method. They don't need scripting at all.

Re:Sigh

[Anne+Thwacks]

There are two reliable methods by whch all spamming, phishing, etc could be stopped for good:

(1) Use of cruise missiles against the perpetrators

(2)the same what that on-line gambling was stopped - action against the credit card companies.

All this stuff is for monitary reward - read "credit card transactions". No Credit card involvement means no problem.

And dont come with that "its the foreigners doing it" Who ever is doing it, its Americans paying, with American credit cards and banks. None of the stuff being pushed thro spam is physically available to anyone else. All the phishing is to take credit card details, and all the credit cards are American.

As been said time and time again .... Follow the MONEY

Some more info and removal instructions

[wpmegee]

Lolo has written a pretty good MySpace blog entry about this, along with some removal instructions (in the comments and in my post also). One of this guy's hobbies is exposing MySpace scammers. He actually predicted about a week ago that an exploit like this would happen. Friend him if you have a MySpace. I can't tell who came up with this information first, Lolo or these guys but Lolo may have gotten there first. Either way you need to read his blog posts if you use MySpace...

Please note that you can be infected by this virus by simply viewing an infected profile. It doesn't matter what browser you use, I was using Firefox 2.0 with AdBlockPlus and a decent filterset updater and was infected. I DO NOT believe it steals your password without going to the fake login page. So if your profile gets infected you are probably fine simply removing it

Here's how to remove it:

Use the FIND command or CTRL F to find the word LOGIN.

It starts with this line of code ... I have stripped out the first "

style type="text/css"
div table td font { display: none }
div div table tr td a.navbar, div div table tr td font { display: none }
.testnav { position:absolute; top: 136px; left:50%; _top: 146px

The code was at the very end/bottom of my ABOUT ME section.

It then continues with an obvious line of code for the menu choices. I stripped out the code and the page is fine ... FOR NOW!

To truly protect yourself you need to adblock the offending Quicktime object - or better yet all .mov files.

Re:Some more info and removal instructions

[zlogic]

I'd recommend using the Stop Autoplay extension for Firefox. It works just like Flashblock, but for movies and sounds. And it blocks background sounds and music as well.

Quicktime is the problem?

[Ark42]

Sounds like MySpace is the problem here.

To summarize, I think that the situation goes like this: A user places a movie file on their page manually to start with. People visiting that page view the movie which loads a link containing javascript. The javascript modified that MySpace user's profile to include the movie somehow.

Why do you even need a movie for this to happen? Why can javascript just change an entire MySpace page around? It sounds like the entire problem here is that MySpace users get too much customization abilities over their pages. A simple onload="infectuser()" javascript line would seem to me like it could accomplish the same worm effect.

Re:Quicktime is the problem?

[Roy+van+Rijn]

This is indeed a MySpace problem. Using simple Javascript it could simulate user actions and is thus vulnarable.
The problem with the web is always a two-folded, rich content and possibilities but still secure..

One more thing you could do with Javascript is having a simple PHP script that writes this to your database:
'clipboardData.getData("Text");'

This does exacly what you think it does, fetch your clipboard data (might contain personal stuff!!). Lot of people copy-paste things like passwords and forget its still on the clipboard.

One more (older) snippet I found, doesn't work with most PC's nowadays:
A piece of VBSCRIPT you could put on your website, it opens the visitors CD-tray ;-)

Set oWMP = CreateObject("WMPlayer.OCX.7" )
Set colCDROMs = oWMP.cdromCollection

if colCDROMs.Count >= 1 then
For i = 0 to colCDROMs.Count - 1
colCDROMs.Item(i).Eject
Next ' cdrom
End If

There are so many things/snippets to be discovered and used for evil purposes.. :-(

Re:Quicktime is the problem?

[scsscs]

Because MySpace doesn't allow javascript. Using the movie gets around the filters.

Re:systems prone to this?

[Neil+Hodges]

There's no way that's true; the Zango adware itself is written for Windows and thus would never be installed on other operating systems. The ads themselves, however, would still come.

Re:How do you get rid of Zango?

Um... Add or Remove Programs?

[Slightly OT] Phishing -- a partial solution

[shreevatsa]

1. Phishing attacks are becoming more common, and obviously, it is necessary for all users to be more cautious about exactly where they are entering their passwords -- this means being very alert to the contents of the URL bar (so as to not be deceived by things like "http://www.google.com.blahblah.phisher.tripod.com /google..."), and also not being misled by javascript window-within-window things that make something else look like the URL bar, etc. All this probably requires a greater level of attention than is within the capabilities of, say, old people (or even those teenagers on MySpace). So how do you make sure you don't give away your password to the wrong guys?
2. A common phishing-like attack is to somehow hack into some low-security site and get some username-password pairs, then try them at other sites. As you might guess, this trick is quite effective, because most people use the same password everywhere. Remembering hundreds of different hard-to-guess strings is somewhat hard, after all.

So given that Grandma is going to use the same password everywhere, and isn't going to be very alert to phishing, how do you still make it safe for her to use the internet? (Or, if you don't care about Grandma: How can you get away with remembering only one password and be reasonably safe against phishing?)

There is a solution that's simple, effective, and comes at no cost -- no changes to the "user experience". It's PwdHash, developed by Dan Boneh and others at Stanford. It's available as a Firefox extension. Basically, to use it, you just pick for each site (while registering or changing the password) a password and prefix it with "@@". It could even be the same password for all sites. PwdHash will transparently convert the password you typed into a one-way hash based on the site's domain, so that the password with which you are registered on the site is actually something other than what you typed -- but you don't need to know what it is, because the next time you visit the site, you again type your password (begining with "@@"), and PwdHash will send the site your correct password (does the same thing again). So if a phisher (who is by definition on some other domain) tries to steal your password, he actually gets a different one from what the correct site would get. (Oh, and PwdHash warns you if you type "@@" into something that is not a password field.) Everything else works the same -- all you have to do is to consistently type "@@" before your password each time (or hit F2, alternatively). The idea of domain-based generators is not, new, but the beauty of this one is that it fits perfectly into one's existing workflow. A long as you ask Grandma to pick a password that "begins with" @@, you can be sure no phishing website will get her password. (Of course, it is still susceptible to email scams and malware programs, but at least safety while browsing is taken care of.)
The researchers demonstrate it as a solution to phishing, but I use it simply because remembering too many passwords is a pain. And it's by some of the top Crypto researchers, so you can be quite sure it doesn't have any stupid vulnerabilities. Read the paper (or see the Powerpoint presentation if you'd prefer it) for a more in-depth consideration of other issues. (Interestingly, one of the co-authors is Stanford student and Firefox guy Blake Ross.)

Re:[Slightly OT] Phishing -- a partial solution

[shreevatsa]

No. If you are in a place where you can't use the extension (cybercafe, someone else's computer, etc.), you can go to http://www.pwdhash.com/ and generate it there. You can also get it as a bookmarklet instead of an extension, BTW.

Re:[Slightly OT] Phishing -- a partial solution

[ArizonaJer]

One concern I'd have is: What if the PwdHash project dies and their site goes offline permanently? And let's presume that the extension is also no longer available, or just that you're using a computer without it. As I understand it, the user would then have no way of generating or even knowing what his/her passwords are.

In this situation, you'd have to reset all your passwords, but even that would be tricky because many sites demand your old password before you set a new one.

I suppose one could use the PwdHash site's form to generate all one's hashed passwords and then store them locally in an encrypted file. But I thought one purpose of PwdHash was to make password management easier, not harder.

Re:[Slightly OT] Phishing -- a partial solution

[shreevatsa]

The implementation is available, and you can generate the hashed passwords yourself, even offline. Save the implementation and put it somewhere you're sure won't go down.
I doubt the project will die, though.

Firefox Extension: NoScript

[shodai]

Firefox: NoScript.
Extra protection for your Firefox: NoScript allows JavaScript, Java and other executable content only for trusted domains of your choice, e.g. your home-banking web site. This whitelist based preemptive blocking approach prevents exploitation of security vulnerabilities (known and even unknown!) with no loss of functionality... Experts do agree: Firefox is really safer with NoScript ;-)

Re:"Clean up"? What do you expect?

[Anne+Thwacks]

Do you expect Mafia bosses to "clean up" the actions of their "affilates?"

Zango are the filthiest scum outside of Al Quieda.

Re:How do you get rid of Zango?

[dotbenjamin]

Spybot: Search & Destroy will handle it. And it's freeware.

Re:What idiot at Apple put that in?

[NMerriam]

That's got to come out of Quicktime players. They're a huge security hole now. That's just unacceptable.

What security hole? Quicktime is a multimedia authoring and playback tool, just like Flash, RealPlayer, WMP, and every other multimedia system. It needs to be able to get media, display it, and allow interactive behavior just like every other multimedia program. You could create the exact same "security hole" using 100% W3C-approved SMIL.

The only security hole is the server allowing unauthorized Javascript to initiate MySpace user actions without any confirmation. Someone clever realized that the Javascript blocks wouldn't recognize JS sent from the plugin -- that doesn't mean the plugin has a security hole, it means the web application itself was vulnerable to a malicious injection of code from perfectly normal and common network behavior. The plugin worked perfectly and didn't do anything sketchy with the OS or network. If allowing code to be sent is a security hole then every browser has a huge security hole called the anchor tag.

Re:What idiot at Apple put that in?

[Kesh]

Quicktime is not a video encoding format, it's a media package. It has been used for interactive behavior, for years. So, I don't see it coming out anytime soon.