Follow Slashdot stories on Twitter

 



Forgot your password?
typodupeerror
×
Worms Security The Internet

MySpace Phishing Attack Leads Users to Zango Adware 95

An anonymous reader writes "Security site Spywareguide.com reports that a new worm is doing the rounds on MySpace. Taking advantage of the HREF feature in Quicktime movies, a fake login bar is displayed on infected users profiles via some JavaScript coding. If you login (via one of the many hacked servers hosting the JavaScript and movie file) you'll find you start spamming messages containing a pornographic movie. That movie leads to a site that's pushing Zango Adware left, right and center. Is this more evidence that Zango has yet to clean up their affiliate networks?"
This discussion has been archived. No new comments can be posted.

MySpace Phishing Attack Leads Users to Zango Adware

Comments Filter:
  • I switched to FireFox, but it would be nice to be able to use Internet Explorer without Zango. I've tried several times to get rid of it with Ad-Aware. Anybody know how an easy way to get rid of it?
  • Sigh (Score:5, Insightful)

    by 0123456 ( 636235 ) on Saturday December 02, 2006 @12:22PM (#17081284)
    I remember the days when a movie file was... a movie file. What kind of idiot lets people access the web or, worse, run Javascript, from a bloody movie?
    • This is the kind of 'feature' I'd expect from a format like WMV, not Quicktime. One would hope that Apple would at least be competent enough to consider the security implications of a feature like that before adding it. Well, at least it'll get fixed now...
      • Re:Sigh (Score:4, Insightful)

        by suv4x4 ( 956391 ) on Saturday December 02, 2006 @12:40PM (#17081428)
        Well, at least it'll get fixed now...

        It won't get fixed because it's not a bug. Face the reality: the only way to "fix" phishing attacks is by taking away the computers of everyone.

        Phishers just concentrate on the easiest method available. You take it away: they find another method. They don't need scripting at all.
          1. Phishing attacks are becoming more common, and obviously, it is necessary for all users to be more cautious about exactly where they are entering their passwords -- this means being very alert to the contents of the URL bar (so as to not be deceived by things like "http://www.google.com.blahblah.phisher.tripod.com /google..."), and also not being misled by javascript window-within-window things that make something else look like the URL bar, etc. All this probably requires a greater level of attention than is within the capabilities of, say, old people (or even those teenagers on MySpace). So how do you make sure you don't give away your password to the wrong guys?
          2. A common phishing-like attack is to somehow hack into some low-security site and get some username-password pairs, then try them at other sites. As you might guess, this trick is quite effective, because most people use the same password everywhere. Remembering hundreds of different hard-to-guess strings is somewhat hard, after all.
          So given that Grandma is going to use the same password everywhere, and isn't going to be very alert to phishing, how do you still make it safe for her to use the internet? (Or, if you don't care about Grandma: How can you get away with remembering only one password and be reasonably safe against phishing?)

          There is a solution that's simple, effective, and comes at no cost -- no changes to the "user experience". It's PwdHash [stanford.edu], developed by Dan Boneh [stanford.edu] and others at Stanford. It's available as a Firefox extension [mozilla.org]. Basically, to use it, you just pick for each site (while registering or changing the password) a password and prefix it with "@@". It could even be the same password for all sites. PwdHash will transparently convert the password you typed into a one-way hash based on the site's domain, so that the password with which you are registered on the site is actually something other than what you typed -- but you don't need to know what it is, because the next time you visit the site, you again type your password (begining with "@@"), and PwdHash will send the site your correct password (does the same thing again). So if a phisher (who is by definition on some other domain) tries to steal your password, he actually gets a different one from what the correct site would get. (Oh, and PwdHash warns you if you type "@@" into something that is not a password field.) Everything else works the same -- all you have to do is to consistently type "@@" before your password each time (or hit F2, alternatively). The idea of domain-based generators is not [hashapass.com], new [sysprosoft.com], but the beauty of this one is that it fits perfectly into one's existing workflow. A long as you ask Grandma to pick a password that "begins with" @@, you can be sure no phishing website will get her password. (Of course, it is still susceptible to email scams and malware programs, but at least safety while browsing is taken care of.)
          The researchers demonstrate it as a solution to phishing, but I use it simply because remembering too many passwords is a pain. And it's by some of the top Crypto researchers, so you can be quite sure it doesn't have any stupid vulnerabilities. Read the paper [stanford.edu] (or see the Powerpoint presentation [stanford.edu] if you'd prefer it) for a more in-depth consideration of other issues. (Interestingly, one of the co-authors is Stanford student and Firefox guy Blake Ross [wikipedia.org].)
          • But you have to have the extension installed to access your accounts. To me, that's a significant disadvantage and makes the solution essentially worthless.
            • Re: (Score:3, Informative)

              by shreevatsa ( 845645 )
              No. If you are in a place where you can't use the extension (cybercafe, someone else's computer, etc.), you can go to http://www.pwdhash.com/ [pwdhash.com] and generate it there. You can also get it as a bookmarklet instead of an extension, BTW.
              • Re: (Score:2, Interesting)

                by ArizonaJer ( 585786 )
                One concern I'd have is: What if the PwdHash project dies and their site goes offline permanently? And let's presume that the extension is also no longer available, or just that you're using a computer without it. As I understand it, the user would then have no way of generating or even knowing what his/her passwords are.

                In this situation, you'd have to reset all your passwords, but even that would be tricky because many sites demand your old password before you set a new one.

                I suppose one could use t

                • Re: (Score:2, Informative)

                  by shreevatsa ( 845645 )
                  The implementation is available [stanford.edu], and you can generate the hashed passwords yourself, even offline. Save the implementation and put it somewhere you're sure won't go down.
                  I doubt the project will die, though.
          • The discussion is deliberately nontechnical, but I did a comparison of password generator utilities [berylliumsphere.com] last year and pwdhash came out on top.
        • Re: (Score:3, Interesting)

          There are two reliable methods by whch all spamming, phishing, etc could be stopped for good:

          (1) Use of cruise missiles against the perpetrators

          (2)the same what that on-line gambling was stopped - action against the credit card companies.

          All this stuff is for monitary reward - read "credit card transactions". No Credit card involvement means no problem.

          And dont come with that "its the foreigners doing it" Who ever is doing it, its Americans paying, with American credit cards and banks. None of the stu

        • Face the reality: the only way to "fix" phishing attacks is by taking away the computers of everyone else.

          There, I fixed it for you.

    • by suv4x4 ( 956391 )
      I remember the days when a movie file was... a movie file. What kind of idiot lets people access the web or, worse, run Javascript, from a bloody movie?

      Apple.

      You can do that from Flash as well.
    • by MrCoke ( 445461 )
      Nobody is demanding from those users to click the movie, the email-address containing the phishing address or opening a funny picture from an email.

      They want it. They don't care about the consequenses. Not because they like to wreck the internet, just because they don't know any better.
      • by 0123456 ( 636235 )
        "Nobody is demanding from those users to click the movie, the email-address containing the phishing address or opening a funny picture from an email."

        Right. Blame the users rather than the programmers or designers who put such a retarded security hole into a movie file format... anything that lets files access the web without user intervention is inevitably going to be exploited.
      • Funny. Last time I checked ignorance isn't an excuse when you break the law unknowingly. Why should it be in this case?

        PCs are like cars. They require maintenance. If you don't want to take the responsibility of keeping your machine up to date and clean of viruses then don't bother getting a PC. I think this is what geeks/nerds get for trying to make PCs mainstream. Now we have to deal with the garbage and clean up others' messes. I guess they get their's when they see the bill we give them ;)

        On the f
    • by Inda ( 580031 )
      What is this "My Space" that everyone keeps talking about? It sounds gorgeously fun.
    • by Firehed ( 942385 )
      While I wholeheartedly agree, it is VERY useful for video podcasts. No mucking about with timeshifting to try getting a URL they're mentioning, just click on the link in the subtitle.
  • by wpmegee ( 325603 ) <wpmegee@yaTIGERhoo.com minus cat> on Saturday December 02, 2006 @12:37PM (#17081400)
    Lolo [myspace.com] has written a pretty good MySpace blog entry [myspace.com] about this, along with some removal instructions (in the comments and in my post also). One of this guy's hobbies is exposing MySpace scammers. He actually predicted about a week ago that an exploit like this would happen. Friend him if you have a MySpace. I can't tell who came up with this information first, Lolo or these guys but Lolo may have gotten there first. Either way you need to read his blog posts if you use MySpace...

    Please note that you can be infected by this virus by simply viewing an infected profile. It doesn't matter what browser you use, I was using Firefox 2.0 with AdBlockPlus and a decent filterset updater and was infected. I DO NOT believe it steals your password without going to the fake login page. So if your profile gets infected you are probably fine simply removing it

    Here's how to remove it:


    Use the FIND command or CTRL F to find the word LOGIN.

    It starts with this line of code ... I have stripped out the first "
    style type="text/css"
    div table td font { display: none }
    div div table tr td a.navbar, div div table tr td font { display: none }
    .testnav { position:absolute; top: 136px; left:50%; _top: 146px
    The code was at the very end/bottom of my ABOUT ME section.

    It then continues with an obvious line of code for the menu choices. I stripped out the code and the page is fine ... FOR NOW!


    To truly protect yourself you need to adblock the offending Quicktime object - or better yet all .mov files.
  • by Anonymous Coward
    Pardon my ignorance, but is this is a problem for Windows users only? Or Mac too? Linux? Or is javascript the problem (making any system vulnerable)?
    • It sounds to me like any OS that supports the QuickTime Plugin that allows JavaScript to be run in a movie would be affected.
      • Re: (Score:2, Insightful)

        by Neil Hodges ( 960909 )

        There's no way that's true; the Zango adware itself is written for Windows and thus would never be installed on other operating systems. The ads themselves, however, would still come.

  • Listen, in any affiliate program policing affiliates can be impossible. I think Zango's a disreputable and disgusting company, but that doesn't mean they're guilty in this case. Blame the affiliates.
  • What idiot at Apple put a giant hole like this in?
    An automatic URL loads as a movie is playing at the exact frame specified by a text descriptor timestamp in the HREF track. With automatic URLs, you can create a narrated tour of a website, use web pages as slides in a presentation, activate a JavaScript command, or do anything else that requires loading movies or web pages in a predetermined sequence.

    That's got to come out of Quicktime players. They're a huge security hole now. That's just unaccepta

    • by NMerriam ( 15122 ) <NMerriam@artboy.org> on Saturday December 02, 2006 @03:50PM (#17083084) Homepage
      That's got to come out of Quicktime players. They're a huge security hole now. That's just unacceptable.


      What security hole? Quicktime is a multimedia authoring and playback tool, just like Flash, RealPlayer, WMP, and every other multimedia system. It needs to be able to get media, display it, and allow interactive behavior just like every other multimedia program. You could create the exact same "security hole" using 100% W3C-approved SMIL.

      The only security hole is the server allowing unauthorized Javascript to initiate MySpace user actions without any confirmation. Someone clever realized that the Javascript blocks wouldn't recognize JS sent from the plugin -- that doesn't mean the plugin has a security hole, it means the web application itself was vulnerable to a malicious injection of code from perfectly normal and common network behavior. The plugin worked perfectly and didn't do anything sketchy with the OS or network. If allowing code to be sent is a security hole then every browser has a huge security hole called the anchor tag.
      • by Mr2001 ( 90979 )
        No, QuickTime doesn't need to "allow interactive behavior". It just needs to play video. If I want interactive behavior, I'll use Flash or Java.
        • by Kesh ( 65890 )
          Quicktime is not a video encoding format, it's a media package. It has been used for interactive behavior, for years. So, I don't see it coming out anytime soon.
        • by NMerriam ( 15122 )

          No, QuickTime doesn't need to "allow interactive behavior". It just needs to play video. If I want interactive behavior, I'll use Flash or Java.

          Hi, 1991 is calling. Quicktime was created from the very beginning, and has always been, a complete interactive multimedia development and presentation system. Most of the multimedia CD-ROMs produced in the 90s were just giant Quicktime applications. In fact, it can play most Flash files, so trying to make a distinction between Quicktime and Flash features is most

          • by Mr2001 ( 90979 )
            Thanks for your response, 1991. I appreciate the information, but you can have your "interactive multimedia development and presentation system" back. Here in the future, when we want an interactive presentation, we use Flash or Java as noted earlier. It's crazy, I know, but QuickTime didn't really take over the world like one might have expected.

            Also, sell your Pan Am stock and put the money on Australia to win the Rugby World Cup, and Arkansas governor Bill Clinton to win the presidential election next ye
            • by NMerriam ( 15122 )

              Here in the future, when we want an interactive presentation, we use Flash or Java as noted earlier.

              The Flash plugin has all the same "security vulnerabilities" of using Javascript as Quicktime does. Java can send JS, too! There is nothing even remotely unique or special about a plugin that supports Javascript. If you're on a mission to eradicate JS from the Internet, have fun raging against the machine. Changing Quicktime because you are as ignorant about the Internet as the average MySpace user is not a

            • ...but if you've got Windows Media Player, I can embed a script in Microsoft's .asx format and have WMP serve up whatever sort of mischief I can code up, cleverly hidden in an audio or video media file. Supposedly Microsoft has been paying attention to the issue, but just between you and me I wouldn't have your bank's login page open in IE while playing any unfamiliar .asx or .asf files:

              http://support.microsoft.com/kb/828026 [microsoft.com]

              * * * * * *

              Adobe Illustrator is a programmer's idea of how a graphic artist

              • by Mr2001 ( 90979 )
                Indeed. More stuff we don't really need. Why the hell should an audio or video stream be able to execute scripts?
        • by Lars T. ( 470328 )

          No, QuickTime doesn't need to "allow interactive behavior". It just needs to play video. If I want interactive behavior, I'll use Flash or Java.
          Another fool who never understood what Quicktime is. For the n-th time: Quicktime is not a movie player.
          • by Mr2001 ( 90979 )
            Well, it sure seems to be necessary for playing certain types of movie files. Perhaps our friends at Apple should separate the movie playing part out, so those of us who don't care about playing interactive QuickTime files can avoid security holes like this one.
            • Re: (Score:1, Flamebait)

              by Lars T. ( 470328 )

              Well, it sure seems to be necessary for playing certain types of movie files. Perhaps our friends at Apple should separate the movie playing part out, so those of us who don't care about playing interactive QuickTime files can avoid security holes like this one.
              Why exactly should Apple do that? Any decent programmer could write one themself. But obviously there aren't any in the Windows camp.
              • by Mr2001 ( 90979 )
                Why exactly should Apple do that?

                So people could play movie files that are stored in Apple's format without exposing themselves to security risks such as this one, thereby allowing .MOV to hold on to some shred of relevance on platforms other than OS X.

                Any decent programmer could write one themself. But obviously there aren't any in the Windows camp.

                Oh, now I get it. You're one of those.
                • by Lars T. ( 470328 )
                  One of those? Ohh, you mean not one of those Windows Weenies who can't program?
                  • by Mr2001 ( 90979 )
                    I mean one of those pompous idiots who thinks no one in the Windows world can program, and that writing your own video plugin just to avoid the security risks of Apple's player is a sign of machismo, rather than masochism.
                    • by Lars T. ( 470328 )

                      I mean one of those pompous idiots who thinks no one in the Windows world can program,
                      Ohh, absolutely not - too bad that those who can programm only bother with malware.
                    • by Mr2001 ( 90979 )
                      Wow. Please, keep posting, your ignorance is hilarious.
                    • by Lars T. ( 470328 )
                      That's funny coming from somebody who doesn't know what Quicktime is.
  • by Ark42 ( 522144 ) <slashdot@morpheu s s o f t w a r e . net> on Saturday December 02, 2006 @12:59PM (#17081576) Homepage

    Sounds like MySpace is the problem here.

    To summarize, I think that the situation goes like this: A user places a movie file on their page manually to start with. People visiting that page view the movie which loads a link containing javascript. The javascript modified that MySpace user's profile to include the movie somehow.

    Why do you even need a movie for this to happen? Why can javascript just change an entire MySpace page around? It sounds like the entire problem here is that MySpace users get too much customization abilities over their pages. A simple onload="infectuser()" javascript line would seem to me like it could accomplish the same worm effect.
    • Mod parent up: MySpace is the problem. They are not vetting any user submissions, and that, to me, seems like a real problem. Even email lists let moderators vet submitters content. Its something that is not new to the web, and therefore, MySpace should already have been vetting submissions.

      Yeah, its a tough job, but it needs to be done. Maybe they can work out a deal with one of the antivirus companies?
    • Re: (Score:3, Informative)

      This is indeed a MySpace problem. Using simple Javascript it could simulate user actions and is thus vulnarable.
      The problem with the web is always a two-folded, rich content and possibilities but still secure..

      One more thing you could do with Javascript is having a simple PHP script that writes this to your database:
      'clipboardData.getData("Text");'

      This does exacly what you think it does, fetch your clipboard data (might contain personal stuff!!). Lot of people copy-paste things like passwords and
    • Is not the ability to customize, but the lack of confirmation, or a captcha. Because If you allowed to run movies trough flash,... that mean you allowed to run javascript. Running javascript as yourself mean other people can make ajax call, or whatever, to mimick yourself. Having captchas will stop that thing. But will make editing that profiles slighty slow, of course.
    • Re: (Score:2, Informative)

      by scsscs ( 669925 )
      Because MySpace doesn't allow javascript. Using the movie gets around the filters.
    • by Kuvter ( 882697 )
      Myspace doesn't allow user to use JavaScript. When you put JavaScript in your code on your profile it just changes it into "..." and doesn't work. That's why something like this work around came around to get JavaScript to run. Myspace did a reasonable amount to avoid this by blocking JavaScript, which made hackers get even sneakier. Hence the cycle begins again.
    • QuickTime is likely the cause in this particular case, but this is just one vector.

      Javascript XSS holes are a big potential problem and may be sometimes overlooked in development. It helps to understand how browsers parse HTML and inline event handlers such as onclick, onload, onerror etc. in HTML elements as mentioned, and to know some of the non-standard uses of javascript: protocol URLs and so on.

      As for protection, a lot of it comes down to how the developers sanitize or filter user-generated/editable

  • by shodai ( 970706 ) on Saturday December 02, 2006 @01:51PM (#17082004)
    Firefox: NoScript [mozilla.org].
    Extra protection for your Firefox: NoScript allows JavaScript, Java and other executable content only for trusted domains of your choice, e.g. your home-banking web site. This whitelist based preemptive blocking approach prevents exploitation of security vulnerabilities (known and even unknown!) with no loss of functionality... Experts do agree: Firefox is really safer with NoScript ;-)
  • So Zango is one problem, and not to digress, but when will MySpace do something about the scum that is True? Something tells me True must be paying them quite a hefty sum every month for the kind of placement they have on that site because MySpace sure as hell isn't doing it for the pristidigous brand name of True. Google it and look at the kind of results that pop up. They have many investigations going on against them right now and I'd say they're just as fraudulent as Zango.

  • And this makes me ponder why the fsck MySpace doesn't use SSL for their logins. Not that it necessarily helps against phishing if a convincing page is presented, but at least Firefox would politely make the address bar yellow and display the lock icon plus "login.myspace.com" (or whatever it is) in the status bar on the bottom-right corner of the browser.
    • by triso ( 67491 )
      What is the worst that could happen if I lost control of my MySpace account?
      • also say your looking for a job, like a college kid or what not, some employers check popular social networking sites for photos and such to determine the character of a person even though it may not be legal to do so. But say some user hacks your myspace and uses it to spam lots of porno ads and bam your turned down for an interview.
  • Just to be sure, has anyone checked to see if this is a joe-job? Shady competition in a shady area?

    Maybe this is the way nature/evolution handles things when laws don't work? Hey, I'm just asking.... :-)
  • A partial solution is actually pretty simple.

    It's a bit of a headache to work out the logistics, but the banks simply should not allow logging in with a general purpose browser. All sorts of things can be done with a special purpose browser, from preventing any transmission from proceeding when either side provides the correct encrypted response, to using one-time pads, ...

    And then I remember that, if there is spyware on the box, it's kind of hard to be sure that the one-time pad list, the encrypted respons
  • Hi, I'm new to this forum. I do have an online site where I publish affiliate sites. Is there an online website that posts all of the affiliates that may be using unethical means to increase their business on the various publisher's websites? I'm attempting to keep my family oriented site "clean" of any spyware, etc. Check it out at http://continue.to/lasvegas [continue.to] Please let me know if there is a site that tracks unethical affiliates. Thank you. Ed Denaut, Owner of Denaut International ejdena

"The following is not for the weak of heart or Fundamentalists." -- Dave Barry

Working...