MySpace Phishing Attack Leads Users to Zango Adware

An anonymous reader writes "Security site Spywareguide.com reports that a new worm is doing the rounds on MySpace. Taking advantage of the HREF feature in Quicktime movies, a fake login bar is displayed on infected users profiles via some JavaScript coding. If you login (via one of the many hacked servers hosting the JavaScript and movie file) you'll find you start spamming messages containing a pornographic movie. That movie leads to a site that's pushing Zango Adware left, right and center. Is this more evidence that Zango has yet to clean up their affiliate networks?"

How do you get rid of Zango?

I switched to FireFox, but it would be nice to be able to use Internet Explorer without Zango. I've tried several times to get rid of it with Ad-Aware. Anybody know how an easy way to get rid of it?

Re:How do you get rid of Zango?

Spybot: Search & Destroy [safer-networking.org] will handle it. And it's freeware.

Sigh

I remember the days when a movie file was... a movie file. What kind of idiot lets people access the web or, worse, run Javascript, from a bloody movie?

Re:Sigh

Well, at least it'll get fixed now...

It won't get fixed because it's not a bug. Face the reality: the only way to "fix" phishing attacks is by taking away the computers of everyone.

Phishers just concentrate on the easiest method available. You take it away: they find another method. They don't need scripting at all.

[Slightly OT] Phishing -- a partial solution

1. Phishing attacks are becoming more common, and obviously, it is necessary for all users to be more cautious about exactly where they are entering their passwords -- this means being very alert to the contents of the URL bar (so as to not be deceived by things like "http://www.google.com.blahblah.phisher.tripod.com /google..."), and also not being misled by javascript window-within-window things that make something else look like the URL bar, etc. All this probably requires a greater level of attention than is within the capabilities of, say, old people (or even those teenagers on MySpace). So how do you make sure you don't give away your password to the wrong guys?
2. A common phishing-like attack is to somehow hack into some low-security site and get some username-password pairs, then try them at other sites. As you might guess, this trick is quite effective, because most people use the same password everywhere. Remembering hundreds of different hard-to-guess strings is somewhat hard, after all.

So given that Grandma is going to use the same password everywhere, and isn't going to be very alert to phishing, how do you still make it safe for her to use the internet? (Or, if you don't care about Grandma: How can you get away with remembering only one password and be reasonably safe against phishing?)

There is a solution that's simple, effective, and comes at no cost -- no changes to the "user experience". It's PwdHash [stanford.edu], developed by Dan Boneh [stanford.edu] and others at Stanford. It's available as a Firefox extension [mozilla.org]. Basically, to use it, you just pick for each site (while registering or changing the password) a password and prefix it with "@@". It could even be the same password for all sites. PwdHash will transparently convert the password you typed into a one-way hash based on the site's domain, so that the password with which you are registered on the site is actually something other than what you typed -- but you don't need to know what it is, because the next time you visit the site, you again type your password (begining with "@@"), and PwdHash will send the site your correct password (does the same thing again). So if a phisher (who is by definition on some other domain) tries to steal your password, he actually gets a different one from what the correct site would get. (Oh, and PwdHash warns you if you type "@@" into something that is not a password field.) Everything else works the same -- all you have to do is to consistently type "@@" before your password each time (or hit F2, alternatively). The idea of domain-based generators is not [hashapass.com], new [sysprosoft.com], but the beauty of this one is that it fits perfectly into one's existing workflow. A long as you ask Grandma to pick a password that "begins with" @@, you can be sure no phishing website will get her password. (Of course, it is still susceptible to email scams and malware programs, but at least safety while browsing is taken care of.)
The researchers demonstrate it as a solution to phishing, but I use it simply because remembering too many passwords is a pain. And it's by some of the top Crypto researchers, so you can be quite sure it doesn't have any stupid vulnerabilities. Read the paper [stanford.edu] (or see the Powerpoint presentation [stanford.edu] if you'd prefer it) for a more in-depth consideration of other issues. (Interestingly, one of the co-authors is Stanford student and Firefox guy Blake Ross [wikipedia.org].)

Some more info and removal instructions

Lolo [myspace.com] has written a pretty good MySpace blog entry [myspace.com] about this, along with some removal instructions (in the comments and in my post also). One of this guy's hobbies is exposing MySpace scammers. He actually predicted about a week ago that an exploit like this would happen. Friend him if you have a MySpace. I can't tell who came up with this information first, Lolo or these guys but Lolo may have gotten there first. Either way you need to read his blog posts if you use MySpace...

Please note that you can be infected by this virus by simply viewing an infected profile. It doesn't matter what browser you use, I was using Firefox 2.0 with AdBlockPlus and a decent filterset updater and was infected. I DO NOT believe it steals your password without going to the fake login page. So if your profile gets infected you are probably fine simply removing it

Here's how to remove it:

Use the FIND command or CTRL F to find the word LOGIN.

It starts with this line of code ... I have stripped out the first "

style type="text/css"
div table td font { display: none }
div div table tr td a.navbar, div div table tr td font { display: none }
.testnav { position:absolute; top: 136px; left:50%; _top: 146px

The code was at the very end/bottom of my ABOUT ME section.

It then continues with an obvious line of code for the menu choices. I stripped out the code and the page is fine ... FOR NOW!

To truly protect yourself you need to adblock the offending Quicktime object - or better yet all .mov files.

Re:Some more info and removal instructions

I'd recommend using the Stop Autoplay [mozilla.org] extension for Firefox. It works just like Flashblock, but for movies and sounds. And it blocks background sounds and music as well.

systems prone to this?

Pardon my ignorance, but is this is a problem for Windows users only? Or Mac too? Linux? Or is javascript the problem (making any system vulnerable)?

It's hard to control affiliates.

Listen, in any affiliate program policing affiliates can be impossible. I think Zango's a disreputable and disgusting company, but that doesn't mean they're guilty in this case. Blame the affiliates.

What idiot at Apple put that in?

What idiot at Apple put a giant hole like this in?
An automatic URL loads as a movie is playing at the exact frame specified by a text descriptor timestamp in the HREF track. With automatic URLs, you can create a narrated tour of a website, use web pages as slides in a presentation, activate a JavaScript command, or do anything else that requires loading movies or web pages in a predetermined sequence.

That's got to come out of Quicktime players. They're a huge security hole now. That's just unacceptable.

Re:What idiot at Apple put that in?

That's got to come out of Quicktime players. They're a huge security hole now. That's just unacceptable.

What security hole? Quicktime is a multimedia authoring and playback tool, just like Flash, RealPlayer, WMP, and every other multimedia system. It needs to be able to get media, display it, and allow interactive behavior just like every other multimedia program. You could create the exact same "security hole" using 100% W3C-approved SMIL.

The only security hole is the server allowing unauthorized Javascript to initiate MySpace user actions without any confirmation. Someone clever realized that the Javascript blocks wouldn't recognize JS sent from the plugin -- that doesn't mean the plugin has a security hole, it means the web application itself was vulnerable to a malicious injection of code from perfectly normal and common network behavior. The plugin worked perfectly and didn't do anything sketchy with the OS or network. If allowing code to be sent is a security hole then every browser has a huge security hole called the anchor tag.

Quicktime is the problem?

Sounds like MySpace is the problem here.

To summarize, I think that the situation goes like this: A user places a movie file on their page manually to start with. People visiting that page view the movie which loads a link containing javascript. The javascript modified that MySpace user's profile to include the movie somehow.

Why do you even need a movie for this to happen? Why can javascript just change an entire MySpace page around? It sounds like the entire problem here is that MySpace users get too much customization abilities over their pages. A simple onload="infectuser()" javascript line would seem to me like it could accomplish the same worm effect.

Firefox Extension: NoScript

Firefox: NoScript [mozilla.org].
Extra protection for your Firefox: NoScript allows JavaScript, Java and other executable content only for trusted domains of your choice, e.g. your home-banking web site. This whitelist based preemptive blocking approach prevents exploitation of security vulnerabilities (known and even unknown!) with no loss of functionality... Experts do agree: Firefox is really safer with NoScript ;-)

Scammers/spammers

So Zango is one problem, and not to digress, but when will MySpace do something about the scum that is True? Something tells me True must be paying them quite a hefty sum every month for the kind of placement they have on that site because MySpace sure as hell isn't doing it for the pristidigous brand name of True. Google it and look at the kind of results that pop up. They have many investigations going on against them right now and I'd say they're just as fraudulent as Zango.

Dudes! SSL?

And this makes me ponder why the fsck MySpace doesn't use SSL for their logins. Not that it necessarily helps against phishing if a convincing page is presented, but at least Firefox would politely make the address bar yellow and display the lock icon plus "login.myspace.com" (or whatever it is) in the status bar on the bottom-right corner of the browser.

Joe Job?

Just to be sure, has anyone checked to see if this is a joe-job? Shady competition in a shady area?

Maybe this is the way nature/evolution handles things when laws don't work? Hey, I'm just asking.... :-)

single-purpose browsers for secure access

A partial solution is actually pretty simple.

It's a bit of a headache to work out the logistics, but the banks simply should not allow logging in with a general purpose browser. All sorts of things can be done with a special purpose browser, from preventing any transmission from proceeding when either side provides the correct encrypted response, to using one-time pads, ...

And then I remember that, if there is spyware on the box, it's kind of hard to be sure that the one-time pad list, the encrypted response generator, and all the other fancy gadgets, are not being commanded by the adware instead of directly by the human.

But general purpose browsers (including the QuickTime browser) have just gotten too stuffed with functions.

Affiliates Using Unethical Means to Increase Busin

Hi, I'm new to this forum. I do have an online site where I publish affiliate sites. Is there an online website that posts all of the affiliates that may be using unethical means to increase their business on the various publisher's websites? I'm attempting to keep my family oriented site "clean" of any spyware, etc. Check it out at http://continue.to/lasvegas [continue.to] Please let me know if there is a site that tracks unethical affiliates. Thank you. Ed Denaut, Owner of Denaut International ejdenaut@yahoo.com

Re:"Clean up"? What do you expect?

Do you expect Mafia bosses to "clean up" the actions of their "affilates?"

Zango are the filthiest scum outside of Al Quieda.

SECOND RULE OF ___

YOU DO NOT TALK ABOUT ___!

Re:Wine just for porn anyone?

Too easy.

a: of, relating to, or involving the hands (manual dexterity) b: worked or done by hand and not by machine (a manual transmission) (manual computation) (manual indexing)