MySpace Phishing Attack Leads Users to Zango Adware

An anonymous reader writes "Security site Spywareguide.com reports that a new worm is doing the rounds on MySpace. Taking advantage of the HREF feature in Quicktime movies, a fake login bar is displayed on infected users profiles via some JavaScript coding. If you login (via one of the many hacked servers hosting the JavaScript and movie file) you'll find you start spamming messages containing a pornographic movie. That movie leads to a site that's pushing Zango Adware left, right and center. Is this more evidence that Zango has yet to clean up their affiliate networks?"

How do you get rid of Zango?

[slim-t]

I switched to FireFox, but it would be nice to be able to use Internet Explorer without Zango. I've tried several times to get rid of it with Ad-Aware. Anybody know how an easy way to get rid of it?

Re:

[Anonymous Coward]

Um... Add or Remove Programs?

Re:How do you get rid of Zango?

[dotbenjamin]

Spybot: Search & Destroy [safer-networking.org] will handle it. And it's freeware.

Sigh

[0123456]

I remember the days when a movie file was... a movie file. What kind of idiot lets people access the web or, worse, run Javascript, from a bloody movie?

Re:

[JanusFury]

This is the kind of 'feature' I'd expect from a format like WMV, not Quicktime. One would hope that Apple would at least be competent enough to consider the security implications of a feature like that before adding it. Well, at least it'll get fixed now...

Re:Sigh

[suv4x4]

Well, at least it'll get fixed now...

It won't get fixed because it's not a bug. Face the reality: the only way to "fix" phishing attacks is by taking away the computers of everyone.

Phishers just concentrate on the easiest method available. You take it away: they find another method. They don't need scripting at all.

[Slightly OT] Phishing -- a partial solution

[shreevatsa]

1. Phishing attacks are becoming more common, and obviously, it is necessary for all users to be more cautious about exactly where they are entering their passwords -- this means being very alert to the contents of the URL bar (so as to not be deceived by things like "http://www.google.com.blahblah.phisher.tripod.com /google..."), and also not being misled by javascript window-within-window things that make something else look like the URL bar, etc. All this probably requires a greater level of attention than is within the capabilities of, say, old people (or even those teenagers on MySpace). So how do you make sure you don't give away your password to the wrong guys?
2. A common phishing-like attack is to somehow hack into some low-security site and get some username-password pairs, then try them at other sites. As you might guess, this trick is quite effective, because most people use the same password everywhere. Remembering hundreds of different hard-to-guess strings is somewhat hard, after all.

So given that Grandma is going to use the same password everywhere, and isn't going to be very alert to phishing, how do you still make it safe for her to use the internet? (Or, if you don't care about Grandma: How can you get away with remembering only one password and be reasonably safe against phishing?)

There is a solution that's simple, effective, and comes at no cost -- no changes to the "user experience". It's PwdHash [stanford.edu], developed by Dan Boneh [stanford.edu] and others at Stanford. It's available as a Firefox extension [mozilla.org]. Basically, to use it, you just pick for each site (while registering or changing the password) a password and prefix it with "@@". It could even be the same password for all sites. PwdHash will transparently convert the password you typed into a one-way hash based on the site's domain, so that the password with which you are registered on the site is actually something other than what you typed -- but you don't need to know what it is, because the next time you visit the site, you again type your password (begining with "@@"), and PwdHash will send the site your correct password (does the same thing again). So if a phisher (who is by definition on some other domain) tries to steal your password, he actually gets a different one from what the correct site would get. (Oh, and PwdHash warns you if you type "@@" into something that is not a password field.) Everything else works the same -- all you have to do is to consistently type "@@" before your password each time (or hit F2, alternatively). The idea of domain-based generators is not [hashapass.com], new [sysprosoft.com], but the beauty of this one is that it fits perfectly into one's existing workflow. A long as you ask Grandma to pick a password that "begins with" @@, you can be sure no phishing website will get her password. (Of course, it is still susceptible to email scams and malware programs, but at least safety while browsing is taken care of.)
The researchers demonstrate it as a solution to phishing, but I use it simply because remembering too many passwords is a pain. And it's by some of the top Crypto researchers, so you can be quite sure it doesn't have any stupid vulnerabilities. Read the paper [stanford.edu] (or see the Powerpoint presentation [stanford.edu] if you'd prefer it) for a more in-depth consideration of other issues. (Interestingly, one of the co-authors is Stanford student and Firefox guy Blake Ross [wikipedia.org].)

Re:

[dotbenjamin]

But you have to have the extension installed to access your accounts. To me, that's a significant disadvantage and makes the solution essentially worthless.

Re:

[shreevatsa]

No. If you are in a place where you can't use the extension (cybercafe, someone else's computer, etc.), you can go to http://www.pwdhash.com/ [pwdhash.com] and generate it there. You can also get it as a bookmarklet instead of an extension, BTW.

Re:

[ArizonaJer]

One concern I'd have is: What if the PwdHash project dies and their site goes offline permanently? And let's presume that the extension is also no longer available, or just that you're using a computer without it. As I understand it, the user would then have no way of generating or even knowing what his/her passwords are.

In this situation, you'd have to reset all your passwords, but even that would be tricky because many sites demand your old password before you set a new one.

I suppose one could use t

Re:

[shreevatsa]

The implementation is available [stanford.edu], and you can generate the hashed passwords yourself, even offline. Save the implementation and put it somewhere you're sure won't go down.
I doubt the project will die, though.

pwdhash compared to alternatives

[Beryllium Sphere(tm)]

The discussion is deliberately nontechnical, but I did a comparison of password generator utilities [berylliumsphere.com] last year and pwdhash came out on top.

Re:

[shreevatsa]

1. If it's generating a password based on soley on the site information(domain name, etc?) and the user supplied '@@' password then nothing will prevent phishers from using PwdHash to figure out what someone's real password is.

The hash is a one-way function.

2. You can only use this where you have the extension installed.

No. See posts above.

people will probably revert to using simple alphabetic passwords like "football" or "racecar" instead of more complicated ones

I think you can get people to remember one strong password.

people will probably start using the same password for every site

This is already true. That is exactly the problem. This extension only adds security to such people.

The best method would be to have long randomly generated passwords, different for each site, stored in an encrypted format accessible by using a password(a la gnupg). You still have to carry this chunk of data around with you.

Try getting Grandma to do this. And what happens when she loses that chunk of data? It's harder to lose a single password.

Sometimes these university guys come up with some dumb shit.

They have stated their goals clearly, and come up what is currently the best solution that fits those needs.

Anti-phishing is primarily a problem of protecting idiots. It's

Re:

[Anne Thwacks]

There are two reliable methods by whch all spamming, phishing, etc could be stopped for good:

(1) Use of cruise missiles against the perpetrators

(2)the same what that on-line gambling was stopped - action against the credit card companies.

All this stuff is for monitary reward - read "credit card transactions". No Credit card involvement means no problem.

And dont come with that "its the foreigners doing it" Who ever is doing it, its Americans paying, with American credit cards and banks. None of the stu

Re:

[ColdWetDog]

Face the reality: the only way to "fix" phishing attacks is by taking away the computers of everyone else.

There, I fixed it for you.

Re:

[suv4x4]

I remember the days when a movie file was... a movie file. What kind of idiot lets people access the web or, worse, run Javascript, from a bloody movie?

Apple.

You can do that from Flash as well.

Re:

[MrCoke]

Nobody is demanding from those users to click the movie, the email-address containing the phishing address or opening a funny picture from an email.

They want it. They don't care about the consequenses. Not because they like to wreck the internet, just because they don't know any better.

Re:

[0123456]

"Nobody is demanding from those users to click the movie, the email-address containing the phishing address or opening a funny picture from an email."

Right. Blame the users rather than the programmers or designers who put such a retarded security hole into a movie file format... anything that lets files access the web without user intervention is inevitably going to be exploited.

Re:

[Net_fiend]

Funny. Last time I checked ignorance isn't an excuse when you break the law unknowingly. Why should it be in this case?

PCs are like cars. They require maintenance. If you don't want to take the responsibility of keeping your machine up to date and clean of viruses then don't bother getting a PC. I think this is what geeks/nerds get for trying to make PCs mainstream. Now we have to deal with the garbage and clean up others' messes. I guess they get their's when they see the bill we give them ;)

On the f

Re:

[Inda]

What is this "My Space" that everyone keeps talking about? It sounds gorgeously fun.

Re:

[Firehed]

While I wholeheartedly agree, it is VERY useful for video podcasts. No mucking about with timeshifting to try getting a URL they're mentioning, just click on the link in the subtitle.

Some more info and removal instructions

[wpmegee]

Lolo [myspace.com] has written a pretty good MySpace blog entry [myspace.com] about this, along with some removal instructions (in the comments and in my post also). One of this guy's hobbies is exposing MySpace scammers. He actually predicted about a week ago that an exploit like this would happen. Friend him if you have a MySpace. I can't tell who came up with this information first, Lolo or these guys but Lolo may have gotten there first. Either way you need to read his blog posts if you use MySpace...

Please note that you can be infected by this virus by simply viewing an infected profile. It doesn't matter what browser you use, I was using Firefox 2.0 with AdBlockPlus and a decent filterset updater and was infected. I DO NOT believe it steals your password without going to the fake login page. So if your profile gets infected you are probably fine simply removing it

Here's how to remove it:

Use the FIND command or CTRL F to find the word LOGIN.

It starts with this line of code ... I have stripped out the first "

style type="text/css"
div table td font { display: none }
div div table tr td a.navbar, div div table tr td font { display: none }
.testnav { position:absolute; top: 136px; left:50%; _top: 146px

The code was at the very end/bottom of my ABOUT ME section.

It then continues with an obvious line of code for the menu choices. I stripped out the code and the page is fine ... FOR NOW!

To truly protect yourself you need to adblock the offending Quicktime object - or better yet all .mov files.

Re:Some more info and removal instructions

[zlogic]

I'd recommend using the Stop Autoplay [mozilla.org] extension for Firefox. It works just like Flashblock, but for movies and sounds. And it blocks background sounds and music as well.

Re:

[Tesla Tank]

For Opera users, here [userjs.org] is a userjs that does something very similar. If you're so inclined, you can also manually change what it blocks in the javascript itself.

systems prone to this?

[Anonymous Coward]

Pardon my ignorance, but is this is a problem for Windows users only? Or Mac too? Linux? Or is javascript the problem (making any system vulnerable)?

Re:

[iknowcss]

It sounds to me like any OS that supports the QuickTime Plugin that allows JavaScript to be run in a movie would be affected.

Re:

[Neil Hodges]

There's no way that's true; the Zango adware itself is written for Windows and thus would never be installed on other operating systems. The ads themselves, however, would still come.

It's hard to control affiliates.

[metalhed77]

Listen, in any affiliate program policing affiliates can be impossible. I think Zango's a disreputable and disgusting company, but that doesn't mean they're guilty in this case. Blame the affiliates.

What idiot at Apple put that in?

[Animats]

What idiot at Apple put a giant hole like this in?
An automatic URL loads as a movie is playing at the exact frame specified by a text descriptor timestamp in the HREF track. With automatic URLs, you can create a narrated tour of a website, use web pages as slides in a presentation, activate a JavaScript command, or do anything else that requires loading movies or web pages in a predetermined sequence.

That's got to come out of Quicktime players. They're a huge security hole now. That's just unaccepta

Re:What idiot at Apple put that in?

[NMerriam]

That's got to come out of Quicktime players. They're a huge security hole now. That's just unacceptable.

What security hole? Quicktime is a multimedia authoring and playback tool, just like Flash, RealPlayer, WMP, and every other multimedia system. It needs to be able to get media, display it, and allow interactive behavior just like every other multimedia program. You could create the exact same "security hole" using 100% W3C-approved SMIL.

The only security hole is the server allowing unauthorized Javascript to initiate MySpace user actions without any confirmation. Someone clever realized that the Javascript blocks wouldn't recognize JS sent from the plugin -- that doesn't mean the plugin has a security hole, it means the web application itself was vulnerable to a malicious injection of code from perfectly normal and common network behavior. The plugin worked perfectly and didn't do anything sketchy with the OS or network. If allowing code to be sent is a security hole then every browser has a huge security hole called the anchor tag.

Re:

[Mr2001]

No, QuickTime doesn't need to "allow interactive behavior". It just needs to play video. If I want interactive behavior, I'll use Flash or Java.

Re:

[Kesh]

Quicktime is not a video encoding format, it's a media package. It has been used for interactive behavior, for years. So, I don't see it coming out anytime soon.

Re:

[NMerriam]

No, QuickTime doesn't need to "allow interactive behavior". It just needs to play video. If I want interactive behavior, I'll use Flash or Java.

Hi, 1991 is calling. Quicktime was created from the very beginning, and has always been, a complete interactive multimedia development and presentation system. Most of the multimedia CD-ROMs produced in the 90s were just giant Quicktime applications. In fact, it can play most Flash files, so trying to make a distinction between Quicktime and Flash features is most

Re:

[Mr2001]

Thanks for your response, 1991. I appreciate the information, but you can have your "interactive multimedia development and presentation system" back. Here in the future, when we want an interactive presentation, we use Flash or Java as noted earlier. It's crazy, I know, but QuickTime didn't really take over the world like one might have expected.

Also, sell your Pan Am stock and put the money on Australia to win the Rugby World Cup, and Arkansas governor Bill Clinton to win the presidential election next ye

Re:

[NMerriam]

Here in the future, when we want an interactive presentation, we use Flash or Java as noted earlier.

The Flash plugin has all the same "security vulnerabilities" of using Javascript as Quicktime does. Java can send JS, too! There is nothing even remotely unique or special about a plugin that supports Javascript. If you're on a mission to eradicate JS from the Internet, have fun raging against the machine. Changing Quicktime because you are as ignorant about the Internet as the average MySpace user is not a

Got some bad news for you...

[hullabalucination]

...but if you've got Windows Media Player, I can embed a script in Microsoft's .asx format and have WMP serve up whatever sort of mischief I can code up, cleverly hidden in an audio or video media file. Supposedly Microsoft has been paying attention to the issue, but just between you and me I wouldn't have your bank's login page open in IE while playing any unfamiliar .asx or .asf files:

http://support.microsoft.com/kb/828026 [microsoft.com]

* * * * * *

Adobe Illustrator is a programmer's idea of how a graphic artist

Re:

[Mr2001]

Indeed. More stuff we don't really need. Why the hell should an audio or video stream be able to execute scripts?

Re:

[Lars T.]

No, QuickTime doesn't need to "allow interactive behavior". It just needs to play video. If I want interactive behavior, I'll use Flash or Java.

Another fool who never understood what Quicktime is. For the n-th time: Quicktime is not a movie player.

Re:

[Mr2001]

Well, it sure seems to be necessary for playing certain types of movie files. Perhaps our friends at Apple should separate the movie playing part out, so those of us who don't care about playing interactive QuickTime files can avoid security holes like this one.

Re:

[Lars T.]

Well, it sure seems to be necessary for playing certain types of movie files. Perhaps our friends at Apple should separate the movie playing part out, so those of us who don't care about playing interactive QuickTime files can avoid security holes like this one.

Why exactly should Apple do that? Any decent programmer could write one themself. But obviously there aren't any in the Windows camp.

Re:

[Mr2001]

Why exactly should Apple do that?

So people could play movie files that are stored in Apple's format without exposing themselves to security risks such as this one, thereby allowing .MOV to hold on to some shred of relevance on platforms other than OS X.

Any decent programmer could write one themself. But obviously there aren't any in the Windows camp.

Oh, now I get it. You're one of those.

Re:

[Lars T.]

One of those? Ohh, you mean not one of those Windows Weenies who can't program?

Re:

[Mr2001]

I mean one of those pompous idiots who thinks no one in the Windows world can program, and that writing your own video plugin just to avoid the security risks of Apple's player is a sign of machismo, rather than masochism.

Re:

[Lars T.]

I mean one of those pompous idiots who thinks no one in the Windows world can program,

Ohh, absolutely not - too bad that those who can programm only bother with malware.

Re:

[Mr2001]

Wow. Please, keep posting, your ignorance is hilarious.

Re:

[Lars T.]

That's funny coming from somebody who doesn't know what Quicktime is.

Quicktime is the problem?

[Ark42]

Sounds like MySpace is the problem here.

To summarize, I think that the situation goes like this: A user places a movie file on their page manually to start with. People visiting that page view the movie which loads a link containing javascript. The javascript modified that MySpace user's profile to include the movie somehow.

Why do you even need a movie for this to happen? Why can javascript just change an entire MySpace page around? It sounds like the entire problem here is that MySpace users get too much customization abilities over their pages. A simple onload="infectuser()" javascript line would seem to me like it could accomplish the same worm effect.

Re:

[zappepcs]

Mod parent up: MySpace is the problem. They are not vetting any user submissions, and that, to me, seems like a real problem. Even email lists let moderators vet submitters content. Its something that is not new to the web, and therefore, MySpace should already have been vetting submissions.

Yeah, its a tough job, but it needs to be done. Maybe they can work out a deal with one of the antivirus companies?

Re:

[Roy van Rijn]

This is indeed a MySpace problem. Using simple Javascript it could simulate user actions and is thus vulnarable.
The problem with the web is always a two-folded, rich content and possibilities but still secure..

One more thing you could do with Javascript is having a simple PHP script that writes this to your database:
'clipboardData.getData("Text");'

This does exacly what you think it does, fetch your clipboard data (might contain personal stuff!!). Lot of people copy-paste things like passwords and

If you allowd JS, you need to add catphas.

[Tei]

Is not the ability to customize, but the lack of confirmation, or a captcha. Because If you allowed to run movies trough flash,... that mean you allowed to run javascript. Running javascript as yourself mean other people can make ajax call, or whatever, to mimick yourself. Having captchas will stop that thing. But will make editing that profiles slighty slow, of course.

Re:

[scsscs]

Because MySpace doesn't allow javascript. Using the movie gets around the filters.

Re:

[Ark42]

It's still a MySpace problem then.
They allow Quicktime movies and this is a feature of Quicktime movies.
Can't ASF/WMV files and Flash both do the same types of things anyway?

Re:

[hullabalucination]

Well, you can use a Microsoft tool to do dangerous stuff in .asf/.wmv files:

http://www.plattsburgh.edu/technology/it/help/stre amingmedia/advancedscriptindexer.php [plattsburgh.edu]

Re:

[Kuvter]

Myspace doesn't allow user to use JavaScript. When you put JavaScript in your code on your profile it just changes it into "..." and doesn't work. That's why something like this work around came around to get JavaScript to run. Myspace did a reasonable amount to avoid this by blocking JavaScript, which made hackers get even sneakier. Hence the cycle begins again.

Re:

[scottschiller]

QuickTime is likely the cause in this particular case, but this is just one vector.

Javascript XSS holes are a big potential problem and may be sometimes overlooked in development. It helps to understand how browsers parse HTML and inline event handlers such as onclick, onload, onerror etc. in HTML elements as mentioned, and to know some of the non-standard uses of javascript: protocol URLs and so on.

As for protection, a lot of it comes down to how the developers sanitize or filter user-generated/editable

Re:

[Anne Thwacks]

Do you expect Mafia bosses to "clean up" the actions of their "affilates?"

Zango are the filthiest scum outside of Al Quieda.

Firefox Extension: NoScript

[shodai]

Firefox: NoScript [mozilla.org].
Extra protection for your Firefox: NoScript allows JavaScript, Java and other executable content only for trusted domains of your choice, e.g. your home-banking web site. This whitelist based preemptive blocking approach prevents exploitation of security vulnerabilities (known and even unknown!) with no loss of functionality... Experts do agree: Firefox is really safer with NoScript ;-)

SECOND RULE OF ___

[WilliamSChips]

YOU DO NOT TALK ABOUT ___!

Re:

[poopdeville]

Too easy.

a: of, relating to, or involving the hands (manual dexterity) b: worked or done by hand and not by machine (a manual transmission) (manual computation) (manual indexing)

Scammers/spammers

[Lord_Dweomer]

So Zango is one problem, and not to digress, but when will MySpace do something about the scum that is True? Something tells me True must be paying them quite a hefty sum every month for the kind of placement they have on that site because MySpace sure as hell isn't doing it for the pristidigous brand name of True. Google it and look at the kind of results that pop up. They have many investigations going on against them right now and I'd say they're just as fraudulent as Zango.

Dudes! SSL?

[Mike Hicks]

And this makes me ponder why the fsck MySpace doesn't use SSL for their logins. Not that it necessarily helps against phishing if a convincing page is presented, but at least Firefox would politely make the address bar yellow and display the lock icon plus "login.myspace.com" (or whatever it is) in the status bar on the bottom-right corner of the browser.

Re:

[triso]

What is the worst that could happen if I lost control of my MySpace account?

Re:

[colemanguy]

also say your looking for a job, like a college kid or what not, some employers check popular social networking sites for photos and such to determine the character of a person even though it may not be legal to do so. But say some user hacks your myspace and uses it to spam lots of porno ads and bam your turned down for an interview.

Joe Job?

[f00Dave]

Just to be sure, has anyone checked to see if this is a joe-job? Shady competition in a shady area?

Maybe this is the way nature/evolution handles things when laws don't work? Hey, I'm just asking.... :-)

single-purpose browsers for secure access

[Joseph_Daniel_Zukige]

A partial solution is actually pretty simple.

It's a bit of a headache to work out the logistics, but the banks simply should not allow logging in with a general purpose browser. All sorts of things can be done with a special purpose browser, from preventing any transmission from proceeding when either side provides the correct encrypted response, to using one-time pads, ...

And then I remember that, if there is spyware on the box, it's kind of hard to be sure that the one-time pad list, the encrypted respons

Affiliates Using Unethical Means to Increase Busin

[Ed Denaut]

Hi, I'm new to this forum. I do have an online site where I publish affiliate sites. Is there an online website that posts all of the affiliates that may be using unethical means to increase their business on the various publisher's websites? I'm attempting to keep my family oriented site "clean" of any spyware, etc. Check it out at http://continue.to/lasvegas [continue.to] Please let me know if there is a site that tracks unethical affiliates. Thank you. Ed Denaut, Owner of Denaut International ejdena