Defeating MSPLinks on MySpace

myspace_msplinksThe following post is a contribution from a researcher called “anti-social”:

A few years back MySpace implemented MSPLinks as a way to defeat spammers from posting their spam URL’s. The idea being that spammers couldn’t make money if they constantly had to buy new domains. The idea worked to a pretty good extent once MySpace finally figured out how to filter all the XSS vulnerabilites they had when sanitizing profiles.

About a year ago, MySpace added to MSPLinks a phishing warning screen to inform users that the site they were going to could possibly be malicious. This screen can be easily defeated by a simple post method with a hidden field. That’s because MSPLinks.com trusts post requests from MySpace.com.

A working example can be found at: http://www.myspace.com/socnetsec

If you click the 1st button under the “About Me” section, the phishing screen isn’t shown (IE and Safari takes you straight through to the link, Firefox pops up a warning asking if you want to post your data to MSPLinks)

If you click the 2nd button, you’ll notice that you’ll be taken to MySpace’s phishing window.

Here is the simple html code in the profile:

<form action="http://www.msplinks.com/MDFodHRwOi8vd3d3LnNvY2lhbG1lZGlhc2VjdXJpdHkuY29t" method="POST">
<input type="submit" name="coolbutton" value="SETTING DISCHECK" />
<input type="hidden" name="discheck" value="on" />
</form>
<form action="http://www.msplinks.com/MDFodHRwOi8vd3d3LnNvY2lhbG1lZGlhc2VjdXJpdHkuY29t" method="GET">
<input type="submit" name="coolbutton" value="NO DISCHECK" />
</form>

What’s the point?  Even with SPAM and URL filtering on social networks like MySpace…they can be easily bypassed.  Since 2007 there have been many different ways to bypass MSPLinks (just do a Google search), this is just another method.  Also, because social networks encourage user generated content, clicking on any links that are posted by the user can lead to bad things.  Especially if they are already masked like they are via MSPLinks.  MSPLinks have now become even more dangerous because you trust MySpace is filtering these links.

Hopefully, MySpace can come up with something better then MSPLinks as they are pretty much useless to fight SPAM and links to malware sites.

New Research Released on Koobface

Today Trend Micro released probably the most comprehensive research yet on the Koobface social network worm.  This research details how Koobface works, the malicious payloads it carries and how this worm has spread to all the major social networks.  The most recent victim being Twitter.   Most alarming is that Koobface will still continue to evolve and is the beginning of a new generation of malware targeting social networks.

Check out the article and download the PDF for the full report.  We will also have this link posted in the “Research” section of the site.

Understanding Koobface and other "Drive-By Download" type threats

Koobface is a classic “Drive-by Download” type of threat, which can be a difficult thing for anti-virus programs to deal with. The catch is that you’re being fooled into giving a program explicit permission to run. Should an anti-virus program second-guess that decision? Good question.
Read More »

To receive weekly security tips and other notices about helpful content available on this site, please make sure you are on my list by clicking HERE, and entering your name and email address.

If you’d like to know what a Honey Stick is, and why it’s important to understand what they are telling us, click HERE.

Scott Wright
The Streetwise Security Coach

Join the Streetwise Security Zone at:
http://www.streetwise-security-zone.com/join.html

Phone: 1-613-693-0997
Email: scott@streetwise-security-zone.com
Twitter ID: http://www.twitter.com/streetsec

Site Meter

Malware on Twitter

Well, it seems like it didn’t take that long for the malware authors to notice the opportunity in abusing Twitter as a malware distribution platform.
According to Kaspersky Labs:
“…This profile has obviously been created especially for infecting users, as there is no other data except the photo, which contains the link to the video.

If you click on the link, you get a window that shows the progress of an automatic download of a so-called new version of Adobe Flash which is supposedly required to watch the video. You end up with a file labeled Adobe Flash (it’s a fake) on your machine; a technique that is currently very popular…”

Unfortunately, the auto-follow-me vulnerability is still exploitable for Internet Explorer users. I’m still withholding the technical details of this vulnerability in a hope that it won’t be exploited in the wild, more than it was probably already did.