
Nastygram: MySpace phish plants spy software


A new spam campaign targeting MySpace users once again illustrates the blended threat from junk e-mail attacks, experts warn. This latest run tries to lure recipients into giving up their MySpace credentials, and then attempts to trick victims into installing password-stealing malicious software.

Attackers began blasting out the junk e-mails early Monday, according to researchers at the University of Alabama, Birmingham. Researchers at the school have so far tracked more than 30 Web site names associated with this attack, each beginning with "" and ending in a United Kingdom country code domain (.uk).

The campaign is nearly identical to one launched late last month targeting Facebook users, said Gary Warner, director of research in computer forensics at UAB Birmingham: Recipients are directed to a fake page and asked for their login credentials. That attack cycled through at least 242 different look-alike Facebook scam sites before the last was shut down about five days later.

It's not clear whether the attackers really care about the login information, as the bogus sites will authenticate a user regardless of the supplied user name and password. Rather, the attackers appear to be requesting that information in a bid to make their scam sites appear more legitimate, Warner said. Their goal? Convince the user to install a "Myspace Update Tool," which instead is a copy of Zeus, a nasty piece of spyware that lets attackers steal online banking user names and passwords.


"This tactic we think is designed to foster the perception that the visitor is on a real MySpace site," Warner said.

Warner said the attackers in this latest assault appear to have learned from the Facebook attack, in which bogus Facebook pages also served up the Zeus payload. In contrast, the Zeus malware used in this MySpace phish is not hosted directly on any of the phishing sites, but instead at another location. Separating the phishing sites and the malware may help the bad guys keep both components of this scam online longer, Warner said.

"Many countries don't care if you send spam, but those same countries often will nuke a site if they can confirm reports that it's serving up malware," Warner said. "In this case, the phishing sites are likely to live longer because of the fact that there's no longer malware on them."
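Two of the traits described above, brand names on look-alike domains under a .uk country code and an "update tool" executable offered from a host other than the phishing page, can be turned into a simple mail-scanning check. The script below is an added example, not code from the article or from the UAB researchers; the allow-list, the sample e-mail and the function names are constructed for this illustration.

```python
import re
from urllib.parse import urlparse

# Constructed allow-list: brands the campaign impersonated and the registrable
# domains they legitimately use. A real deployment would maintain this centrally.
LEGIT_DOMAINS = {
    "myspace": {"myspace.com"},
    "facebook": {"facebook.com"},
}

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)

def registrable_domain(host):
    """Rough registrable-domain extraction: last two labels, or last three under
    second-level .uk registries (co.uk, org.uk, ...). Assumption: adequate for
    this example; production code should consult the Public Suffix List."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) >= 3 and labels[-1] == "uk" and labels[-2] in {"co", "org", "me", "ac"}:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])

def classify_url(url):
    """Return the list of findings for one URL; empty when nothing looks off."""
    parsed = urlparse(url)
    host = parsed.hostname or ""          # urlparse already lowercases the host
    rd = registrable_domain(host)
    findings = []
    for brand, legit in LEGIT_DOMAINS.items():
        if brand in host and rd not in legit:
            findings.append(f"brand '{brand}' on non-official domain {rd}")
    if rd.endswith(".uk") and any(b in host for b in LEGIT_DOMAINS):
        findings.append("lookalike under .uk ccTLD")   # the pattern UAB reported
    if parsed.path.lower().endswith((".exe", ".scr")):
        findings.append("link to executable download")  # e.g. a fake "update tool"
    return findings

def scan_email(body):
    """Map every suspicious URL in an e-mail body to its findings."""
    results = {}
    for url in URL_RE.findall(body):
        findings = classify_url(url)
        if findings:
            results[url] = findings
    return results

# Constructed sample message mimicking the lure described in the article.
SAMPLE_EMAIL = """Your MySpace account needs attention. Log in at
http://myspace.example-login.co.uk/index.php to confirm, then run the
MySpace Update Tool from http://files.example-cdn.net/update/MyspaceUpdateTool.exe
Official help: https://www.myspace.com/help
"""

if __name__ == "__main__":
    for url, findings in scan_email(SAMPLE_EMAIL).items():
        print(url, "->", "; ".join(findings))
```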

By Brian Krebs  |  November 9, 2009; 12:21 PM ET


My understanding from about two months ago is that AV software was having trouble identifying Zeus. And if the AV software doesn't identify something as malware then it can't protect you from it.

Does anyone know the degree to which this might have changed? Is AV software getting better at finding and removing Zeus?

Posted by: jackrussell252521 | November 9, 2009 1:26 PM | Report abuse

We recently launched our website: as a free and open-access location on the internet where users can publish email addresses of scam artists. Users can also search through our growing database.

Both searches and submissions are free, anonymous and do not require registration or subscription. We also offer a share your story page so you can take an active role in educating the Internet Community on how to avoid being scammed.

Posted by: aesculus | November 10, 2009 7:11 AM | Report abuse


© 2010 The Washington Post Company