Why is Sourceforge still pushing Lolita porn and malware?

Update:  Looks like we’re all clear — malicious links have been removed.

A month ago, we blogged about FakeRean (a very nasty malware/rogue antivirus) being served by PHP spam off of Sourceforge.net. We figured something would happen.

Well, nothing happened.

We’re still seeing hardcore and lolita porn spam on Sourceforge.  It’s all PHP hacks, which points to sloppy moderation and site stewardship; worse, this is not just junk spam like “buy Russian handbags”, but rather, redirects to sites that often serve malware.

Case in point is this spam promising lolita porn. 


In this case, after clicking “Yes I am 18+” (which a majority of under 18’s do anyway), you get redirected to one of a variety of porn sites, often serving malware. (In fact, it doesn’t really matter if you click “No” or “Yes”, you still get redirected.)

Using basic reputation hijacking, a Google search redirect is used:

hxxp://www.google.com/url?sa=D&q=http://  seoholding.  com/12/commonground&usg=AFQjCNGnwpgXRDmIHULLMas4fJSt0f3FSg
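A filter that scores only the visible hostname sees google.com in a link like this. As an added example (not from the original post), this Python code unwraps the redirect so the destination host is the one whose reputation gets checked; the `url` parameter alias and all function names are assumptions.

```python
from urllib.parse import urlsplit, parse_qs

# Redirector endpoints mapped to the query parameters that carry the target.
# google.com/url with q= is the case in the post; "url" is an assumed alias.
REDIRECTORS = {("google.com", "/url"): ("q", "url")}

# The defanged link exactly as quoted in the post.
SAMPLE = ("hxxp://www.google.com/url?sa=D&q=http://  seoholding.  com/12/"
          "commonground&usg=AFQjCNGnwpgXRDmIHULLMas4fJSt0f3FSg")

def refang(url):
    """Undo write-up defanging: inserted whitespace and the hxxp scheme."""
    url = "".join(url.split())
    return "http" + url[4:] if url.lower().startswith("hxxp") else url

def bare_host(url):
    """Lower-cased hostname without a leading www."""
    host = (urlsplit(url).hostname or "").lower()
    return host[4:] if host.startswith("www.") else host

def unwrap(url, max_hops=5):
    """Return the URL chain, outermost first, through known redirectors."""
    chain = [refang(url)]
    for _ in range(max_hops):  # bounded, so nested wrappers cannot loop forever
        parts = urlsplit(chain[-1])
        params = REDIRECTORS.get((bare_host(chain[-1]), parts.path))
        if not params:
            break
        query = parse_qs(parts.query)  # also percent-decodes the value
        target = next((query[p][0] for p in params if p in query), None)
        if not target:
            break
        chain.append(target)
    return chain

def effective_host(url):
    """Host whose reputation should actually be checked."""
    return bare_host(unwrap(url)[-1])

def is_wrapped(url):
    """True when a trusted redirector fronts a different destination host."""
    chain = unwrap(url)
    return len(chain) > 1 and bare_host(chain[0]) != bare_host(chain[-1])

if __name__ == "__main__":
    print(effective_host(SAMPLE), is_wrapped(SAMPLE))
```
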

And this all lands one at a variety of sites, of which we show a few (we’ve turned off images in the browser as it’s all a bit ghastly).



These sites will either push a download of the “movie” or ask to “update your flash player”.  In any event, it’s malware.


Detection rates are fairly poor: Fake MPEG, Fake Flash Player

Another reason why doing some basic google searches on your own site can really help clean things up for the Internet at large. 

Alex Eckelberry

Google Plus Fuss

While the status of Google+ invites keeps switching from “live to dead to back to gone again”, it’s worth noting that you’ll see some weird and wonderful things while hunting for invites.

You’ll also see this:



“Free Google+ invites instantly”?

Opening the short URL presents you with – oh, I’ll let you take a wild guess:



Yes, it’s survey time. Once you’ve finished winning Starbucks gift cards and have decided who would win in a fight between Ronald McDonald and The King, you’re left with the following download:

“Googleplus2.rar”? Well, that sounds dubious – especially as the uploader is also promoting what appears to be a collection of stolen RuneScape accounts. There seemed to be an issue with the surveys on offer, so we couldn’t download the .rar to see what was inside but we’re guessing either 1) garbage or 2) pilfered accounts from, well, anywhere really.

Elsewhere there are some interesting profiles starting to appear on G+. Here’s one promoting a “free iPhone apps” website:



Visit the link, and you’re presented with numerous programs to download.



As you can see, they have your sword…and your bow…and your Golden Axe.

It’s also listed as “cracked”, and as you well know randomly downloading “cracked” programs can often turn out to be a bad idea. Depending on which download links you use, you may also be presented with requests for payment before downloading.



£10  for premium access through SMS? Not so much “free iPhone apps” as “sort of free iPhone apps if you click the right link, maybe”.

Spammers are already firing fake invite emails around for pharma sites, and you can bet the Youtube scam videos and G+ profiles linking to potentially unsafe downloads will start to increase in frequency as the days roll by.

Let’s hope the scammers don’t pile in wholesale on one of the more entertaining services I’ve seen launched in recent months.

Christopher Boyd

Hakuna Me Gusta

+1 if you immediately understood the title before reading the article. +2 if you still have no idea by the end of it.

There’s a Spanish language Facebook fakeout knocking around this week, a variation on a tried and tested scam theme (aren’t they all?)

Here’s a “Facebook Dislike Button” site, located at descargarapida(dot)es:



A Justin Bieber themed Dislike scam, no less! Well, we can all get behind that.

Anyway, according to my reasonably decent translation program the text reads:

“New Button: Do not like! Install on your Facebook profile now”

Meme fans will no doubt be giggling away at the “Me Gusta / No Me Gusta” buttons. Everyone else should be making a mental note never to fall for the “Click here to install a no like button” scams, regardless of language or how many pictures of Justin Bieber they splash across the screen. A few days ago it was serving up a “login to see these girls in a pool” page – however, at time of writing the page cannot be reached and loops you back to the Bieber boobery. Thanks to the magic of Google Cache, we can take a look at what was taking place:



Some of the text is now in Finnish – “Post this link to your wall.” Meanwhile, the text in the share box is still in Spanish: “These girls are drunk, watch this video” or words to that effect. We’re linked to Veedeotube(dot)com, however the site currently just loops round in circles.

If I had to guess at what this one involves when fully working, I’d be tempted to say “pops up a survey”. Who knows, but I’m nominating all of the above for a definite “Not Like”. In fact, you could say….

Christopher Boyd (Thanks to Robert for sending this one over)

Spammers Hone In on Google+

Our friends at Sophos have found what we consider, probably, the first crime ever targeting Google+: fake pharma spam. Due to the high demand of G+ invites being thrown at Google, to the point that the company actually had to cease the invitation process for the beta release of their fledgling social networking site, it is no surprise that spammers have latched onto this one as their latest target (and growing favourite?) to date.

Better than having malware there, if you ask me.

That, of course, does not change the fact that receiving supposed G+ invitations leading to a fake pharma site is annoying.

“The spammers are no doubt hoping that the email will be too hard to resist for many people eager to see Google’s new social network, although just how many users will be tempted to buy drugs online is a mystery.” concludes Sophos regarding this report.

Indeed.

Screenshot of the G+ spam from Sophos

Personally, I am a bit jolted by the fact that spammers didn’t take long before they pushed a campaign to take advantage of Internet users badly wanting to be put in circles. It’s the current “it” thing, after all. Not to mention the current perfect target of any threat attack, and spamming was the first. I can only guess what could come next after that.

It’s a jungle out there, folks. As always, please stay safe. 🙂

Jovi Umawing