New Bredolab variant targets MySpace users with MySpace Password Reset email

MX Lab detected a new virus campaign containing a new Bredolab variant. The campaign has the same characteristics as the Facebook Password Reset email campaign. The trojan is detected as Win32:Bredolab-BL (Avast) or W32/Bredolab!Generic2 (F-Prot).

The email is sent from the spoofed address <confirmation@myspace.com> and has one of the following subjects:

MySpace Password Reset Confirmation!
MySpace Password Reset Confirmation! Order NR.4648.

When the subject contains an Order NR., the number at the end is chosen randomly and can change.

Body of the email:

Hey a ,

Because of the measures taken to provide safety to our clients, your password has been changed.
You can find your new password in attached document.

Thanks,
Your MySpace.

The attached document is named MySpace_document_10081.zip and contains the 36 kB executable MySpace_document_10081.exe.

VirusTotal permalink and MD5: cfd05a493ccab7d5928ba9bf7dec3d16.

MySpace subject to phishing campaign

Social networks are often subject to phishing and today MySpace is the target. MX Lab intercepted some messages from MySpace <message-*********@message.myspace.com>, where * stands for a random combination of letters and numbers. The from address is obviously spoofed.

The body of the email:

Dear MySpace user!

Please be informed that you are required to update your MySpace account.

Please update your MySpace account by clicking here:

hxxp://accounts.myspace.com.iuuuujef.co.uk/msp/index.php?fuseaction=update&code=5A3TCE-JA3T2OSOJ1-AT2LKB0WNLB0-SMSWSGFPGEL97-0JHN4840QT&email=****@*******.co.uk

If you’re unable to click on the link above, copy and paste it into your browser’s address bar.

————————-

At MySpace we care about your privacy. This email is never sent unsolicited.

If you think you’ve received this email in error, or if you have any questions or concerns regarding your privacy, please contact us at:

privacy@myspace.com

MySpace, Inc.
8391 Beverly Blvd. #349
Los Angeles, CA 90048
USA

©2003-2009 MySpace.com. All Rights Reserved.

The domains used in the links are fast-flux domains, chosen to avoid Intent Analysis. The domain in this case is registered with the following details:

Domain name:

         iuuuujef.co.uk

     Registrant:
         Joe Tentpeg

     Registrant type:
         Non-UK Individual

     Registrant's address:
         5556 Butt hole Court
         Bum diddle
         66545
         Belgium

     Registrar:
         Webfusion Ltd t/a 123-Reg.co.uk [Tag = 123-REG]
         URL: http://www.123-reg.co.uk

     Relevant dates:
         Registered on: 09-Nov-2009
         Renewal date:  09-Nov-2011
         Last updated:  10-Nov-2009

     Registration status:
         Registration request being processed.

     Name servers:
         No name servers listed.

     WHOIS lookup made at 11:19:48 10-Nov-2009

When we performed WHOIS lookups for the other domains involved, we noticed some irregularities. The registrant name is different each time, but the address doesn't fit at all. The zip code doesn't match the country, because zip codes in Belgium consist of 4 digits. We can assume that the registrant used different details for each registration in order to avoid detection by the registrar.
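The postcode irregularity described above can be checked automatically. The following Python sketch is an added example, not MX Lab's tooling: it parses a WHOIS record laid out like the one quoted above and flags a postcode that does not fit the stated country. It goes one step beyond the text by also flagging a domain registered only days before the lookup; the flag names, the 7-day threshold and the assumption that the last two address lines are postcode and country are choices made for this example.

```python
import re
from datetime import datetime

# Constructed sample: selected fields of the WHOIS record quoted above.
SAMPLE_WHOIS = """
    Registrant's address:
        5556 Butt hole Court
        Bum diddle
        66545
        Belgium

    Relevant dates:
        Registered on: 09-Nov-2009

    WHOIS lookup made at 11:19:48 10-Nov-2009
"""

# Only the Belgian rule (4 digits) comes from the article; extend per country.
POSTCODE_FORMATS = {"Belgium": r"\d{4}"}
DATE = r"(\d{2}-[A-Za-z]{3}-\d{4})"

def section(text, header):
    """Return the lines indented deeper than `header` that directly follow it."""
    lines, body = text.splitlines(), []
    for i, line in enumerate(lines):
        if line.strip() == header:
            indent = len(line) - len(line.lstrip())
            for nxt in lines[i + 1:]:
                if not nxt.strip() or len(nxt) - len(nxt.lstrip()) <= indent:
                    break
                body.append(nxt.strip())
            break
    return body

def whois_flags(text, max_age_days=7):
    """Flag a postcode that does not fit the country and a very young domain."""
    flags = []
    address = section(text, "Registrant's address:")
    if len(address) >= 2:
        pattern = POSTCODE_FORMATS.get(address[-1])  # last line is the country
        if pattern and not re.fullmatch(pattern, address[-2]):
            flags.append("postcode_country_mismatch")
    registered = re.search(r"Registered on:\s*" + DATE, text)
    lookup = re.search(r"WHOIS lookup made at [\d:]+\s+" + DATE, text)
    if registered and lookup:
        parse = lambda m: datetime.strptime(m.group(1), "%d-%b-%Y")
        if (parse(lookup) - parse(registered)).days <= max_age_days:
            flags.append("recently_registered")
    return flags
```

Countries missing from `POSTCODE_FORMATS` are skipped rather than flagged, so the check only fires where a format rule has been supplied.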

MySpace wins $230 million anti-spam judgment

Sanford Wallace and his partner Walter Rines face a $230 million anti-spam judgment. The duo were found responsible for sending out phishing scams designed to harvest MySpace login credentials, prior to bombarding members with messages punting gambling and smut websites. As many as 730.000 spam messages, directing to gambling and smut websites, were sent to MySpace members since late 2006.
