Note to blog followers

I noticed some people are following this blog – thanks for that!

Please note that I will continue blogging at janne.is. I will keep this blog as a back-up.

Latest post about the diet spam campaign can be found from here: http://janne.is/2013/07/finding-spammers/

Additional posts can be found from my Twitter feed.

Tagged ,

Blog switch

I finally managed to find a suitable home for my own blog: janne.is 

1984 Hosting (company in Iceland) looked promising considering my budget so I decided to give a try.

For some reason, I also wanted to try a hosting company outside USA…

Tagged

100 hacked websites

Below you can find a list of 100 websites that are currently used in the diet spam campaign affecting both Twitter and Pinterest – possibly used to spread spam on other services as well.

I decided to publish this list for two reasons: a) to warn users about spam links b) to notify the affected websites about possible hack. Even if the spam campaign would stop, the affected sites should be notified. I hope that some (security) companies can help with these tasks.

Like mentioned in my previous post, majority of the affected sites are powered by WordPress. These websites are most likely hacked and might not be malicious at all. But because hackers have managed to install a redirect script to these sites, they might have also installed backdoors and other malicious files.

This list is not complete. I collected the links from Twitter using one search keyword covering past 24 hours. I have tested only some 15 links. Do not test these links – they are listed here only as a warning.

  1. abcommunication.info/xs8cs.php
  2. abrigosalas.com.br/6ng7a.php
  3. acaiforcemaxx.com/rvjar.php
  4. adid.ma/index.php
  5. adventq.com/dzmrh.php
  6. afrigeneas.com/oib.php
  7. alessandromorrone.com/2f5uw.php
  8. allspeed.com/adbk1.php
  9. alluwant4.com/sfr7q.php
  10. annuaire4web.com/yuvdh.php
  11. antiacneblog.com/probins/wp-content/plugins/wptweetbomb/bnabm.php
  12. artefactdesign.com/wordpress/d9sr1.php
  13. artitudinale.org.uk/meq8.php
  14. assayyarrat.com/tr8e.php
  15. balicruise.net/gghro.php
  16. baliseawalker.com/c1g09.php
  17. baliwatersport.com/3ojnp.php
  18. barefootstudio.co.uk/ol9we.php
  19. barsoftball.com/hlf4w.php
  20. bibliofreakblog.com/70nup.php
  21. bisiadewale.com/wqi0.php
  22. blog.ejocuri-noi.ro/1j0j9.php
  23. blog.idglabs.com/syxhl.php
  24. caricaturaschanantes.com/qwlal.php
  25. circleofhealers.com/4m5e2.php
  26. clangeaps3.goodluckwith.us/yp8an.php
  27. clansicarios.com/b3jr.php
  28. combinationladders.org/xnxsh.php
  29. congress.medilldc.net/t830g.php
  30. couple-webcam.com/wp-content/themes/couplank/hh3r.php
  31. deepsouthrugbyconference.com/7nf9w.php
  32. deportivosuchi.com/gt/m87oh.php
  33. designvirtue.com/s7e20.php
  34. deutschland-wasserball.de/3gpvc.php
  35. dev.gvllnyc.com/9pqf.php
  36. digisoft.nl/vijverbergers/z2kks.php
  37. egosteam.amwhosted.com/srhdm.php
  38. ericabodinepottery.com/7l2bv.php
  39. fleetwoodmac.org/7pft.php
  40. florida-cracker.org/noo.php
  41. forexlinecall.com/9g7hu.php
  42. gettingold.org/uja5v.php
  43. gwfinancialassistance.com/keist.php
  44. hitasoft.com/bow64.php
  45. ianharbaugh.com/z51w.php
  46. instantcontentgenerator.net/x0i5q.php
  47. janak-mehta.com/27d6t.php
  48. jayjaygee.ja.funpic.de/fmf81.php
  49. kapikua.com.sv/blog/wp-content/plugins/z8it5.php
  50. karya.biz/xv13l.php
  51. kristianlanear.com/j2tr5.php
  52. lovolguatemala.com/ypntb.php
  53. maxworkpublishing.com/blog/wp-content/themes/maxwork/rr4t1.php
  54. meublewong.com/oeq1c.php
  55. michaeledwardbrowning.com/g2mm3.php
  56. mwrnewcumberland.com/i9y6t.php
  57. nameconnect.com/semk9.php
  58. narcicyst.derivedthread.com/nvjru.php
  59. nexgen-capital.com/wosz5.php
  60. normandyhotelparis.com/w7neg.php
  61. obligationagent.com/9zkxe.php
  62. overunderstl.com/lock-of-the-day/wp-content/plugins/akismet/jj1zm.php
  63. pace-associates.info/3jac6.php
  64. philross.com/e3nz.php
  65. picconsultingng.com/q0nt2.php
  66. pier40champions.org/1f52v.php
  67. postcardformula.net/booster1/wp-content/plugins/zus59.php
  68. prestigemm.com/jpdga.php
  69. prestigeplus.rs/xtcdo.php
  70. primsydoodledesigns.net/8pk4l.php
  71. pro.meconzee.com/drgad.php
  72. prsfit.com/bqx8.php
  73. psblog.org/ev8wh.php
  74. qandadev.org/k5c2.php
  75. r-e-e-l.com/ztfu.php
  76. redhotbits.com/rr7dl.php
  77. rssnews.com.au/blog/wp-content/themes/serious-ric-10/f8edx.php
  78. salonwest54hundred.com/mrjx1.php
  79. shetlandpeople.com/h2o9q.php
  80. shvaas.org/4xm7v.php
  81. skyballleague.com/WordPress/wp-content/plugins/akismet/9640u.php
  82. sms.mojgrad.org/jj55c.php
  83. stamfan.com/ip5mx.php
  84. suttoncoldfieldconservativeclub.com/124e3.php
  85. tacticalgearmanufacturer.com/brlue.php
  86. tamingthemarkets.com/wp-content/plugins/aoi6t.php
  87. thebibleforthenewage.com/vfekg.php
  88. thoreast.com/gqhqc.php
  89. todaysoutdoors.com/s2xxr.php
  90. tolucabaseball.com/96pf6.php
  91. tugbucket.net/qbgb.php
  92. tuning-accessori.com/mh5kl.php
  93. vascellofantasma.com/3lc3u.php
  94. video-documentaire.com/l4lzi.php
  95. web764.linda.webhoster.ag/4k7kd.php
  96. westminstercommunityofshalom.com/55jox.php
  97. whitehavenkiwanis.org/qthtw.php
  98. wp3theme.wpfeed.com/wp-content/plugins/zz53f.php
  99. yourrnc.com/wp-content/themes/yourrnc/o1wer.php
  100. zoraplus.com/yfqyx.php

About Pinterest diet spam

If you are not familiar with the Twitter diet spam campaign, please read my earlier blog post first. Same campaign is ongoing also on Pinterest.  Most likely other social media sites are targeted as well. Just recently similar campaign was spotted on Instagram.

In this post I will explain how to search for “spam pins” on Pinterest by using a domain name. You can first locate compromised web-sites from Twitter by searching e.g. “dr oz helped me lose” – see the screen-shot below:

twitter search dr ozLets pick a domain from the first link: “ianharbaugh.com”. if you visit the site, you will notice it is powered by WordPress like many compromised sites. I believe hackers have scanned a big amount of WordPress-powered sites against known vulnerabilities. By using suitable tools, it is relatively easy to install a backdoor – or like in this case, a malicious redirect script – to the website. The websites may have nothing to do with the spam campaign and are most likely victims like many users.

Back to Pinterest: there is one easy way to search for possible spam pins by using a domain name e.g. http://pinterest.com/source/ianharbaugh.com/ - screen-shot is below:

pinterest source searchNaturally any pin could be real and non-malicious, originating from a normal website making further checks more difficult, but in this case all pins are spam. Screen-shot of the first pin (posted about four weeks ago):

pin-spam-example-editedIf you click on the image or website button, you will be redirected to a diet spam site – so don’t.

Spreading

Spreading spam pins happens easily via “repin” and “like” functions – similar to retweet and favorite on Twitter. After searching for spam pins for about two hours, I think it is safe to say that this spam campaign has been successful also on Pinterest. I have also found many new hacked (WordPress powered) websites.

As noted earlier, many normal Twitter accounts have been compromised for this campaign. It seems same applies to Pinterest. Naturally there are some obvious spam bots involved.

Currently it is not clear how the accounts have been hacked.

Instructions to Pinterest users

If you believe your account has been compromised, change your passwords immediately. Not just on Pinterest: change e-mail, Facebook, Tumblr, Twitter, Instagram etc. passwords. Do not use same password on all services. See also Pinterest Help Center instructions.

Notifying the affected websites

I have sent email two three hacked websites. No responses so far, one email bounced and nothing has been fixed. Some other approach is needed: emailing all admins would take too much time. Website admins might need some instructions, too. Perhaps it is easier to remove all files and re-install WordPress as opposed to deleting malicious files and upgrading all software? I hope some area experts will provide advice on this.

Updates

6:15 PM, GMT+2, new spam pins spotted: http://pinterest.com/source/barefootstudio.co.uk/

Tagged , , ,

How diet spammers hijacked Twitter accounts

One domain used in the Twitter diet spam campaign turned out to be interesting. Below you can see some tweets pointing to womenshealth.com-c.pw

womenshealth-com-pw-may13I used Google search cache:womenshealth.com-c.pw and the result was quite interesting. Page redirected to http://twitter.com-c.pw/ (currently the account is suspended) – a phishing site that may have been used to compromise user accounts.

twitter-com-c-pw-cache

Further reading: Gone Phishing (Twitter blog post from 2009) and related Twitter Help Center article. Phishing is not the only way to hijack accounts, but it can be very effective.

I also found one possible Facebook phishing site: fb-hn.es.vu.  Links to this and similar sites are being spread out on Twitter.

possible-fb-phishing

Did you visit a possible phishing site and got hacked? You can post a comment (anonymously) and tell your story. I believe it is important to share information about these phishing sites and possible other tricks used to hack your account.

Tagged , ,

About the Twitter diet spam

Quite many Twitter users have recently seen messages similar to this:

I lost my 15 pounds and my belly fat using free garcinia: http://womenshealth.com-ar1(.)info :)

This  diet spam campaign has been running for quite some time. If you are not familiar with the topic, please read this article  by Softpedia. Read also: Another day, another round of diet spam on Twitter by Graham Cluley.

This blog post contains some additional information.

Here is a list of domain names and links spammers have been using – note that the list is most likely not complete.

30-Jun update: it seems diet spammers are now also using hacked web-sites making it more difficult to spot and block the domains. Many hacked web-sites are using an old version WordPress. Most likely hackers have installed the malicious redirect-script by using a known vulnerability. List of spotted links can be found below (bold).

  • com-15.us, com-11.us, com-10.us, com-17.us, com-16.us, com-14.us
  • org-17.us, org-18.us, org-10.us, org-13.us, org-14.us
  • net-10.us, net-11.us, net-12.us, net-13.us, net-16.us, net-15.us
  • com-expo.in
  • com-mgc1.pw
  • com-wen.pw
  • com-ar1.info
  • com-ar2.info (28-Jun – including cnbc.com-ar2.info which is not diet related)
  • com-garcinia-diet.net
  • com-article-diet.net
  • com-articles-diet.net
  • com-gc.net
  • com-lifestyle-article.net
  • com-sat.pw
  • com-may.us, com-april.us, com-june.us
  • tumblrhealth.me
  • com-news-garcinia.net
  • com-c.pw (womenshealth.com-c.pw – reported as a web forgery)
  • com-0624.net (weightloss.com-0624.net)
  • com-06-24-12.net (loseweight.com-06-24-12.net)
  • net-2.us, net-18.us (28-Jun)
  • com-lot.pw (28-Jun)
  • com-indexrx.us (29-Jun)
  • com-mo.com (29-Jun – links appear to be broken)
  • toysoncam.com/pbdv.php (30-Jun – most likely a hacked site)
  • nameconnect.com/semk9.php (-,,-)
  • ericabodinepottery.com/7l2bv.php (-,,-)
  • tacticalgearmanufacturer.com/brlue.php (-,,-)
  • thoreast.com/gqhqc.php (-,,-)
  • tugbucket.net/qbgb.php (-,,-)
  • suttoncoldfieldconservativeclub.com/124e3.php (-,,-)
  • baliseawalker.com/c1g09.php (-,,-)
  • balirc.com/3d0f.php (-,,-)
  • bibliofreakblog.com/70nup.php (-,,-)
  • baliwatersport.com/3ojnp.php (-,,-)
  • obligationagent.com/9zkxe.php (-,,-)
  • primsydoodledesigns.net/8pk4l.php (-,,-)
  • annuaire4web.com/yuvdh.php (-,,-)
  • tolucabaseball.com/96pf6.php (-,,-)
  • barsoftball.com/hlf4w.php (-,,-)
  • mygoalfriend.com/v45z.php (-,,-)
  • stamfan.com/ip5mx.php (-,,-)
  • prestigeplus.rs/xtcdo.php (-,,-)
  • shetlandpeople.com/h2o9q.php (-,,-)
  • nexgen-capital.com/wosz5.php (-,,-)
  • psblog.org/ev8wh.php (-,,-)
  • radiointel.net/iav16.php (-,,-)
  • wp3theme.wpfeed.com/wp-content/plugins/zz53f.php (-,,-)
  • digisoft.nl/vijverbergers/z2kks.php (-,,-)

Spammers use sub-domains in order to fool users e.g. womenshealth (womenshealth.com-ar1.info), healthywomen (healthywomen.com-garcinia-diet.net), dieting.com-articles.net, loseweight.com-news-garcinia.net etc. Please note that womenshealth.com and healthywomen.com do not have anything to do with these spam domains. It is relatively easy to spot the spam if you pay attention to the full domain name.

(WOT) Web of Trust maintains a list of spam domain names. @JoshMeister has published a list of domains and links in his blog.

Other tricks

Spammers have also used other tricks such as open redirect vulnerabilities and Google search. More information in E hacking news. At least one open redirect vulnerability has not been fixed yet: wzus1.ask.com. In these cases the domain (e.g. http://ask.com/) is most likely not malicious. Spammers simply misuse a known vulnerability to get users to visit spam sites without realizing it – before it is too late. Example post:

open redirect Twitter spam example

The spam tweets or DMs may come from your followers, unknown persons or even from people you know. There are many “spam bot accounts” involved. But the most worrying part in this campaign is the hijacked user accounts. It is not clear how the accounts were compromised.

Twitter instructions for reporting spam: https://support.twitter.com/articles/64986-how-to-report-spam-on-twitter. Reporting account for spam could be difficult in case the tweet originates from a known person or a friend. It might be also ineffective: the account will not be suspended automatically.

On 26th of June CEO of Twitter, Mr. Dick Costolo (@dickc), reacted to user complaints on Twitter: “we are on it”. I have not yet seen any other public reactions or instructions from Twitter.

Similar spam campaigns

Facebook, Tumblr and Pinterest are also affected

Twitter is not alone with this problem. I have read about similar problems affecting Tumblr, Facebook and Pinterest. E.g. http://pinterest.com/kylef1337/wedding-photography/ – contains “wedding photography” with links to scam pages such as www(.)msnbc.msn.com-april.us (main domain name: com-april.us). This one: http://pinterest.com/source/sms.mojgrad.org/ uses another domain: sms.mojgrad.org which redirects users to http://www.womenshealthmag.com-may.us.

Here is an example spam post from Facebook:

diet spam - Facebook Example

Basic instructions

Affected users should change their passwords – yes, all of them – immediately. If that doesn’t stop the spamming, there could be some malicious 3rd party Twitter application involved. You can find instructions on how to revoke access or remove an application from here.

If your account was hacked and tweeted diet spam, it would be interesting to hear about your experiences.

Tagged , ,

Missing Twitter User

I try to follow the hacking scene also on Twitter. Example sources: Cyber War News (or CWN), E Hacking News and The Hacker News. Recently I noticed a Twitter user called @1923Turkz posting information about fake hacks. After my feedback, this user (and some others) got upset and posted some angry feedback and DMs.

But suddenly @1923Turkz was gone or to be more precise, apparently changed the Twitter screen name to “@IBH_CREW”:

@1923Turkz  – from Turkey according to the profile – was now suddenly pointing to completely different account. According to the profile, @IBH_CREW was from Iran, with zero tweets but over 23K of followers.  The account favorites-list suggested that only the account name was changed.

IBH_CREW profileNo magic tricks or l33t Twitter hacks – just a simple screen name change. But this morning IBH_CREW was gone and I could not find any tweets or users that would resemble the original @1923Turkz. Google search to the rescue! Search site:twitter.com @1923turkz – on page 2 I found a working link:

google-twitter-site-searchBut when I followed the link, there was yet another screen name: @TheEvil3st (from Russia…):

theevil3st-tweetNote that the URL still had the original screen name “1923Turkz”.

Luckily there is an easier way to keep track of Twitter accounts: the user ID. A quick look at the API revealed that it is possible to get both the user ID and the screen name using the “status” number (293156809957572610 in this case). Twitter API tells us that the tweet was posted by user nr #1043660580, currently using screen name @PakCyberEaglez (likely to change).

There is also an API for checking the User ID from screen name which in this case confirms that the ID is the same.

it seems Twitter mobile is updated a bit slower so I was able to pull out the tweet with current user information:

twitter-1923turkz-single-tweetUpdate 3

CWN has done some further investigations. The current screen name of @1923turkz is @kwgdeface, pretending to be a hacker group from Kosovo who also commented the issue:

The related Cyber War New posts are now tagged as “Fakers”.

According to other sources, one earlier name of this account was @officialHmei7:

Update 4 : yet another screen name change, now it is @ReZK2LL 

Update 5 : now the user ID resolves to @ChinaBlueArmy

Lesson learned? If you want to hide your Twitter account for some reason like identity crisis, it is better to delete the current account and create a new one. Screen name can be changed, but that has no affect on the user ID. Also, Twitter API is a nice tool.

The thing about lying is, it is quite exhausting – you have to remember a lot. – Rupert Everett

Tagged ,

Yet another blog switch

With the help of my supporters, I was able to setup a new blog: janne.is

I will update this blog if/when needed, but please check janne.is for new entries.

Tagged

Penske Media Cross-site Scripting

Update 05-Jan-2013:

All reported issues has been fixed. Packet Storm entry has been updated: http://packetstormsecurity.com/files/118249/Penske-Media-Corporation-Cross-Site-Scripting.html

_____________________

 

Original situation:

Multiple Penske Media Corporation (http://www.pmc.com) web-sites are vulnerable to reflected Cross-site Scripting attacks. Vulnerable sites 20-Nov-2012:

Variety.com, La411.com, NewYork411.com and Deadline.com

_____________________

Update 27-Nov-2012:

Senior Director of Engineering at PMC contacted me shortly after this post. Security issues are being addressed in effective manner.

- Deadline.com  – Issue has been fixed during Thanksgiving holiday

According to PMC, rest of the vulnerabilities should be fixed in the near future.

_____________________

Packet storm advisory: http://packetstormsecurity.org/files/118249/Penske-Media-Corporation-Cross-Site-Scripting.html

I reported the findings initially to various contacts at Variety on 16-Oct-2012. All reporting attempts apparently failed, because there has been no response.

Users should be careful and avoid clicking on the links that are pointing to XSS vulnerable domains.

Example screen-shots:

Deadline.com XSS

Variety.com XSS

Tagged ,

When vulnerability disclosure fails

Many security researchers try their best to disclose vulnerabilities in professional and responsible manner. When the receiving party does not respond or does not implement fixes – or in the worst case responds, but does not implement fixes, researchers do not have good options.

Full-disclosure is one option. I will try to limit full-disclosure realizing it cannot be fully avoided. This post covers some of the recent failures regarding reflected Cross-site Scripting (XSS) vulnerabilities.

It is just Cross-site Scripting – why should I care?

Here is one good article on How To Exploit an XSS (Detectify blog 7-Nov-2012). Session hi-jacking, all kinds of phishing or spreading malware are just some examples. Attacks do happen. In majority of the cases site users are the victims – attacks are not targeted directly against vulnerable sites. Attacker spreads innocent looking, but malicious links in social media, blogs, e-mails and discussion forums hoping someone will fall into the trap. Someone usually does.

Below is a screen-shot of a Proof-of-Concept XSS phishing attack against a real, vulnerable WordPress powered blog. That case is covered on my other blog.

Note that all HTML content comes from an external script. URL is long enough to hide the XSS payload possibly also from web-server logs.

I still don’t care, your silly PoC shows a blog post!

A blog can be actually a very attractive XSS target depending on various things like popularity and domain name (==trust), but how about a company like Air France?

Notice the login form in the middle? That is a fake, a Proof-of-Concept


This case falls into the category: “communication succeeded, fixes did not”. First communication attempts were made on August. CERT-IST helped me to find a contact point within few days. Almost three months have passed and this issue has not been fixed. It was supposed to be fixed during September. Alexa traffic rank of the vulnerable site in France is 264.

SouthWest Airlines had a similar issue, which was fixed after my blog post. I have not received a single response. I tried to contact SouthWest multiple times between August-October using e-mail, online forms and Twitter.

Other recent examples

Rollingstone.com XSS

Usmagazine.com XSS

Technorati.com XSS

Often there is no time to create a Proof-of-Concept, just some basic test cases and screen-shots. Perhaps that is not enough for some recipients.

Enough whining already: what can we do?

Responsible vulnerability disclosure should be a short, but a clear dialogue. Domain owners, web-masters and coders – please consider opening a channel for security researchers. E-mail is preferred. Open security@yourdomain, security-alert@yourdomain, secure@yourdomain or similar email address and monitor it. This is fairly easy and cheap solution. The normal contact addresses like info@yourdomain often do not work with vulnerability reports. Contact forms are bad for reporting security vulnerabilities.

There are plenty of good examples such as eBay, Microsoft, PayPal, Google and Facebook just to name a few.

A word of caution to all users: Be careful when clicking links pointing to XSS vulnerable web-sites. Some of them might be malicious.

Tagged , ,
Follow

Get every new post delivered to your Inbox.