MySpace: bulletin and other spam

MySpace spam

MySpace is a vast collection of web real estate begging to be spammed. I keep receiving spam bulletins from some of my MySpace friends, so this is a little explanation of what MySpace spam is and how it can be fixed:

Tricks used by MySpace spammers

Trick #1: hidden bulletin post form
As described by ericis.com, MySpace did not protect the bulletin submission page enough. Bulletins could be sent by an unsuspecting logged-in user through a hidden form on any page, instead of only through the official submission form, because the site accepted the post as long as it arrived with your login cookie. So you might click on what seems to be just a link to a site/profile, but you are really sending a bulletin to all your friends. That bulletin might invite them to click on a link which hides another hidden form, and so on.
STATUS: This vulnerability has been addressed by MySpace, but whether it is completely fixed is another question.

Trick #2: man-in-the-middle password theft

You click on a link, and you are taken to what seems to be the MySpace login page. “That’s weird”, you think, “I thought I was already logged in, but what the heck”, you type your password and you get to the page you wanted. In reality, the login page was not on a myspace.com server but on a malicious site (they just copied the exact same layout), and they now have your password (cf. chyna.wordpress.com)! They can now use automated scripts to log in and change your profile, or to send bulletins to all your friends. This password stealing technique is also called ‘phishing’.
Sounds improbable? Well: it costs $15 to send a bulletin to 100k MySpace “Friends”. Where do you think those 100,000 friends come from?
A recent example: Aug 27 2006.
STATUS: the only way to protect against this would be to disable external links. I don’t see that happening, so this is still something to look out for!
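Item 7 of the “Protect yourself” list below says to make sure a login URL starts with http://login.myspace.com. As an added example (not from the post), the script below compares that literal string check with a check on the host the browser will actually connect to; the sample URLs are constructed and evil.example is a placeholder, not a real site.

```javascript
// Hosts that may legitimately show a login page (taken from the post's advice).
const TRUSTED_LOGIN_HOSTS = new Set(["login.myspace.com"]);

// The literal advice from the post: a prefix test on the raw string.
function prefixCheck(raw) {
  return raw.startsWith("http://login.myspace.com");
}

// Parse the URL and look at the host name the browser will really talk to.
function hostCheck(raw) {
  let url;
  try {
    url = new URL(raw);
  } catch (e) {
    return false; // not a valid absolute URL at all
  }
  if (url.protocol !== "http:" && url.protocol !== "https:") return false;
  return TRUSTED_LOGIN_HOSTS.has(url.hostname.toLowerCase());
}

// Constructed sample URLs; evil.example is a placeholder domain.
const CASES = [
  "http://login.myspace.com/index.cfm",     // genuine
  "https://login.myspace.com/index.cfm",    // genuine, but the prefix test rejects https
  "http://login.myspace.com.evil.example/", // lookalike: trusted name is only a subdomain label
  "http://login.myspace.com@evil.example/", // text before "@" is user-info, not the host
  "http://evil.example/login.myspace.com/", // trusted name buried in the path
];

function compare(urls = CASES) {
  return urls.map((u) => ({ url: u, prefix: prefixCheck(u), host: hostCheck(u) }));
}

for (const row of compare()) console.log(row);
```

The prefix test both misses the genuine https page and accepts two of the three impostors; only the parsed host name tells you where the password will be sent. The same comparison applies to any site, not just MySpace: put the trusted host names in the set and check the parsed host.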

Trick #3: Cross-site scripting (XSS) or MySpace worms
As reported by xavsec.blogspot.com, Kuro5hin and namb.la, malicious Flash (SWF) files have been used to infect profiles: you get to a page, the SWF (which might be a visible animation or just hidden) detects that you are logged in on MySpace and uses an unprotected (unsanitized) input to rewrite your MySpace name and profile.
The first one of these was the “Samy popularity worm”:

1 hour later, 9:30 am: You have 74 friends and 480 friend requests.
Oh wait, it’s exponential, isn’t it. Shit.

STATUS: the known worms are blocked, new ones aren’t.

Trick #4: fake MySpace profile pages
Profile pages that look like a real person (mainly female, young and attractive), but in the ‘Thank you for the add’ comments the links are actually advertising for e.g. webcam sites. You get invited to become their friend and when you check out their profile page, you see the advertising. This could also be combined with any of the three tricks above for more damage. (via photomatt.net)
STATUS: if they misbehave too much, their profile might get deleted by MySpace. Otherwise, they’re still around.

The main reason why all this is possible on MySpace and not on most other sites is that

  • MySpace has an “everything is allowed except …” security policy for their content checking (a denylist), instead of the safer “everything is forbidden unless …” approach (an allowlist).
  • MySpace allows anyone to insert whatever HTML + JavaScript into their pages. JS is like a Swiss army knife: it can be very useful, but in the wrong hands the effects can be devastating.

An example: at some point MySpace removed all <script> tags, but tricks like this one were invented to get around that:

<div id="mycode" expr="alert('hah!')" style="background:url('java
script:eval(document.all.mycode.expr)')">

(The line break inside “java script” is deliberate: the filter looked for the word “javascript”, while browsers of the time ignored the break and ran the URL anyway.) Which MySpace then fixed. MySpace is continuously playing catch-up with inventive hackers.
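To make the denylist-versus-allowlist point concrete, here is an added example (written for this post, not MySpace’s filter) that runs the post’s own <div> trick through both kinds of filter. The tag list, the attribute rules and the sample inputs are all constructed; a production sanitizer would use a real HTML parser rather than the regular expressions used here for brevity.

```javascript
// Constructed sample: the post's own <div> trick, with the deliberate line break inside
// "java\nscript" and a harmless bit of text.
const SAMPLE_PROFILE_HTML =
  '<div id="mycode" expr="alert(\'hah!\')" ' +
  'style="background:url(\'java\nscript:eval(document.all.mycode.expr)\')">hi</div>';

// "Everything is allowed except ...": strip the things we know are bad.
function sanitizeDenylist(html) {
  return html
    .replace(/<script\b[^>]*>[\s\S]*?<\/script\s*>/gi, "")
    .replace(/javascript:/gi, "");
}

// "Everything is forbidden unless ...": only these tags, only these attributes, survive.
const ALLOWED = new Map([
  ["p", []], ["br", []], ["b", []], ["i", []], ["em", []], ["strong", []],
  ["div", ["id", "class"]],
  ["a", ["href"]],
  ["img", ["src", "alt"]],
]);
const URL_ATTRS = new Set(["href", "src"]);

function safeUrl(value) {
  // Remove whitespace and control characters first, so "java\nscript:" is seen as "javascript:".
  const normalized = value.replace(/[\s\x00-\x1f]/g, "").toLowerCase();
  if (/^https?:\/\//.test(normalized)) return true;
  // Any other scheme (javascript:, data:, vbscript:, ...) is rejected; scheme-less relative paths pass.
  return !/^[a-z][a-z0-9+.-]*:/.test(normalized);
}

const escapeText = (s) => s.replace(/</g, "&lt;").replace(/>/g, "&gt;");
const escapeAttr = (s) =>
  s.replace(/&/g, "&amp;").replace(/"/g, "&quot;").replace(/</g, "&lt;").replace(/>/g, "&gt;");

function sanitizeAllowlist(html) {
  const TAG_RE = /<(\/?)([a-zA-Z][a-zA-Z0-9]*)([^>]*)>/g;
  const ATTR_RE = /([a-zA-Z][\w-]*)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+))/g;
  let out = "";
  let last = 0;
  for (const m of html.matchAll(TAG_RE)) {
    out += escapeText(html.slice(last, m.index));
    last = m.index + m[0].length;
    const closing = m[1] === "/";
    const tag = m[2].toLowerCase();
    if (!ALLOWED.has(tag)) continue; // unknown tag is dropped; its text content stays as text
    if (closing) {
      out += `</${tag}>`;
      continue;
    }
    let attrs = "";
    for (const a of m[3].matchAll(ATTR_RE)) {
      const name = a[1].toLowerCase();
      const value = a[2] !== undefined ? a[2] : a[3] !== undefined ? a[3] : a[4];
      if (!ALLOWED.get(tag).includes(name)) continue; // expr, style, onerror, ... all land here
      if (URL_ATTRS.has(name) && !safeUrl(value)) continue;
      attrs += ` ${name}="${escapeAttr(value)}"`; // re-serialised, so stray quotes cannot break out
    }
    out += `<${tag}${attrs}>`;
  }
  out += escapeText(html.slice(last));
  return out;
}

console.log("denylist :", sanitizeDenylist(SAMPLE_PROFILE_HTML));   // payload passes untouched
console.log("allowlist:", sanitizeAllowlist(SAMPLE_PROFILE_HTML));  // <div id="mycode">hi</div>
```

The denylist filter returns the sample unchanged: there is no <script> tag, and “java\nscript:” is not the string it is looking for. The allowlist filter never has to know about that trick, because `expr` and `style` are simply not on the list of attributes a <div> may carry, and a URL attribute is only kept after normalisation shows an http or https scheme. The cost is that legitimate profile decorations that use unlisted tags or attributes are lost too, which is exactly the trade-off the “everything is forbidden unless” policy makes.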

I actually have some ideas of the hacks we will see in the future (it’s not that hard to predict), but I don’t want to help anyone that would use them, so I’ll just shut up. What I can say is:

Protect yourself

  1. Do you get complaints from your friends about spam bulletins that were sent in your name? Bad sign!
  2. Check your “Sent” mail. Are there messages there that you did not send? Bad sign!
  3. Do you see friends on your list that you did not add yourself? Bad sign!
  4. Change your password: go to your “Account settings” and click “Change Password” (this undoes the effect of Trick #2, password theft)
  5. Clean out your profile: go to your “Edit Profile” page and clean out the “About Me”, “I’d like to meet”, “Interests”, … text boxes. (this undoes the effect of Trick #3, a worm rewriting your profile)
  6. Don’t click on links in bulletins. Better still, don’t read your bulletins at all.
  7. If you unexpectedly get a MySpace login screen, make sure the URL starts with http://login.myspace.com.
  8. “So if you use Myspace, use your head. Don’t download or install software from untrusted sources, even those apparently recommended by your friends.” (Washington Post)
  9. Only become ‘friends’ with people you know or artists you know. This blonde chick from Houston with 5000 friends is dying to become your buddy? Chances are, “she” might actually look more like Onslow (from Keeping up Appearances). If that is actually your type, forget I said that.
  10. Go easy on the profile pimping. If you just take whatever HTML you get from some site and paste it in your profile, that’s like taking a drink from a stranger. Next thing you know you’re screwed.

20 thoughts on “MySpace: bulletin and other spam”

  1. Thanks for this guys – I have given the link to this page to about 2 dozen people in the last week!
    Well explained, and the clip is great.

  2. A full syntax would be:
    Author. "Title of Web Page." Title of the Site. Editor. Date published.
    Name of Sponsoring Institution. Date of Access <URL>.

    Which in the case of this one-person blog (with pretty, date-based permalinks that don’t disappear)

    Author. "Title of Web Page." Title of the Site.
    <URL>.

    Example:
    Peter Forret. “Myspace: bulletin and other spam” blog.forret.com.
    <http://blog.forret.com/2006/10/myspace-bulletin-and-other-spam>.

    (via MLA Citation Examples)

  3. Problem to solve (please):

    I copied and pasted some video code from the ‘my interests’ section into the ‘networking’ section, thinking it would simply move the videos to a different place in the profile. However it overrode all other code, hid the ‘my comments’ section and made the whole page 1 column wide. When I went back to edit this code, it had been formatted into a table and the delete/remove box was not on the table (I guess it has been pushed off the end by the video box width). Does anyone know how I can get my profile back to normal? Or at least how to reset it? Please help!

  4. Hey, I’m wondering if anyone can help me with a nasty MySpace virus affecting my page. A friend of mine has left a spam comment on my page but it’s blocking all my other comments and won’t let me delete it. I even tried deleting my friend but the comment is still there. I remember reading a notice on MySpace about these but can’t find any way of getting rid of it, and having my comments returned to normal. If anyone knows how to fix this I would be incredibly grateful! Thanks

  5. To Jenna:

    You need to delete it through safe mode. To do this you will go to “edit profile” and to the far left there should be a link that says “safe mode”. Click it and then click the tab that says “comments”; then you will be able to delete the comment. This spam SUCKS! Tell your friend to change their password ASAP or it will just happen over and over.

  6. I keep sending my friends all these spam messages which are driving them crazy and my profile keeps getting changed and my interests, sports etc. keep getting deleted!!! I try to change my password but it won’t let me. Is there any way I can get rid of this??

  7. Yeah. The same thing that is happening to Lisa is happening to me. Except none of my friends can view my pictures, it just comes up with ‘This page cannot be displayed’ every time.
    It is really starting to piss me off.
    I changed my password and everything but I still can’t view my pics.
    I really don’t want to get a new myspace, but I think I might have to if this keeps happening.
    =[
    Please help.

  8. Don’t read your bulletins at all.. that’s like saying don’t use myspace. Bulletins are one of the top 2 or 3 features of myspace. I wouldn’t even bother becoming friends with people if I wasn’t going to read their bulletins. Heh.

  9. thnx soooooo much!!! u helped me understand whats happening to my myspace and it really helped…. i gave all my friends this website on myspace to help them too!!! again, thank u sooooooooo much!!!!
    urs truly,
    Rayna

  10. Yes, this is true also in Slovakia: many hackers made bank website templates with the same layout as the bank web page, with logo, and put a login to e-banking there, and people logged in and afterwards their money disappeared from their account. This is the same trick.

  11. Somebody is using my account to send spam comments to people on my list. Also, people are receiving comments from me that are as follows:

    ..

    That’s it. Just two periods. I changed my password and it didn’t work. How can I stop this?

  12. JackyMool: .htaccess is for use by webadmins on their webservers to set access permissions to a folder or file in the folder on their webserver.

    If you are thinking of using it for MySpace it’s useless as you don’t have access to the webserver to set it up. Even still it wouldn’t help at all. Unless you plan to make your profile password protected so that only your friends would know…

    But again you can’t on MySpace; you only have access to your HTML, not the files or folders in it.

  13. Thanks so much for this info. I posted it on my space for others to see.

    I noticed the spam popping up when it wasn’t being sent out and notified MySpace about 3 links in particular. They wanted to know the URLs. When I clicked on the links, it gave me the double login screen and I thought it was strange. My AVG picked up the JS Psyme virus.

  14. I just decided to cancel my account after I fell for that phishing scam. It’s not too hard to start over fresh! I read about the man-in-the-middle scam and was worried about identity theft.

  15. I agree completely, spammers suck. I’m tired of wasting my time deleting friend requests from supermodels that want to spam me. I’m tired of typing in captcha after captcha. I’m tired of spam.
    Try this one on for size,

    Socialhood Watch
