MSN Spamharvesting – A Caution…

Let me set the scene: I was randomly on MSN when a friend of mine sent me a message saying “http://www.almanbirasi.info/list :)”. On inspection, the site appears to offer a service to tell users who has blocked them on their contact list, a function not available in regular MSN.

I would highly advise anyone looking at any such ‘third party’ service to do a bit of background digging before giving ANY of their details over to a dubious third party. I was immediately suspicious and I will detail for you why.

1) The page looks well designed, but has no Google PageRank. This can mean one of many things, but usually it means a site or page is new. A service such as an MSN block checker is likely to spread virally (if it worked and was genuine), and this would likely lead to it being assigned a PageRank. This is one case where an SEO-based tool can be very handy.

2) Whenever you are prompted for personal or account details, you should immediately stop for a sanity check: look to see who owns the site (this can be done with a whois lookup) and whether your data will be secure. This takes two forms. One: is the site reputable (this can be checked in a number of ways)? Two: will your data be secure? For the latter, consider encryption (is the page SSL secured?) and data storage (does the site have a privacy policy, etc.).

3) The link ‘http://www.almanbirasi.info/list’ in fact takes you to a page ‘http://www.msnliststatus.com/’, which is a bit odd.

4) The .info TLD – call me a domain-ist if you will, but I don’t trust this TLD.

5) The terms of service explicitly state that by using their service you are opting in to (a doubtlessly un-opt-out-able) advertising service.
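
The checks in points 2 to 4, applied to the two URLs from this post, as an added example that is not part of the original post. `vet_link`, `site_key` and `WATCHED_TLDS` are hypothetical names, the redirect chain is typed in by hand rather than fetched, and comparing the last two labels of the host name is a simplification.

```python
from urllib.parse import urlsplit

# Assumption: TLDs this reviewer treats as lower-trust (the post singles out .info).
WATCHED_TLDS = {"info"}

# The link as received and the page it lands on, both taken from the post.
POST_CHAIN = ["http://www.almanbirasi.info/list", "http://www.msnliststatus.com/"]


def site_key(host):
    """Naive registrable domain: the last two labels of the host name.

    Assumption: adequate for .com/.info; a real tool would consult the
    Public Suffix List so that e.g. .co.uk hosts are grouped correctly.
    """
    return ".".join(host.rstrip(".").split(".")[-2:])


def vet_link(chain, asks_for_credentials):
    """Return a list of warning strings for a redirect chain.

    chain: absolute URLs in the order visited (first = link as received,
    last = landing page). asks_for_credentials: True if the landing page
    prompts for a login.
    """
    hops = [urlsplit(u) for u in chain]
    if not hops or any(h.hostname is None for h in hops):
        raise ValueError("every hop must be an absolute URL")
    flags = []
    # Point 3: the link hands the visitor to a differently named site.
    for prev, nxt in zip(hops, hops[1:]):
        if site_key(prev.hostname) != site_key(nxt.hostname):
            flags.append(f"cross-site redirect: {prev.hostname} -> {nxt.hostname}")
    # Point 2: a login prompt on a page that is not served over TLS.
    landing = hops[-1]
    if asks_for_credentials and landing.scheme != "https":
        flags.append(f"credentials requested over {landing.scheme}://")
    # Point 4: any hop on a watched TLD (each host reported once).
    for host in dict.fromkeys(h.hostname for h in hops):
        if host.rsplit(".", 1)[-1] in WATCHED_TLDS:
            flags.append(f"watched TLD: {host}")
    return flags


if __name__ == "__main__":
    for flag in vet_link(POST_CHAIN, asks_for_credentials=True):
        print(flag)
```
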

As it turns out, I was right. I sent a message back expressing my concerns to this person, assuming he had stumbled across it and sent me the link. Here is the conversation we had, edited to remove the name of the person.

Person A says:
http://www.almanbirasi.info/list
Konrad says:
what is this?
Konrad says:
haha no way!
Konrad says:
it has no page rank, i.e. its a great way to loose your login details to do something you can do within gaim / pidgin
Person A says:
huh?
Konrad says:
I would not use it
Person A says:
huh?
Konrad says:
looks like a big security hole
Person A says:
what?
Konrad says:
lol you tried it didnt you?
Person A says:
what?
Person A says:
did it just send a message for me?
Person A says:
fucking thing
Konrad says:
hahahaha!
Person A says:
sorry, just changing my password
Konrad says:
lol
Konrad says:
thats funny
Person A says:
did it send a message to you
Konrad says:
yes

So, as you can see, he used this utility and it logged into his account and sent me (and presumably others) a link back to its page, without him either knowing or giving his permission for this. It appears this has been going on for a few months, with users also reporting having their accounts hijacked. Luckily, there is a very simple way to determine whether you are on a person’s contact list or whether he/she has blocked you, on a variety of accounts and not just MSN: Google Talk, ICQ, AIM, etc. It involves using a free, open source program called Pidgin.

Install it, set up the account you want to use and log in. Right-click on the contact and select ‘Get Info’; this window should tell you everything you want to know about a certain contact, as illustrated below.

My friend is very clued up about systems, IT and security, but he fell for it. Just be careful on the web.

Categories: Funny, Random, Rant, Security
  1. Kaitlin
    January 29, 2008 at 1:35 am

    There are so many things like this floating around. Pictures, files, links…fun fun fun.

    I already have Pidgin, because I’m awesome. The only thing I miss about MSN is the alerts. You can set up ‘pounces’, but I hate that they’re a dialogue box. Ah well, for the moment it’s just in a sidebar so I can SEE when people come online…

  2. Eddie Pasternak
    January 29, 2008 at 11:17 pm

    “…way to loose your login details…”

    Typical innernet wording

  3. January 29, 2008 at 11:22 pm

    @Eddie – if that was a dig at my grammar, check your spelling 🙂

  4. February 23, 2008 at 9:05 am

    I've had MSN for about 2 years and haven't seen this before… until now, because I've got it (I think). I've been receiving lots of emails from unknown people and I've been signed out of MSN about five times. I have been on this website and (unfortunately) given my details. 3 of my contacts have this type of virus and another 3 have the type where they give out compressed folders and expect you to accept them!!
    I don't really know what to do… do I HAVE to change my password or is there some other way of getting rid of it?? (except for getting another account)
    Please reply back soon because I use MSN a lot because I'm 13 lol and I've been looking for an answer of what to do since I got it!!
    P.S. Sorry about my spelling and stuff!!

  5. February 23, 2008 at 7:34 pm

    @Emma,

    Hi, it is important to make a distinction between what a virus and a Trojan are. A virus (or more frequently worm) is a program that replicates itself either locally (i.e. only on someone’s computer) or remotely (via the internet by email / IM etc). A Trojan (from Trojan Horse http://en.wikipedia.org/wiki/Trojan_horse_(computing) ) is a program (or in this case a website) that purports to offer a service or functionality in order to entice potential victims.

    Although I have not seen any files / attachments being passed to either myself or any of my friend’s contacts, it has been reported on some forums. An important thing to note is that you cannot be sent (to my knowledge) files or messages anonymously, that is, all files / messages have to come from someone@somedomain.com. Presumably if you exercise caution in who you add (or accept adds from) the threat of this will diminish. The problem is, if a friend’s account has been stolen or compromised by this or any other Trojan, it is difficult to distinguish whether a link or file transfer initiation is legitimately them or from a bot somewhere.

    I would recommend you NEVER open a link as taken from an IM screen. For example, if a link appears as http://www.somedomain.com, there are ways of spoofing the address you are actually sent to. If you wish to go to this page, the best thing to do is open up a browser like Firefox (or anything not reliant on the Internet Explorer engine, e.g. Opera) and open up the link by typing the address directly. Of course, please exercise caution.

    With regards to file transfers, in theory a good antivirus program should scan any program / file that is downloaded. This, coupled with the security measure which stops MSN Messenger from downloading executable files (or scripts), *SHOULD* keep you fairly safe, although again, if you do not trust the source or if the transfer comes out of the blue, be suspicious. The best way is just to engage the person in conversation; if it is a bot, generally it will have a very limited set of responses and shouldn’t require a Turing test (http://en.wikipedia.org/wiki/Turing_test) level of examination. 🙂

    Also of note is that any MSN Messenger specific exploits are unlikely to succeed if you use an alternative program other than MSN, e.g. Pidgin. There are lots out there so take your pick.

    The very first thing I would do is change your password and advise everyone on your contact list to do the same thing. Other than that, another account is the best bet; because all the records are kept on a server somewhere, it is impossible to delete them or take any other action.

    Hope that helps 🙂
