Eldar Marcussen: September 2010 Archives

More CPALead facebook abuse

It's not really surprising that these guys are still at it, I was however a little surprised to see that they have branched out into region specific apps and pages. Perhaps it helps avoid detection? The text in the image (cpalead-like-spam-norsk.PNG) is Norwegian and translates to "Teenage mum arrested after having uploaded a disgusting video of her child" and "see the video".

Looks like fun, so let's look behind the curtain.
linux:~$ GET http://tinlike.info/
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"
"http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" dir="ltr" lang="en-US" xmlns:og="http://opengraphprotocol.org/schema/" xmlns:fb="http://www.facebook.com/2008/fbml">
<head>
<title>Tenåringsmamma fengslet etter å ha lastet opp motbydelig video av barnet sitt</title>
<meta name="description" content="Tenåringsmamma ble arrestert og satt i fengsel etter å ha lastet opp motbydelig video av sin to år gamle datter!"><meta property="og:site_name" content="Se videoen!"/>
<meta property="og:title" content="Tenåringsmamma fengslet etter å ha lastet opp motbydelig video av barnet sitt"/>
<meta property="og:url" content="http://tinlike.info/"/>
<meta property="og:image" content="http://i51.tinypic.com/716ako.jpg"/>
<meta property="og:description" content="Tenåringsmamma ble arrestert og satt i fengsel etter å ha lastet opp motbydelig video av sin to år gamle datter!"/>
<meta property="og:type" content="website" />
<meta property="fb:app_id" content="149463805092381"/>
<meta http-equiv="content-type" content="text/html; charset=UTF-8" />
<link href="/css/style.css" rel="stylesheet" type="text/css" />

</head>
<body>
<div id="fb-root"></div>
<script src="http://connect.facebook.net/en_US/all.js"></script>
<script type="text/javascript" src="jquery.js"></script>

    <div id="header2">
            <h1 class="h1pages" align="center">Tenåringsmamma fengslet etter å ha lastet opp motbydelig video av barnet sitt!</h1>
</div>
<div class="capwrap">
    <div class="grid2col">
        <div>
            <div style="width:920px"><div class="right" style="width:800px;margin-right:50px;">
            <center <img src="http://tinlike.info/images/2q1rwjk.jpg"> </center>
              </div>


              </div>
            <div class="left">
                          <div align="center">
                            <h1 style="color:#FF0000;">Tenåringsmamma ble arrestert og satt i fengsel etter å ha lastet opp motbydelig video av sin to år gamle datter!</h1>
                            <p><br>
                            Følg de <strong>enkle stegene</strong> nedenfor for å se videoen (det tar bare 10 sekunder!) </p>
                            <img src="http://i33.tinypic.com/2emfn0p.png">
<noscript>Please enable JavaScript in your browser to continue.</noscript>
                          </div>
                          <div id="step1" align="center"><div class="step">
                            <h2 class="h2page"s>Steg 1 - Klikk "Like"</h2>
                            <br>

        <div id="like">
                <fb:like font="lucida grande" width="350" show_faces="true" action="like"></fb:like>
        </div>

</div></div>
<div align="center"><div id="step2"><div class="step">
  <h2 class="h2page">Steg 2 - Klikk "Share"</h2>
<br>

        <div id="share">
                <input id="share-button" class="button" type="submit" style="width:100px" value="Share" onclick="share()" />
        </div>
        </div>

                <div id="step3">
                        <form id='fm-content' method="get" action='readko.php'>
                                <input name="hidden" type="hidden" value="hidden" />

                        </form>



</div></div></div>

                        </div></div>

<div class="clear"></div>
</div>
</div>
<div class="maincap bottom"></div>
</div>
<div id="footer-wrap">
           <div id="footer">
                   <p class="left"><script type="text/javascript" src="http://widgets.amung.us/small.js"></script><script type="text/javascript">WAU_small('bx2nllsfxm0a')</script></p><p style="float:right"></p>
         </div></div>

</body>
</html>

Yep, it's your typical "to see the video you must like and share this link" rubbish. Let's see what's behind door number two:
linux:~$ GET http://tinlike.info/readko.php
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"
"http://www.w3.org/TR/html4/loose.dtd">
<html>
<script type="text/javascript">var isloaded = false;</script><script type="text/javascript" src="http://www.cpalead.com/mygateway.php?pub=41457&gateid=MTM3MzQ4"></script><script type="text/javascript">if (!isloaded) { window.location = 'http://cpalead.com/adblock.php?pub=41457'; }</script><noscript><meta http-equiv="refresh" content="0;url=http://cpalead.com/nojava.php?pub=41457" /></noscript>
<title>Tenåringsmamma fengslet etter å ha lastet opp motbydelig video av barnet sitt!</title>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
<link href="/css/style.css" rel="stylesheet" type="text/css" />
</head>
<body>
    <div id="header2">
            <h1 class="h1pages" align="center">Tenåringsmamma fengslet etter å ha lastet opp motbydelig video av barnet sitt!</h1>
    </div>
<div class="capwrap">
    <div class="grid2col">
        <div>
<h1 style="color:#FF0000;">Er du nå klar til å se videoen?</h2>
                                        <h1>Etter at du har fullført vår spam/bot kontroll, klikk på knappen nedenfor for å se videoen.</h1>

                                </div>

                                <div id="step1">

                                <br><br><br><br><br><br>
                                <center><SCRIPT LANGUAGE="JavaScript">

var OpenWindow;
var windowprops = "toolbar=0,location=0,directories=0,status=0, " + "menubar=0,scrollbars=1,resizable=0,width=800,height=600";

function performProcess() {
OpenWindow = window.open("http://tinlike.info/videoo.html", "Videon!", windowprops);
document.yourFormName.submit();
}

</SCRIPT>


<button onClick="performProcess();" type="button"><font size="4">Se videoen!</font></button>

                </div></center>

                        </div>
<div class="clear"></div>
</div>
</div>
<div class="maincap bottom"></div>
</div>
<div id="footer-wrap">
           <div id="footer">
                   <p class="left"><script type="text/javascript" src="http://widgets.amung.us/tab.js"></script><script type="text/javascript">WAU_tab('bx2nllsfxm0a', 'left-middle')</script></p><p style="float:right"></p>
         </div></div>

</body>
And sure enough, cpalead rears its ugly head again. The interesting bits with this one were the use of the amung.us stat counter on both the bait page and the delivery page: they are now tracking their clickthrough performance. The use of facebook markup to perform the like and share actions without showing up as a facebook app in the news feed is also neat. I hope facebook plugs this loophole; having apps be anonymous when posting to your wall is just bad news.
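A defender-side check for the pattern in the two captures above: the bait page carries the fb:like/share markup and a hidden auto-submitted form, and the delivery page is gated by the cpalead mygateway script with its adblock and nojava fallbacks. This is an added example, my own code rather than anything from the original post; the indicator names, weights and threshold are assumptions, and the sample pages are trimmed, constructed copies of the fragments above.

```python
import re

# Indicators taken from the two captures above, as (name, regex, weight).
# Weights are my own rough choice: the cpalead gate alone trips the threshold,
# the bait page only when like, share and the hidden auto-submit form appear together.
INDICATORS = [
    ("fb_like_markup", re.compile(r"<fb:like\b", re.I), 1),
    ("share_onclick", re.compile(r"onclick=[\"']share\(\)", re.I), 1),
    ("hidden_only_form", re.compile(
        r"<form[^>]*>\s*<input[^>]*type=[\"']hidden[\"'][^>]*>\s*</form>", re.I), 2),
    ("cpalead_gateway", re.compile(r"cpalead\.com/mygateway\.php\?pub=\d+", re.I), 3),
    ("adblock_redirect", re.compile(r"cpalead\.com/adblock\.php", re.I), 2),
    ("nojs_refresh", re.compile(r"<noscript>\s*<meta http-equiv=[\"']refresh", re.I), 2),
    ("popup_then_submit", re.compile(
        r"window\.open\([^)]*\);\s*document\.\w+\.submit\(\)", re.I), 1),
]

def scan_page(html):
    """Return (matched indicator names, total weight) for one fetched page."""
    hits = [name for name, rx, _ in INDICATORS if rx.search(html)]
    return hits, sum(w for name, _, w in INDICATORS if name in hits)

def verdict(html, threshold=4):
    """'flag' when the page looks like a like/share gate, otherwise 'clean'."""
    return "flag" if scan_page(html)[1] >= threshold else "clean"

# Constructed samples: trimmed copies of the bait and delivery pages captured
# above, plus a benign page that merely embeds a Like button.
BAIT = """<div id="like"><fb:like width="350" action="like"></fb:like></div>
<input id="share-button" type="submit" value="Share" onclick="share()" />
<form id='fm-content' method="get" action='readko.php'>
    <input name="hidden" type="hidden" value="hidden" />
</form>"""
GATE = """<script src="http://www.cpalead.com/mygateway.php?pub=41457&gateid=MTM3MzQ4"></script>
<script>if (!isloaded) { window.location = 'http://cpalead.com/adblock.php?pub=41457'; }</script>
<noscript><meta http-equiv="refresh" content="0;url=http://cpalead.com/nojava.php?pub=41457" /></noscript>
<script>function performProcess() {
OpenWindow = window.open("http://tinlike.info/videoo.html", "Videon!", windowprops);
document.yourFormName.submit();
}</script>"""
BENIGN = '<p>Our blog</p><fb:like href="http://example.com/" width="200"></fb:like>'

if __name__ == "__main__":
    for label, page in (("bait", BAIT), ("gate", GATE), ("benign", BENIGN)):
        print(label, verdict(page), scan_page(page)[0])
```

A single fb:like button scores too low to be reported, so a blog that merely embeds a Like button stays clean while either half of the scam trips the threshold.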

The moral of the story, boys and girls, is that if something "demands" that you click like on facebook you should absolutely NOT click, but rather report the app or page.

Custom graudit signatures

Writing your own graudit signatures is relatively easy. Mastering regular expressions can be helpful, but in their simplest form a list of words will do. I have tried to document some of the common pitfalls that might creep up on you in my Ruxmon presentation, but I know how "useful" a single slide can be. I am catching up on graudit documentation, and signatures are just around the corner. Until then, I thought I would share with you some of the databases I use when looking for low hanging fruit and want to reduce the information overload (noise) that you normally get from the php ruleset. Signatures after the break to avoid spamming RSS readers.
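To make the "a list of words will do" point concrete, here is an added example (my own code, not graudit itself or any of its shipped databases) that applies a graudit-style signature database, assumed here to be one extended regular expression or bare word per line, to a constructed PHP fragment: a broad word-list database beside a narrower one that only reports request data reaching a sink on the same line, which is the noise reduction described above.

```python
import re

# Assumption: a graudit-style database is a plain text file with one extended
# regular expression (or just a word) per line; blank lines and '#' comments are skipped.
def load_signatures(text):
    sigs = []
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            sigs.append(re.compile(line))
    return sigs

def audit(source, sigs):
    """Return [(line_no, pattern, line)] for each matching line, like grep -nE -f."""
    hits = []
    for no, line in enumerate(source.splitlines(), 1):
        for rx in sigs:
            if rx.search(line):
                hits.append((no, rx.pattern, line.strip()))
                break  # one report per line, as grep would give
    return hits

# Constructed signature sets. BROAD is the 'list of words' form; NARROW only fires
# when request data reaches a dangerous call on the same line.
BROAD_DB = r"""# every place user input or a sink appears
\$_(GET|POST|REQUEST|COOKIE)
mysql_query
include
eval
system"""
NARROW_DB = r"""# low hanging fruit: request data inside a sink call on one line
(mysql_query|system|eval|include)\s*\(.*\$_(GET|POST|REQUEST|COOKIE)"""

# Constructed PHP sample: two lines that deserve a look, several that are noise.
PHP = """<?php
include 'config.php';
$id = intval($_GET['id']);
$res = mysql_query("SELECT * FROM users WHERE id=$id");
$out = system("ls " . $_GET['dir']);
eval("return " . $_POST['expr'] . ";");
$name = $_POST['name'];
"""

def hit_lines(db_text):
    """Line numbers reported for PHP under the given signature database."""
    return [no for no, _, _ in audit(PHP, load_signatures(db_text))]

if __name__ == "__main__":
    print("broad :", hit_lines(BROAD_DB))   # every line mentioning a word in the list
    print("narrow:", hit_lines(NARROW_DB))  # just the lines where input hits a sink
```

The word list reports six of the seven lines, including the intval'd query and a plain assignment; the single-line sink regex reports only the two calls that actually pass request data through unchanged.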

This weblog is licensed under a Creative Commons License.