Monday, November 17, 2008

Facebook Users Beware

I'm looking into an interesting Facebook phenomenon this morning. Several of my "friends" on Facebook have received messages that look like these:

---

hey did u know your facebook pic was just featured on kchangblab.com

hey has anyone told you ur facebook pic was just featured on srcate.com

hey do u realize your default image is displayed on moreprofilestrade.com

did you know your profile pic is all over brightium.com

has anyone told u ur facebook pic was just featured on gabblemodule.com

---

The question is, "What's causing these posts?" Did these messages really come from their friends? Are they being generated by malware on their friends' computers? Or has someone compromised their passwords?

While I wait for these friends-of-friends to respond, I thought I would dig into the domain names in question.
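One practical way to start that digging is to key on the lure template rather than on any one domain, since the domain changes from message to message while the wording barely does. The following is an added example written for this post, not code from the original entry; the sample inbox is constructed from the five lines quoted above (plus one benign control message), and the regular expression is my own approximation of the template, not anything published by the site.

```python
import re
from collections import Counter

# Constructed sample inbox: the five lure lines quoted in the post plus one
# template line from the site's own instructions and one benign control.
SAMPLE_MESSAGES = [
    "hey did u know your facebook pic was just featured on kchangblab.com",
    "hey has anyone told you ur facebook pic was just featured on srcate.com",
    "hey do u realize your default image is displayed on moreprofilestrade.com",
    "did you know your profile pic is all over brightium.com",
    "has anyone told u ur facebook pic was just featured on gabblemodule.com",
    "ur picture is at stolenprofiles.com",
    "lunch tomorrow? the new menu is on example.org",
]

# The template, not the domain, is the stable signal: an optional opener
# ("did u know", "has anyone told you"), a picture noun, a placement phrase,
# and then whatever domain is being rotated in that day.
LURE_RE = re.compile(
    r"""
    (?:(?:did|do)\s+(?:u|you)\s+(?:know|realize)|has\s+anyone\s+(?:told|emailed)\s+(?:u|you))?
    .*?
    \b(?:pic|picture|photo|image)\b
    .*?
    \b(?:featured\s+on|displayed\s+on|all\s+over|at)\s+
    (?P<domain>[a-z0-9-]+(?:\.[a-z0-9-]+)+)
    """,
    re.IGNORECASE | re.VERBOSE,
)


def extract_lure_domain(message):
    """Return the domain named in a lure-style message, or None if the
    message does not follow the template."""
    m = LURE_RE.search(message)
    return m.group("domain").lower() if m else None


def triage(messages):
    """Count the domains behind lure-template messages in a batch.

    Many distinct domains behind one wording is itself the tell for a
    rotating campaign, which a per-domain blocklist would keep missing."""
    counts = Counter()
    for msg in messages:
        domain = extract_lure_domain(msg)
        if domain:
            counts[domain] += 1
    return counts


if __name__ == "__main__":
    for msg in SAMPLE_MESSAGES:
        print(extract_lure_domain(msg) or "-", "|", msg)
    print("distinct lure domains:", len(triage(SAMPLE_MESSAGES)))
```

Run over a real mailbox export, the interesting output is not the counts but the list of distinct domains, which becomes the seed list for the WHOIS and redirect checks that follow.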

The WHOIS data for each says the domains are owned by

Adam Arzoomanian bulletinpics@gmail.com
375 E Harmon
Las Vegas
NV
89109
US

According to DomainTools.com, bulletinpics@gmail.com has registered 491 different domain names!

On some, the address has an extra line that says:
"The site is a fun prank - the pic is of a monkey"

The phone number Adam uses, 702.922.1911, belongs to Spin Night Club Promotions in Las Vegas, Nevada. That address is across the street from the Hard Rock Hotel, and is used by the "Alexis Park Resort", which is a "Spin Promotion LV Company", Las Vegas' Premiere Upscale Hip Hop Venue. We've also been able to confirm that Adam Arzoomanian is a real person and is really associated with Spin Night Club at Alexis Park. For instance, this story from Las Vegas Weekly:

This new nightclub project is just one of many for Arzoomanian, who will also oversee the Alexis Park’s gaming initiatives, building a casino resort on the two lots behind the current property as well as expanding the suites and villa according to a three- to five-year plan. “This is just the tip of the iceberg for Alexis Park,” says Arzoomanian, who adds that of all the projects in the works, designing Spin is his hobby. At present, no rendering exists for the new club. “It’s in my head.”
(Full Story)

The question remains whether the real Adam knows anything about all of these domains . . . The number listed has a full voicemail box. Using the voicemail directory, we find that many, many people use the same voicemail service, including cleaning services, ticket services, hearing aid services, etc.


------
Let's see what other domains we can find for Adam Arzoomanian . . .

azureclub.com
bubbit.com
dinaunit.com
flagtap.com
flaptag.com
flapstate.com
gabient.com
gabize.com
gabload.com
gabmodule.com
gabblemodule.com
lightzoom.com
mdanclub.com
stolenprofiles.com
swapsecretphotos.com
swapsecretprofiles.com
tabmodule.com
tabtoken.com
tabunit.com
ubztoken.com
wackbase.com
wayizer.com

All of those domains (and probably many more) forward to the single domain:

friends-to-friends-only.com (created Oct 8, 2008 on Moniker Online)

which uses a frameset to pull the actual content from:

http://rotating-destination.com/taf/taf.html

(TAF = Tell A Friend)

Rotating Destination is a TuCows registered domain created on September 29, 2008, with "protected" WHOIS information. Compete.com says the site gets 140,000 unique US-based visitors per month, and Quantcast ranks it as the 12,588th most popular site on the Internet.

After the "login" portion (and ask yourself again, WHY would anyone need to ask for a password here?) the action forwards to yet another website:

http://www.this-isnt-personal.com/taf/picmatch.html
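The chain just described (lure domain, one forwarding domain, a frameset pulling the real page from a third host, and a login form posting to a fourth) is exactly what an analyst wants to collapse automatically when there are hundreds of front domains. The following is an added example, not code from the original post: it follows redirects and then frame sources until it reaches the page that actually serves content, and reports whether that page asks for a password and where the form posts. The hostnames are the ones named in the post; the HTTP responses and HTML bodies are constructed stand-ins so the script runs offline, and `CONSTRUCTED_WEB`, `follow` and `cluster_by_destination` are my own names.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Constructed stand-in for the web: URL -> (status, Location header, body).
# Hosts are taken from the post; the responses are constructed for this
# example, not captured from the live sites.
CONSTRUCTED_WEB = {
    "http://azureclub.com/": (302, "http://friends-to-friends-only.com/", ""),
    "http://bubbit.com/": (302, "http://friends-to-friends-only.com/", ""),
    "http://friends-to-friends-only.com/": (200, None,
        '<html><frameset rows="100%">'
        '<frame src="http://rotating-destination.com/taf/taf.html">'
        '</frameset></html>'),
    "http://rotating-destination.com/taf/taf.html": (200, None,
        '<html><body><form method="post" '
        'action="http://www.this-isnt-personal.com/taf/picmatch.html">'
        '<input name="email"><input type="password" name="pass">'
        '</form></body></html>'),
}


class PageInspector(HTMLParser):
    """Collect frame sources, form actions and password inputs from a page."""

    def __init__(self):
        super().__init__()
        self.frame_srcs = []
        self.form_actions = []
        self.password_inputs = 0

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag in ("frame", "iframe") and a.get("src"):
            self.frame_srcs.append(a["src"])
        elif tag == "form" and a.get("action"):
            self.form_actions.append(a["action"])
        elif tag == "input" and (a.get("type") or "").lower() == "password":
            self.password_inputs += 1


def host(url):
    return urlsplit(url).hostname or ""


def follow(url, web=CONSTRUCTED_WEB, max_hops=10):
    """Follow HTTP redirects, then frame sources, until reaching a page that
    is neither; report where the content really lives and whether it asks
    for a password. max_hops guards against redirect or frame loops."""
    chain = [url]
    inspector = PageInspector()
    for _ in range(max_hops):
        status, location, body = web.get(url, (404, None, ""))
        if 300 <= status < 400 and location:
            url = urljoin(url, location)
            chain.append(url)
            continue
        inspector = PageInspector()
        inspector.feed(body)
        if status == 200 and inspector.frame_srcs:
            # A frameset is a redirect in all but name: the address bar keeps
            # the forwarding domain while the content comes from elsewhere.
            url = urljoin(url, inspector.frame_srcs[0])
            chain.append(url)
            continue
        break
    return {
        "chain": chain,
        "content_host": host(chain[-1]),
        "credential_form": inspector.password_inputs > 0,
        "form_targets": [host(urljoin(chain[-1], a)) for a in inspector.form_actions],
    }


def cluster_by_destination(start_urls, web=CONSTRUCTED_WEB):
    """Group many front domains by the host that finally serves the content."""
    clusters = {}
    for u in start_urls:
        clusters.setdefault(follow(u, web)["content_host"], []).append(host(u))
    return {k: sorted(v) for k, v in clusters.items()}


if __name__ == "__main__":
    result = follow("http://azureclub.com/")
    print(" -> ".join(result["chain"]))
    print("asks for password:", result["credential_form"],
          "| form posts to:", result["form_targets"])
    print(cluster_by_destination(["http://azureclub.com/", "http://bubbit.com/"]))
```

Against a live list, `web.get` would be replaced by an HTTP client that does not follow redirects on its own, so that every hop is recorded; the clustering output is what turns a list of hundreds of throwaway domains into one or two hosts worth reporting.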

We've sent an email link to this blog entry to bulletinpics@gmail.com and are waiting for a response. As mentioned above, we weren't able to leave Adam a voicemail at his listed number, but the people at Alexis Park were much more helpful. Adam is no longer the GM at their resort. I've left a voicemail for their webmaster/computer guy at the resort, and hopefully that will get us somewhere further. It should be enough to get Moniker to "unregister" all the domains, we hope . . .

The site CLAIMS to be a "prank" site, where ultimately your friend sees a picture of a monkey and is supposed to giggle about how funny it is that their profile was said to be a monkey.

Question. Why would someone pay to register 491 different domain names to display a joke picture of a monkey?

Here's the sequence of webpages . . .

[Screenshots of the page sequence appeared here in the original post.]
At the end there is one more link, inviting you to trick your friends by sending an email like this:


Here's how we recommend you trick your friends with this
harmless prank site. We're pretty sure they will send
you a funny reaction!

Send them an email. Try one of these lines...

did u know ur image is displayed on
do u realize ur photo is featured on
has anyone emailed you to let you know ur pic is all over
ur picture is at

Copy/Paste one of these domains to the end of your message.

stolenprofiles.com
swapsecretphotos.com
swapsecretprofiles.com

For example:

do u realize ur photo is featured on stolenprofiles.com

(Note we rotate these suggestions often to avoid messages
being caught in spam filters even though they are not spam.)

Try sending it through regular email with no subject line.
That is most effective.

Try to avoid social sites like MySpace and FaceBook because
they may block your message or even call you a spammer or
a phisher. These sites don't want you to send friends
to external sites like ours. Regular email is best,
ie. Gmail, AOL, etc.

Have fun!


So what do you think? A prank? Or an interesting way to harvest people's passwords? I don't know the answer yet, but it certainly struck me as something worth looking into more deeply.

Best theory at the moment . . . users are known to use the same passwords in multiple locations. Could this be a way of trying to harvest email and/or facebook userid and password pairs?


Note: About six hours after posting this, a friend shared with me that Trend Micro had already blogged about this subject. They found a couple of things I didn't see -- including some pop-up messages that I missed because I didn't let the criminal run scripts on my laptop -- and some historical data tying the criminal's email address to a "Captcha" scheme he previously ran. Certainly worth reading if this subject interests you: Click here for TrendMicro Blog coverage of this story.


Trying a new setting. After turning on comments, I got about 20-30 comments per day that were all link spam. Sorry to require login, but the spam was too much.