picfriender.info IM spam
Posted by Saša Bodiroža | Filed under internet
I have just received a link from a friend over MSN instant messenger that pointed to “her” website on picfriender.info. I clicked it, and saw a homepage which asked me for my MSN username and password. Why would they need it? If I needed an account to visit her website, I would need to make a new one. So, the only logical thing is they would use it to get access to my account. Well, it seemed like a spam company, so I googled them. Strangely, Google knows nothing about them for now.
Then I noticed a link to their Terms of Service, and I wasn’t surprised to read this…
“We may temporarily access your MSN account to do a combination
of the following:
1. Send Instant Messages to your friends promoting this site.
2. Introduce new entertaining sites to your friends via Instant Messages.”
It doesn’t smell only like spam, it is spam. Sort of legalised, though. I hope they will be closed soon. Be sure to not give them your account information, unless you want them to send annoying links to your friends. Some of them may fall for this too… And the chain reaction begins.
In case you already gave out your account information, the fix should be simple. Just change your password at the MSN Passport/Windows Live ID website.
Update: I have just checked the information about this website, and I found out that it was registered less than 10 hours ago. It’s logical why Google still knows nothing about it…
Update #2: It seems that this is not new, Aeriff wrote a blog post on this on March 15th. The only difference is the more logical domain name (picfriender.info vs. rkntbp.info)…
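Added example, not part of the original post: a small triage script an administrator could run over web proxy logs to find which users only opened one of the two domains named above and which ones sent a form to it and therefore need to change their password. The log layout, the user names, the `/login` path and the sample lines are constructed for illustration.

```python
from urllib.parse import urlsplit

# Domains named in the post and in its Update #2.
PHISH_DOMAINS = {"picfriender.info", "rkntbp.info"}

# Constructed sample lines in an assumed proxy log layout:
# timestamp user method url status
SAMPLE_LOG = """\
2008-04-03T09:58:11 alice GET http://www.picfriender.info/ 200
2008-04-03T09:58:40 alice POST http://www.picfriender.info/login 302
2008-04-03T10:02:05 bob GET http://picfriender.info/ 200
2008-04-03T10:03:17 carol GET http://notpicfriender.info.example/ 200
2008-04-03T10:04:50 dave POST http://RKNTBP.info/login 200
2008-04-03T10:05:02 malformed line
"""


def host_matches(host, domains):
    """True if host is one of the domains or a subdomain of one."""
    host = host.lower().rstrip(".")
    # Require a label boundary so look-alike hosts do not match.
    return any(host == d or host.endswith("." + d) for d in domains)


def triage(log_text, domains=PHISH_DOMAINS):
    """Map each user to 'submitted' (sent a POST, so credentials may be
    exposed) or 'visited' (only loaded pages)."""
    result = {}
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 5:
            continue  # skip lines that do not fit the assumed layout
        _, user, method, url, _ = fields
        host = urlsplit(url).hostname or ""
        if not host_matches(host, domains):
            continue
        if method.upper() == "POST":
            result[user] = "submitted"          # a POST outranks a visit
        else:
            result.setdefault(user, "visited")  # never downgrade a POST
    return result


if __name__ == "__main__":
    for user, state in sorted(triage(SAMPLE_LOG).items()):
        action = "change password now" if state == "submitted" else "warn user"
        print(f"{user}: {state} -> {action}")
```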
Tags: im, instant messaging, internet, messaging, msn, phishing, picfriender, picfriender.info, scam, spam, threat
18 Responses to “picfriender.info IM spam”
-
Wicked Keemo Says:
April 2nd, 2008 at 10:16 pm
Haha…and I just got it myself. You’re the only person yet who’s showing up for picfriender.info
It’s so blatantly a spam site, they’ve got the crappiest homepage ever
-
sea Says:
April 2nd, 2008 at 10:45 pm
got it too, seems to spread fast
-
I just got this too! Says:
April 2nd, 2008 at 10:48 pm
I got this a few mins ago :S This thing must be spreading fast.
-
Tri Says:
April 2nd, 2008 at 10:49 pm
Lol I just got it too, this hasn’t taken too long.
-
Saša Bodiroža Says:
April 2nd, 2008 at 10:54 pm
The reason why this kind of spam spreads fast is because users are not thinking about their privacy. Most people will give their personal information without thinking about consequences.
One person starts it. He/she sends the link to, let’s say, 10 people. Say 5 of them click on the link, and enter their information. The cycle keeps repeating and there you have a chain reaction…
-
sea1 Says:
April 2nd, 2008 at 10:58 pm
Seems that I have been one of the first to get it, got it 4 ½ hours ago about 7:34h pm (Germany).
Almost 10 minutes after the msn post I got some strange trojan warning.. have no idea if it has to do something with the stuff.. haven’t done anything in between on the pc.
02.04.2008 19:47:06 deleted NT-AUTHORITY\SYSTEM svchost.exe D:\System Volume Information\_restore{94B215B8-3E47-4A47-A9D7-3DF603ACAF3A}\RP595\A0093725.exe Generic.dx (Trojan)
-
Saša Bodiroža Says:
April 2nd, 2008 at 11:05 pm
sea1, I’m not sure if it’s related. This kind of attack doesn’t need to install anything on your computer, the only thing they need is your username and password.
On the other hand, they might try to install something when (and if) you logged in. But, I suppose you would need to approve that first, so you would know if you installed anything from their site. Also, it may be some browser bug that would allow them to install a malware without you knowing, but I think that’s not very probable.
-
sea1 Says:
April 2nd, 2008 at 11:20 pm
I didn’t log in, talked to my friend of which I got the post she didn’t even know about this site, she got no trojan warning on another antivirus platform than mine.
I got my last warning a very long time ago, that’s why I was suspicious.
The only thing in common we have is that we are not using the original msn client (Miranda, and I think she is using Trillian), could be a backdoor risk in my opinion.
-
Saša Bodiroža Says:
April 2nd, 2008 at 11:37 pm
sea1, I really don’t know, because I haven’t used Windows for a long time. There is a possibility that the trojan and the site could be related.
I’d suggest you remove the reported file, because it is part of a recent system restore point. It means that it is not used, unless you restore the system to that point. Additionally, you might want to check your system for viruses, trojans and other malware…
-
sea1 Says:
April 2nd, 2008 at 11:37 pm
oh.. by the way I’m sure the founder of this site is checking google from time to time for his success… so HELLO from my part, and would be nice if you could leave a note here.. oh and if you need help for the design next time to make it seem more like a msn application don’t be afraid to ask for help

-
Saša Bodiroža Says:
April 3rd, 2008 at 12:44 am
I hope he won’t do it next time ;)…
-
Doug Says:
April 3rd, 2008 at 4:08 am
Several people in my company have been hit by this today. Has anyone determined if this installs anything malicious on the computers that log into the site?
-
dalija Says:
April 3rd, 2008 at 8:24 am
I also got this thing yesterday, but I think it didn’t install anything malicious on my computer.
-
Muppet Says:
April 3rd, 2008 at 10:01 am
I’ve been around computers and programming for the last 27 years of my life, worked in the internet industry for the last 8 years, I know my Unix admin, I deploy security fixes and know lots of slack-security-exploits from the more devious end of the spectrum. What I’m getting at is that I tend to have a condescending seen-it-all-before take on even the smuggest of forum posts about sensible online behaviour. But . . . . last night I went to see the absolutely fantastic Gogol Bordello, got carried away with the spirit and maybe had a few tequilas too many, came in to work this morning with a VERY thick head, saw the picfriender.info link, clicked on it, and entered my MSN login details. What! A! Muppet!!!! (I think I might have thought it was one of my friends creating some kind of clever Web 2.0 site but I have no excuse really). I just post this as a cautionary tale seeing as this is the only site that comes up when you google the link (so far). Never forget common sense! As they say, there’s no fool like an old fool. I knew I should have worn purple this morning . . . NB I changed my Live ID password within 60 seconds, but still, the damage was done - my pride will never recover, I’m quitting my job today and going to work in the fields.
-
rckon06 Says:
April 3rd, 2008 at 8:32 pm
So, I feel like a huge idiot. Not thinking, not reading the terms and conditions, I clicked on the link and entered my information. AFTER I made the mistake, I read the terms and conditions and kicked myself. I went in my account and changed my secret question and my password. Does anyone know if this will work? Is there a way for them to still get into my messenger if I changed that information? I feel stupid enough that I did that to my account but I don’t want them going in there and spreading it to people on my list!
-
Saša Bodiroža Says:
April 3rd, 2008 at 8:46 pm
Doug, I think it doesn’t install any malicious software, but there is always a possibility. Running an antivirus/antispyware/anti… software would be good.
rckon06, I think you are safe now. But, as for Doug, running an anti… software is recommended.
-
Doug Says:
April 3rd, 2008 at 10:09 pm
We run antivirus software here at my company, but given how new this site is I’m guessing that there’s a strong likelihood that our definitions might not catch whatever software this might install. If anyone detects anything on their computers that may have resulted from this website please add a comment. Thanks!
-
Saša Bodiroža Says:
April 3rd, 2008 at 10:33 pm
Doug, the same company registered a lot of websites before. The author of the post, whose link is in update #2, writes about the same company and the same type of site, but just on another domain. The post is dated March 15th, so I believe something would be known by now. Sure, it is always better to be safe than sorry, so I understand your concerns.