Sunday, September 16, 2007

Alvis's Adventures in MySpace Wonderland

Alice in Wonderland

cc image credit: Christy Kim, flickr

This morning I was on our desktop pc, sorting through my links, cleaning odds and ends bookmark clutter and the like, attempting to get organized for a blog posting or two when Alvis appeared in the study doorway.

'Who are YOU?' said the Caterpillar.

She was serious...and had a "I'm freaked out" tone in her voice.

"People are commenting on my pictures on the Internet!" she announced.

>Insert fatherly pause of situational assessment. Mix with emotional concern for daughter, potential teen-identity damage control with turbo-boost of security assessment response adrenalin.<

"OK, and you know this how?" I asked calmly.

"My friend just left a message on my MySpace page and told me!  But the page they are on wants my cell phone number." She was almost trembling.

'I can't explain MYSELF, I'm afraid, sir,' said Alice, 'because I'm not myself, you see.'

I went in to her room and let her show me what she was speaking about.

She had her SAM Linux system up and was on her MySpace message board in Firefox.  She showed me the message that clearly had come from her friend, with her friend's identifier.  It said something to the effect that pictures of her had come up and made the discussion of the day on a forum site.  The website was listed but not hot-linked and her friend told her she probably wanted to check out the discussion.

Alvis was already tearing through scenarios of which pictures they could be and how they could have gotten posted.

She had tried to follow the website, but it had led to a page that seemed to require her to enter her cell phone number to get a PIN sent back before it would let her into the site.

>Insert fatherly security minded suspicious "Hmmmm" sound.<

'...but when you have to turn into a chrysalis--you will some day, you know--and then after that into a butterfly, I should think you'll feel it a little queer, won't you?'

Alvis was quite upset at this point so I worked my best fatherly skills to calm her down and reassure her that we would sort this all out.  Then we began to focus together on the situation at hand.

We took a moment to discuss that this is one of the problems of the Net: once something gets posted to the Net, it is very difficult to retain control over it.  And though the Net provides a certain sense of anonymity, consequences can become very personal and real, really quickly.

I discussed that I wouldn't advise her to EVER give out her mobile phone number on the Net. Period.  To anyone or any site, for any reason, no matter how serious the moment felt.

Especially as a teen.

Absolutely not without checking with a trusted adult (her parents) first, which I praised her for doing just now.

We discussed similar topics while she kept trying to text her friend for details of what she had seen....her friend was busy, apparently.

Once Alvis had settled down and was breathing normally again, I took what I had gathered off her message post and went back to do some digging.

Alice felt a little irritated at the Caterpillar's making such VERY short remarks, and she drew herself up and said, very gravely, 'I think, you ought to tell me who YOU are, first.'

Alvis had opened the link on her Linux pc in Firefox, so I wasn't very concerned at the moment that any harm had befallen her pc by going to the link page, but I had some doubts and decided to hold off on firing up the website on my Windows machine without some research first.

I first looked up the domain in a WHOIS service.  The site had been registered through GoDaddy just a few days earlier.  Hmmm.

I then fired up a virtual session of Damn Small Linux (a.k.a "embedded").  Once this was running, I safely browsed to the website in question in Firefox to examine the page source code and links.

Looking at the page source, I saw that it was a simple page containing a frameset whose frame pulled its content from another website's address. There was also a JavaScript block that led to a stats hit-counter.  All in all, there were just a few lines of code for the page and that was it.  Pretty simple stuff.

Attempting to navigate away from that page brought up a box with scary warnings that unless I validated with my cell phone, access would be denied.  Yeah, whatever.

I copied the full address of the frame's source found in the main page's source-code view and pasted it into my address bar.  Then I took a look at that page's source code.

This page contained several JavaScript sections: the first was for the "access denied" warning; next was some HTML code that pulled in a page to display an important-looking "captcha" page that makes it appear you are really going somewhere secure and important; another JavaScript section that appeared to serve up a random URL to be used for the "click here" link to validate your cell phone; and a final section of JavaScript with a bunch of stat-counters.

Lots of code-hoops to jump through just to get to a simple page to enter my mobile phone number and verify via a PIN to access this supposed profile website that has a discussion of my daughter's pictures.
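The kind of page-source triage described above (a frameset that pulls its content from another host, plus off-site tracker scripts) can be done without ever rendering the page. This is an added example, not code from the original post; the domains in the sample HTML are constructed placeholders.

```python
# Static triage of a suspect landing page: list where its frames and
# scripts actually load from, without executing anything.
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample (hypothetical hosts): a near-empty frameset page whose
# only content is a frame pointing at another host, plus a stat-counter.
SAMPLE_HTML = """<html><head><title>Forum Pics</title>
<script src="http://stats.counter-example.net/hit.js"></script>
</head>
<frameset rows="100%">
  <frame src="http://validate.offer-example.net/pin.php?ref=ms" name="main">
</frameset></html>"""


class SourceTriage(HTMLParser):
    """Collect frame/iframe and external script sources from page source."""

    def __init__(self):
        super().__init__()
        self.frames = []   # src of every <frame> / <iframe>
        self.scripts = []  # src of every <script src=...>

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag in ("frame", "iframe") and a.get("src"):
            self.frames.append(a["src"])
        elif tag == "script" and a.get("src"):
            self.scripts.append(a["src"])


def triage(html, page_url):
    """Return off-site frames/scripts and a verdict for the given page."""
    host = urlparse(page_url).hostname
    p = SourceTriage()
    p.feed(html)

    def off_site(u):
        # Relative URLs have no hostname and count as same-site.
        return urlparse(u).hostname not in (None, host)

    findings = {
        "frames_off_site": [u for u in p.frames if off_site(u)],
        "scripts_off_site": [u for u in p.scripts if off_site(u)],
    }
    # A page whose whole content is a frame to another host matches the
    # bait page pattern: the "forum" is really somebody else's landing page.
    findings["suspicious"] = bool(findings["frames_off_site"])
    return findings


if __name__ == "__main__":
    print(triage(SAMPLE_HTML, "http://forum-example.com/"))
```

Run it against saved page source fetched from a throwaway VM, as the post does, rather than from a machine you care about.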

Hmmm.

I now turned my attention to the page itself as displayed having clicked through to follow this now suspect white rabbit.

The displayed page was a hip-looking graphic of a young woman with an earphone-equipped cell phone, offering "complimentary" ring tones and other mobile phone downloadables (with paid subscription).  (Note: complimentary and paid aren't usually found in the same sentence where I come from...)

That was in smaller print.  What was the center of attention were the fields to enter the cell phone number with a big "SUBMIT" button.

However, I recalled a bit of advice I picked up somewhere...before you eat the mushrooms, best follow the smoke and converse with caterpillars for their advice...or something like that.

Even though the page graphic made it appear as if fully displayed, I saw that my page scrollbars had a bit more room to view at the bottom.

I scrolled down and, to my surprise, found not quite a talking caterpillar on a mushroom smoking from a hookah, but even better: a Terms of Service statement in tiny print that I am sure all teens would find and read.

It explains that by entering your mobile phone number, and by responding with the PIN sent to it, you agree to terms and conditions of anywhere from a $19.99 monthly charge on your carrier bill to a $5.99 weekly charge, depending on your mobile carrier.

Oh yeah, users under age 18 were required to get parental approval first.  I bet.  Glad they put that statement buried deep-down on the page in all the legalese in small font for the kids to see and read before entering their mobile number and responding to the PIN so they could see the pictures and discussion that was going on about them.

Maybe that wasn't a hookah but a bong.

'One side will make you grow taller, and the other side will make you grow shorter.'

Alvis eventually got in touch with her friend who swore up and down she hadn't sent her the MySpace message and didn't know anything about it.  Her friend was very confused.

Alvis also checked in with several of her other friends, who had all received the exact same message about their pictures being top rated in this "forum."

At this point it appears that her friend's MySpace account had somehow been compromised and her friend/address book got hijacked by someone or some code, which then mass-mailed this scam-ad message to everyone in it.

I have come to find out that this is actually a fairly common event called "profile hijacking." It occurs when someone is scammed into providing their login credentials, either through a phishing page or by inserting malicious MySpace template feature code (profile watchers or trackers) onto their page.  For some more information see: Spam Bulletins

This remains the biggest concern that watching Alvis's use of her MySpace has taught me; kids are quite smart enough to seek out templates and "widget" code to fancy-up their MySpace pages...but not nearly sophisticated enough to inspect and understand just what that code they are copy/pasting will actually DO behind the scenes once it is enabled on their page (or their family/friend's computers when the pages load). It's a real PC security nightmare.

Had Alvis taken the bait, she would eventually have been confronted by her parents to explain why a large monthly service charge had suddenly been added to the family mobile phone bill and why "complimentary paid" mobile phone services were appearing on her phone.

No malicious code (technically true) was found on these pages, just a new variant on an old bait-and-switch scam.

'Come, there's half my plan done now! How puzzling all these changes are! I'm never sure what I'm going to be, from one minute to another! However, I've got back to my right size: the next thing is, to get into that beautiful garden--how IS that to be done, I wonder?'

Parents and MySpace fans alike...beware, please.

Discuss these things with your kids.  Learn about them yourself.

Talk about Net security in general at a level your kids can understand.  Build a sense of rapport and trust with them.  I promise it will pay off in times like these.

Don't know much about Net security? 

Here are some great resources:

Finally, if you are involved with MySpace, either as an adult with your own page, or a parent of a child with a MySpace page, bookmark and RSS feed this site:

This website/blog is a fantastic source for posts that cover current MySpace security issues ranging from virus seeding of pages, fake profiles, scams, security in general, predators, and spam bulletins and comments.  It gives great background to lots of topics and issues and helps keep invested parties aware of security issue trends at MySpace.

Please take the time to keep your kids safe and educated in Net safety....

--Claus
