If you are receiving information about the Web site gabblemodule.com or hundreds of various other Web sites that redirect you, (“along the lines of I found a picture of you on gabblemodule.com check it out”, usually in the form of a message on social networking sites like Facebook or Myspace), do not provide it any information as it steals your passwords from Facebook, Myspace or wherever you were redirected from and could possibly con you into being charged for a cell subscription.
As a result of Play This magazine and your help, thousands of people have received this information and been prevented from a phishing attack. Thank you all for your help and keep sending us new links as they are sent to you!
This is due to the worm called the Koobface worm, which is downloaded from an innocent looking picture usually. The only way you can get a worm is by downloading a file, but they usually have backdoor files with it. Download the free AVG virus software/cleaner in addition to Lavasofts Ad-aware. This should clean your computer out and remove any sleeper viruses.
Updated as of Nov. 18, 2008.
This is just like the previous Web sites that redirect you to a phishing site, according to that Web sites statistics it’s been around nearly a year and yet to be shut down. It will always send you to http://friends-to-friends-only.com/.
myspace.com/playthismag Don’t forget to add us on Myspace!
You can find more tech news and reviews at http://www.playthismag.com
List of Web sites that redirect you (Still growing, if you know of a different one e-mail us at editor@playthismag.com or comment on this article and thank you to those who have contributed) We also know that for the last week many people have been phished more so than the usual.
atomipad.com, azurebuzz.com, azurezoom.com, bubbleserve.com, coralpad.com, crimsonopia.com, deesphere.com, dynatoken.com, flapset.com, gabbleset .com, getemtoken.com, getemset.com, gingersphere.com, hazelpad.com, heycode.com, iconnik.com, phototradingspot.info, scrality.com, snapnik.com, tradepicsnow.com, ubzunit.com, wackset.com, wackstate.com, cutepicturesonline.com, wareate.com, gabbleload.com, gabblemodule.com, gabbleserv.com, gabbletoken.com, mdannic.com, atomipath.com, crimsonnic.com ( Thank you Sarah), mdanblab.com, heystate.com (Thanks Jay) shobase.com (Thanks Nami), babbleprofile.com (Thanks Nick), spaceate.com (thanks Cole), cogihost.com (thanks Angie), and cogibug.com (thanks Dan), http://www.kawork.com (Thanks a ton Riona), Lookatem.com, quaspace.com (Thanks Caitlin), wowbookers.com, yayafacer.com (Thanks Chris), nuttyfacebookin.com (Thanks Jamie), hmmmbook.com (Thanks Aaron), stuffrattle dot com, smashshiver dot com, wavehum dot com, mixclang dot com, waveshiver dot com.
A new redirect Web site is out, if you receive a message, “has anyone told u ur facebook pic was just featured on gabblemodule.com” (This is just one of a hundred examples) from your friends on Facebook delete it and tell that friend their account has been hacked and needs to change their password. The users password that has been compromised is most likely due to a Facebook application (we are still investigating but it’s now looking more like this is a sleeper phishing program. It steals your information and later on perhaps even months later takes hold of your account to reproduce itself). If there are any new apps that you have just recently added, be sure to remove them! Also if you have received this message from a friend as a safety concern please change your password as well.
The individuals who have sent you the link and info have already been hacked and need to change any password associated with Facebook and Myspace.
When you first arrive at the Web site it will have a pop up box saying, “Our system indicates that a photo from your ip address has been uploaded to this site within the past 48 hours.” [Pictured below]
After the pop up you will notice a disclaimer at the top saying, “Privacy Note: We never send SPAM to your email address. We never sell your personal info.
This is NOT a MySpace or Facebook login page. MySpace/Facebook users are not authorized to participate on this website.”
It then has a box to let you input info to “find this photo of yourself.” [Pictured below]
After putting in your information it asks, “Must create new password
to view your pics.” “For your security, please do not use your previous password created on this site or the same password that you use to log into other sites. Doing so may re-trigger our auto-post tell-a-friend feature that you may have previously opted in to from this site.”
After you input a password it asks you how you found the Web site with another annoying pop up then provides you with a list of Web sites.
Most professional Web sites do not have such terrible font as presented above.
The next page shows another pop up box saying, “FINAL STEP BEFORE RETRIEVING RESULTS!
Our system indicates that your friend Kiss my ass recently bookmarked and reserved this page just for you!”
Chances are there is no real person named kiss my ass… and if it accepted the name it’s probably a bit fishy.
Also when the pop up box shows up it says the Web site is http://www.this-isnt-personal.com he even warns users to say you are probably about to get screwed.
After the pop up…. a box asking you to fill out one of those annoying surveys, an IQ test or various other advertisements. If you fill out the IQ test and put in your cell number it will begin to charge you $9.99 a month for some sort of subscription.
In conclusion, if you see this Web site, avoid it. Do not provide it with any information what-so-ever. We have provided it our e-mail address and it quickly began to fill our spam box with junk mail *It was 24 hours after we did this walk through that our Spam box was filled – Thanks Jay. It steals your password, cons fools out of money by providing information and is a phishing Web site. If you have any additional questions feel free to comment or send an e-mail to our editor at editor@playthismag.com.
-Play This Magazine Staff.
For more tech news and reviews check www.playthismag.com
Additional information has just been found. The thing causing this is called the Koobface Worm.
From this Web site http://www.kaspersky.com/news?id=207575670 information is posted below.
New worms target both MySpace and Facebook users
Kaspersky Lab, a leading developer of secure content management systems, has detected two variants of a new worm, Net-Worm.Win32.Koobface.a. and Net-Worm.Win32.Koobface.b, which attack MySpace and Facebook respectively. As part of their malicious payload, the worms transform victim machines into zombie computers to form botnets.
Even though the worms are currently only infecting MySpace and Facebook users, Kaspersky Lab analysts are warning users that the worms are designed to upload additional malicious modules with other functionality via the Internet. It is highly probable that victim machines will not only be used for spreading links via these social networking sites, but the botnets will also be used for other malicious purposes.
Net-Worm.Win32.Koobface.a spreads when a user accesses his/her MySpace account. The worm creates a range of commentaries to friends’ accounts. Net-Worm.Win32.Koobface.b, which targets Facebook users, creates spam messages and sends them to the infected users’ friends via the Facebook site. The messages and comments include texts such as Paris Hilton Tosses Dwarf On The Street; Examiners Caught Downloading Grades From The Internet; Hello; You must see it!!! LOL. My friend catched you on hidden cam; Is it really celebrity? Funny Moments and many others.
Messages and comments on MySpace and Facebook include links to http://youtube.%5Bskip%5D.pl. If the user clicks on this link, s/he is redirected to http://youtube.%5Bskip%5D.ru, a site which purportedly contains a video clip. If the user tries to watch it, a message appears saying that s/he needs the latest version of Flash Player in order to watch the clip. However, instead of the latest version of Flash Player, a file called codecsetup.exe is downloaded to the victim machine; this file is also a network worm. The result is that users who have come to the site via Facebook will have the MySpace worm downloaded to their machines, and vice versa.
“Unfortunately, users are very trusting of messages left by ‘friends’ on social networking sites. So the likelihood of a user clicking on a link like this is very high”, says Alexander Gostev, Senior Virus Analyst at Kaspersky Lab. “At the beginning of 2008 we predicted that we’d see an increase in cybercriminals exploiting MySpace, Facebook and similar sites, and we’re now seeing evidence of this. I’m sure that this is simply the first step, and that virus writers will continue to target these resources with increased intensity”.
Kaspersky Internet Security detected these threats proactively and signatures were added to the database on July 31, 2008.
About Kaspersky Lab
Kaspersky Lab delivers the world’s most immediate protection against IT security threats, including viruses, spyware, crimeware, hackers, phishing, and spam. Kaspersky Lab products provide superior detection rates and the industry’s fastest outbreak response time for home users, SMBs, large enterprises and the mobile computing environment. Kaspersky technology is also used worldwide inside the products and services of the industry’s leading IT security solution providers. Learn more at www.kaspersky.com. For the latest on antivirus, anti-spyware, anti-spam and other IT security issues and trends, visit www.viruslist.com.
Filed under: General, News | Tagged: atomipad.com, azurebuzz.com, azurezoom.com, bubbleserve.com, coralpad.com, crimsonnic.com, crimsonopia.com, deesphere.com, dynatoken.com, evo, flapset.com, gabbleset .com, getemset.com, getemtoken.com, gingersphere.com, hack, HACKER ALERT, hazelpad.com, heycode.com, heystate.com, iconnik.com, mdanblab.com, phishing, phototradingspot.info, Play This, play this magazine, playthismag.com, scrality.com, security, snapnik.com, tradepicsnow.com, ubzunit.com, wackset.com, wackstate.com, wareate.com, www.playthismag.com | 17 Comments »