Scott Hanselman

MSN For You - MSN Messenger Worm Virus Self Phishing Replicating Evil

July 5, '07 Comments [26] Posted in Musings
Sponsored By

getmessengerevilWow. I just got nailed. A trusted friend sent me a standard "check this out" instant message on MSN saying I should take a look at a site called http://www.newmsnlive.info also known as http://www.msnforyou.info and http://www.get-messenger.com.

Do NOT visit these links.

I didn't read the FAQ, but there's these gems:

"By using the Online Delete Checker you authorize Get-Messenger to temporarily change your nick to "http://www.get-messenger.com: Find out who removed you from his/her contact list" only for advertising purposes. You can change the nick again the next time you log into your regular MSN Messenger® client."

By using the Online Delete Checker you authorize Get-Messenger to send Instant Messages on your behalf to your online contacts advertising the site.

It is quite simple. We just try to get visits in order to make money publishing ads. There are no dark or mischievous intentions behind."

I don't know what I was thinking, but I figured I could just change my password afterwards. What I didn't expect, though, was that the website would send out Instant Messages to 300 of my closet friends, some of the messages in Spanish, asking THEM to visit the site.

Of course, these terms of service are buried at the bottom of a long FAQ I didn't read. I appreciate that they are 'honest' but I really find this way of viral advertising to be disingenuous.  Fortunately, I'm not the only one who is finding this to be very uncool, and the site(s) are starting to show up in Anti-Phishing Databases.

The issue is also being escalated with Windows Live Messenger Operations with the intent to get the URL blocked. And I've changed my Live Password.

I'm so embarrassed. This is the first time I've ever been "successfully" phished. And hopefully the last.

About Scott

Scott Hanselman is a former professor, former Chief Architect in finance, now speaker, consultant, father, diabetic, and Microsoft employee. He is a failed stand-up comic, a cornrower, and a book author.

facebook twitter subscribe
About   Newsletter
Sponsored By
Hosting By
Dedicated Windows Server Hosting by ORCS Web
Thursday, July 05, 2007 7:01:40 PM UTC
ah, well -no real damage done Scott -I do admire u owning up to getting caught thou. Good on ye! :)
Dazza
Thursday, July 05, 2007 7:09:09 PM UTC
Well at least it was from a friend, that's a bit of an excuse. A while back I blogged about MS starting a swear filter on their email, and that post has become a magnet for the gulible. The comments are sad/funny depending on your view. I keep saying it's a scam, but more and more people are posting their MS Lottery spams there and asking if it's real.

So you're not that bad... heh.
Thursday, July 05, 2007 7:41:18 PM UTC
Thanks for the heads up on this. With this happening to you and you blogging about it, you have probably saved an exponential number of people.
Thursday, July 05, 2007 8:22:55 PM UTC
@BarryD - WTF? How did that first guy decide that you were some kind of expert on the "Microsoft Lottery" or whatever that was? (I get how the subsequent posts happened; Looking at your search engine referrals probably explain it well enough).

@Scott - You can't technically call this phishing, can you? I would think that the defining characteristic of phishing is a site purporting they're someone they're not. In this case, the site was honest, they just weren't entirely up front with their intentions to abuse your Messenger account. More of a con than phish, I think.
Thursday, July 05, 2007 8:29:02 PM UTC
Wow! Well, I guess if you can get caught out, then anybody can get caught out.

I had a similar experience two years ago. I cannot remember what site it was or why I did it, but I gave my Messenger user name and password to a website. Before I knew it, all my Hotmail contacts received an email similar to the one that trapped me. I vowed never to supply my credentials to a site that I do not trust.
Thursday, July 05, 2007 8:57:18 PM UTC
Scott,

Do you mean that you gave your MSN password to this web site??

I'm very hesitant to share my password with anybody, especially with unknown people and organizations (web sites).
Thursday, July 05, 2007 9:02:07 PM UTC
You may be interested to know that when I pasted the message:

"Wow. I just got nailed. A trusted friend sent me a standard "check this out" instant message on MSN saying I should take a look at a site called http://www.newmsnlive.info also known as http://www.msnforyou.info and http://www.get-messenger.com."

It didn't show the message to my MSN chat buddy. I think MSN must be filtering them by some blacklist, recognizing those URLs as bad ones.
Zeltzer
Thursday, July 05, 2007 9:06:00 PM UTC
Dennis - Yes, and this is why I'm an idiot today.

Zelter - Excellent. Then the word has gotten out.
Thursday, July 05, 2007 9:09:21 PM UTC
You know, three years ago I used to get messages exactly like that all the time from people. It's not a new thing, I wonder why it only just got blacklisted, well, today?
Demerzel
Thursday, July 05, 2007 9:41:10 PM UTC
It got blacklisted today because I got one of these messages from Scott and forwarded the URLs on to the Messenger team.
Thursday, July 05, 2007 9:43:43 PM UTC
It happens to the best of us, and the worst of us.
Thursday, July 05, 2007 9:58:31 PM UTC
The more interesting thing is how some unscrupulous web site got you to cough up your personal information in the form of your contacts list. They even got you to authorize a mass message sent to everyone on your list pimping their bile while looking like it came from you. (A trick that worked so well that when you got one you didn't hesitate to click it because it came from, as you said, a trusted friend.)

It wasn't a clever piece of code that hacked your account. Instead, it was some brilliant social engineering. Playing on your, and everyone else's that they duped, ego. "Of course I want to know who has blocked me from their life! I will willingly release control of my account, just give me the goods."

Genius.
Thursday, July 05, 2007 9:59:30 PM UTC
Well said! Good points all. It was an ego-phish!
Thursday, July 05, 2007 10:06:57 PM UTC
This reminds of something similar a few years back. There was an e-mail going around that had words to the effect that "somebody you know has a secret crush on you; enter the e-mail address of who you think it might be to see if you are right." Of course, the same message got sent to *those* people, and so on.
Thursday, July 05, 2007 10:33:44 PM UTC
Scott sent me another URL, and it's been blocked as well. If anyone has different URLs, please email me directly and I will pass them along to the Messenger team.
Thursday, July 05, 2007 11:05:19 PM UTC
Ouch, that hurts.

It sounds like you don't have antiphishing built into your internet security program... Or are you using an internet security program, and which one if you don't mind my asking?

I just posted an article about internet security because Norton did not pick up MalwareAlarm on both my home computers and neither did McAfee on my work computer.

I did a controlled test with Panda's Internet Security suite (tried to install it to see which security programs would catch it), and it was was the only one that truly caught it... along with an attempt from one of my neighbors to hijack my wifi network... along with a defragmentation attack that was hitting my hard drive every few minutes (and I was thinking it was time to buy a new hard drive)!!

It has antiphishing and web site content filtering built in as well - which sounds like something you might want to take a look at ;-)

Here's the article if you don't mind my posting a link: Norton and McAfee Failed to Protect My System from Malware and Viruses
Thursday, July 05, 2007 11:13:51 PM UTC
Interestingly, this morning, neither IE nor Firefox's Phishing filter picked it up...they do now though.
Thursday, July 05, 2007 11:21:06 PM UTC
The only question I have is: Did they let you use a strong password?
Friday, July 06, 2007 4:19:24 AM UTC
A far more amatuer looking site tried to do the same to me a few weeks back: www.whoadmitsyou.com

It makes me wonder if I need a seperate IM account for technical people and another for 'friends & family'
Andrew W
Friday, July 06, 2007 4:27:02 AM UTC
Out of interest.. did it actually tell you who had deleted you?
Andrew W
Friday, July 06, 2007 5:43:56 AM UTC
You just have to be so careful what you install these days. And on that note, you'll probably shy away from the following suggestion - understandably so after this experience - but I know of a semi-decent alternative to the above program you stumbled upon (no, I am not in any way affiliated with said program). Perhaps try install it on some sort of test live account (its sad, but I've resorted to that for stuff like this..) if you're skeptical.

Its called MSN Live Plus!
http://www.msgpluslive.net/

Contact List Cleanup:
- If the person has removed you from their list
- Last time they were online
- Last time you spoke to them
Tabbed chat windows (because its a nuisance having 8 windows open when chatting to friends)
Better notifications (do you really need to view notifications for EVERY contact that comes online?)
Some other stuff I don't bother using

Use it, don't use it, your choice.

Enjoy :)
Jonathan
Friday, July 06, 2007 11:40:21 AM UTC
Scott, I can't believe you also got nailed! I got nailed by this one:
http://dotnet.org.za/ernst/archive/2007/06/18/live-messenger-worm.aspx
Friday, July 06, 2007 11:40:44 AM UTC
@Andrew: Yep, it does tell you who deleted your MSN. I got burned by this as well, a week ago.
Steve
Monday, July 23, 2007 9:17:11 PM UTC
http://www.msnblog.info/ is the same site as well
DS
Thursday, August 30, 2007 12:40:28 PM UTC
thats great but how do you get rid of it
Ed Roche
Thursday, August 30, 2007 4:38:21 PM UTC
Just change your Messenger Password on www.passport.com.
Comments are closed.

Disclaimer: The opinions expressed herein are my own personal opinions and do not represent my employer's view in any way.