Myspace vs. Facebook: the good old days?

Many people have fond memories of ye olde Myspace dotte comme, and those rose-splashed spectacles seem to have grown ever larger in light of the recent Facebook happenings.

In recent days, I’ve seen many declaring their love for all things Tom, and how everything was just one huge barrel of laughs and good times on the fledgling social network. In the showdown of Myspace vs. Facebook, articles are appearing that explain how Tom “beat” Zuckerberg in the long run.

However, a variety of popular memes and more general good vibes based on this sentiment clash with a somewhat more complicated picture of events.

Here’s the thing: I was around at that time, neck deep in social network research from about 2006 to 2010, and one of my main stomping grounds was indeed Myspace. During that time, I wrote about an astonishing number of problems on the platform. I was responsible for getting a few of them fixed, having a number of bad actors thrown off, and causing lots of problems for adware vendors using so-called Web 2.0 as a testing ground for bogus installs, as well as creating similar headaches for malware authors popping everything from drive-by attacks to worms.

If you missed all of that action, or you simply weren’t around at the time, you might think the current social network bonfire we have on our hands is an entirely new phenomenon. I felt it was worth revisiting the land that time forgot (uh, a decade ago) and seeing what, exactly, was going on.

Way back when

Social network scams are now pretty samey, and new-fangled original attacks are fairly rare. Back in the early days of Myspace, everything was new and exciting, and even the most basic of survey scams or spam comments on someone’s profile page could potentially elicit a gasp or three. In 2006/7, the only people really attempting to harness the huge numbers of social media users were adware vendors and the odd malware author.

Over time, that would shift away from adware to hacks, trolls, and social engineering, leaving everything looking a bit scorched earth…not just on Myspace, but gradually across many other major social network platforms, too.

We begin our exploration of a complicated picture of events with a jaunt back to 2006.

2006: worms, adware, and get rich quick schemes

Looks like our DeLorean has indeed arrived in 2006, because Justin Timberlake is on the radio bringing Sexyback, Superman Returns to cinemas (when he probably shouldn’t have), and Twilight is going wild on bookshelves. Meanwhile our 3-year-old, 2.0 hangout space is starting to run into increasingly frequent trouble.

One of the first major social network worms ripped through Myspace, hidden inside a QuickTime file. Alterations to infected profiles were made, utterly confusing the profile owners, and it seemed to spread in a manner similar to the first Orkut worm, even coming back to life after a profile clean out. The financial gain here was, in part, due to Zango adware being bundled with the infection file via the worm-creating affiliate who put the whole thing together.

In fact, Zango were caught up in another Myspace fiasco when they claimed they weren’t specifically targeting the platform for installs, despite the uncovering of an affiliate email suggesting just that. Here’s an extract, and the focus on animated gifs and cheery distractions is wonderfully quaint:

“MOVING GIFS. This really gets people’s attention and vistors [sic] love this sh**,” one tip reads. Another: “Highlight the html code and embed one of the videos. This will make it automatically pop when the visitor reaches that page. This will lead to a lot more thinking to themselves: ‘hmm, this looks like a cool video. I’ll watch this. CLICK.'”

“More profitably, go to a bunch of your friends who have popular profiles and pay them (it’s up to you so much. One of my partners said 5$…maybe offer to split the money with them?) to put a zango video into their profile through your site. This will give you hundreds of extra installs a day,” the e-mail reads. “This probably works even better than having them on your actual site.”

Moving away from adware vendors: in 2018, malvertising is a big deal, but it’s also a rather old one. We can go back to 2006 and see the infamous WMF exploit being used to install malicious files via banner ads on Myspace, with up to “one million” installs across the thousand or so sites it was loading on. After a couple of years of a fresh new approach to interacting online, people with a taste for cash have moved into town and they have other ideas. Things will straighten themselves out next year, right?

2007: Battle of the bands and glory hunters

One of the wheels has fallen off the DeLorean, but we’re still hitting 88MPH, which is just as well because Shrek 3 and Spider-Man 3 are going off the rails in the cinema, and Rihanna has lost her umbrella. While we’re talking about music…

Most social networks have learned to keep profile page edit functionality to a minimum, or use templates, but Myspace was pretty much the king of “do what you want.” It’s hard to think of another social network that had so eminently editable a profile page. You could do all sorts of custom HTML tricks, hide elements, include new ones, overlay everything with huge sparkly gifs and half a dozen MIDI files—it was great (relatively speaking).

The flip side of this is that bad people could do the same thing.

In 2007, a large number of big name musicians with huge followings, and many smaller bands too, had their Myspace pages compromised. A quick splash of custom HTML later, and clicking anywhere on the page would redirect to rogue sites hosted in China offering up a variety of malicious installs. It was never established what, exactly, was the point of entry for the scammers but if it was a phishing campaign then it was sustained, targeted, and made life very difficult for musicians plying their trade.

Meanwhile, it would have been very handy if Justin Timberlake had brought Sexyback in 2007 instead, because I could have used it to work in a reference to another spate of high-profile compromises. The N*Sync golden boy fell victim to defacements, alongside Hilary Duff and Tila Tequila (if you weren’t nostalgically flopping around in 2007, you definitely are now). These attacks were much more about a sense of “look what we can do,” as opposed to any financial gain, and that trend definitely began a steady curve upwards as we limp into 2008.

2008: Trolling, tracking, and hacks

Okay, the DeLorean is somewhat ablaze, and I’ve lost my novelty Tom bobblehead down the back of the seat, but we’re still mostly in one piece. Hunger Games is all the rage in bookstores, Katy Perry is all over the charts, and The Dark Knight is the best chaos-laden Batman movie you’ll ever see (no really, it is). Speaking of chaos…

Myspace had a big problem with troll groups, some of whom I covered in an IRISSCON talk last year. Back then, there weren’t many online sources of help for things like suicide prevention, drug addiction, or other forms of abuse. Myspace groups were, for many, the go-to place for help and advice. Trolls would show up and bomb the boards with gore pictures and worse, and many of the support groups set their boards to private, making them harder to find.

You know what’s bad? Support groups that are hard to find.

After the boards went into lockdown, someone coded up something called the Lottery Browser, which allowed you to click a button and be dumped into a private group at random. Things became problematic quite quickly after that. Harassment campaigns, targeted attacks, even some individuals who kept a sort of “suicide scoreboard,” claiming they were trying to encourage people to kill themselves for Internet kudos points. Myspace eventually fixed this one, too.

An offshoot from the same group created a few lines of code allowing someone visiting your Myspace profile to be auto-subscribed to your video channel. In practice, this meant that you could see, at a glance, if security researchers or law enforcement were checking you out. This was very common on Myspace, and many local law enforcement officers would create profiles and friend people in their area. Nothing says “burn your hard drives” like Officer Jones showing up on your follow list if you’re up to no good.

Myspace had actually blocked most, if not all, IP trackers on profiles, meaning someone couldn’t send you a bogus link and grab an IP. However, it’s arguably more useful to know specifically who is being subscribed to your video list. One of the solutions to this was adding the video portion of the Myspace URL to your hosts file; Myspace eventually fixed this, too, after I brought it to their attention.

In short, things were a bit of a mess, and while social networks of the time had slowly come to terms with malware attacks and adware vendors, the less visible types of social engineering/trolling were a tough nut to crack.

2009: Goodbye Myspace, Hello Facebook

We’ve done it now. The DeLorean is on fire and the book charts are awash with more Hunger Games and Maze Runners. I refuse to watch Avatar, and Beyonce is all about putting a ring on it. I’m trapped in a land of people slowly losing interest in Myspace, while the “like” counter continues to rise for the somewhat cooler juggernaut that is Facebook.

Look, I am definitely not watching Avatar.

Instead, let me direct you to a diagnosis, because Dr. Boyd detects a terminal lack of Myspace scams in exchange for…Facebook privacy control concerns! Honesty boxes! Phishing! These examples are anecdotal and specific to my own research, but in general 2009 felt like a shift away from the elder network onto a portal increasingly holding all the cards. I’m not sure when I wrote my last batch of “lots of problems on Myspace, and here they are” blog posts, but at this point Facebook and Twitter were the places to be. Sorry, Tom.

No stone left unturned

Actually, we have a dump-truck sized stack of rocks we haven’t poked yet. I didn’t get the chance to mention 2005’s Samy worm, the near half a million “private” photos that appeared in a Torrent, the 20-year-long collection of independent privacy assessments, or…well…you get the idea.

I love social networks. I think they’re great, for the most part. But the ones we have now probably have just as many problems as the sites we’ve abandoned. The specifics may differ, but ultimately none of them are perfect, and the notion that everything was ideal back in the day is a potentially dangerous one.

Those who ignore history are doomed to stand around next to a crater-shaped DeLorean complaining about Avatar. Thankfully, the music is great.


Christopher Boyd

Former Director of Research at FaceTime Security Labs. He has a very particular set of skills. Skills that make him a nightmare for threats like you.