
Thread: Twitter - YellowFrog - Spyware?

  1. #1
    Rift Disciple BoneCrusher's Avatar
    Join Date
    Nov 2010
    Location
    Maryland USA
    Posts
    164

    Default Twitter - YellowFrog - Spyware?

    So I've been noticing lately that whenever I complete an achievement, my twitter page gets updated with a link to yellow frog (YF is an image hosting site) showing the screen shot the game took. I really like this function but when I click the image to expand it, I get numerous alarms from ZoneAlarm and SEP about "Fake AV webpage request detected". In other words, clicking the image to resize it is redirecting you to a spyware page. I've done this on a couple of computers already with the same results. Is anyone else having these problems?

    Trion - You may want to have your security team look into this.... With all the hacked accounts this could be one of the contributors to that....
    I thought what I'd do was, I'd pretend I was one of those deaf-mutes...
    Avonos - ... but this is beta and everything including your underwear is subject to change...

  2. #2
    Ascendant ThatTomGuy's Avatar
    Join Date
    Feb 2011
    Location
    Seattle
    Posts
    2,306

    Default

    Quote Originally Posted by BoneCrusher View Post
    So I've been noticing lately that whenever I complete an achievement, my twitter page gets updated with a link to yellow frog (YF is an image hosting site) showing the screen shot the game took. I really like this function but when I click the image to expand it, I get numerous alarms from ZoneAlarm and SEP about "Fake AV webpage request detected". In other words, clicking the image to resize it is redirecting you to a spyware page. I've done this on a couple of computers already with the same results. Is anyone else having these problems?

    Trion - You may want to have your security team look into this.... With all the hacked accounts this could be one of the contributors to that....
    Can you give me a link to the page it's sending to (the image hosting)? I wanted to check it out and test some but I can't find them via Google, and I don't use Twitter myself.

  3. #3
    Rift Disciple BoneCrusher's Avatar
    Join Date
    Nov 2010
    Location
    Maryland USA
    Posts
    164

    Default

    Let me see if ZoneAlarm or SEP keeps logs and I'll post it .....

  4. #4
    Rift Disciple BoneCrusher's Avatar
    Join Date
    Nov 2010
    Location
    Maryland USA
    Posts
    164

    Default

    SEP -

    Event Type - Intrusion Prevention
    Severity - Critical
    Direction - Outgoing
    Protocol - TCP
    Remote Host - 46.105.45.15

    Info: [SID: 23560] HTTP Fake Antivirus WebPage Request 2 detected.
    Traffic has been blocked from this application:

    Still looking over the ZoneAlarm logs .......... but I'm sure it's the same ..

  5. #5
    Ascendant ThatTomGuy's Avatar
    Join Date
    Feb 2011
    Location
    Seattle
    Posts
    2,306

    Default

    Quote Originally Posted by BoneCrusher View Post
    SEP -

    Event Type - Intrusion Prevention
    Severity - Critical
    Direction - Outgoing
    Protocol - TCP
    Remote Host - 46.105.45.15

    Info: [SID: 23560] HTTP Fake Antivirus WebPage Request 2 detected.
    Traffic has been blocked from this application:

    Still looking over the ZoneAlarm logs .......... but I'm sure it's the same ..
    I don't think that IP 46.105.45.15 is part of yellow frog. Was looking for a link to yellow frog itself. Wanting to see if it's yellow frog or if they have been compromised and a call to that IP inserted.

    I'm sure that IP isn't yellow frog since when I try to go to that IP itself I get an error instead of a webpage

    403 Forbidden

    You don't have permission to access / on this server.
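
Added example (not part of the original thread or any poster's code): one way to check what post #5 asks, whether the page's own markup references the blocked address, is to list every off-site URL a saved copy of the page loads. The HTML below is constructed sample input, and `ads.example`, the yfrog paths and the function names are hypothetical.

```python
import ipaddress
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Tag -> attribute that makes the browser fetch or navigate to a URL.
URL_ATTRS = {"script": "src", "iframe": "src", "img": "src", "a": "href"}

# Constructed sample page, NOT captured from yfrog; ads.example is a placeholder.
SAMPLE_PAGE = """
<html><body>
<img src="/img/achievement.jpg">
<a href="http://yfrog.com/z/abc123">zoom</a>
<script src="http://ads.example/serve.js"></script>
<iframe src="http://46.105.45.15/"></iframe>
</body></html>
"""

class ResourceCollector(HTMLParser):
    def __init__(self, base_url):
        super().__init__()
        self.base_url = base_url
        self.urls = []  # (tag, absolute URL)

    def handle_starttag(self, tag, attrs):
        value = dict(attrs).get(URL_ATTRS.get(tag, ""))
        if value:
            self.urls.append((tag, urljoin(self.base_url, value)))

def is_ip_literal(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False

def off_site_requests(html, page_url, first_party):
    """Return (tag, host, note) for each http(s) reference leaving first_party."""
    collector = ResourceCollector(page_url)
    collector.feed(html)
    findings = []
    for tag, url in collector.urls:
        parts = urlsplit(url)
        host = parts.hostname or ""
        # Skip non-web schemes (javascript:, data:) and the site's own hosts.
        if (parts.scheme not in ("http", "https") or host == first_party
                or host.endswith("." + first_party)):
            continue
        findings.append((tag, host, "bare IP" if is_ip_literal(host) else "third party"))
    return findings
```

Calling `off_site_requests(SAMPLE_PAGE, "http://yfrog.com/h1abc", "yfrog.com")` on the sample returns the ad script and the bare-IP iframe; resources injected later by a third-party script do not appear in static markup and need a proxy or browser network log instead.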

  6. #6
    Rift Disciple BoneCrusher's Avatar
    Join Date
    Nov 2010
    Location
    Maryland USA
    Posts
    164

    Default

    Yeah had the same thing here... I'm gonna dig a lil bit further.. Tks for the help though ..

  7. #7
    Rift Disciple Misterlister's Avatar
    Join Date
    Jan 2011
    Location
    Valley of the Sun
    Posts
    142

    Default

    The roommate and I noticed something...strange going on as well.

    The links would send us to different pages.

    One with the yfrog frog logo, one with a logo made of 6 colored speech bubbles in a circle.

    The frog logo page loads fine when trying to zoom in, the other doesn't.

    I just get a "http://yfrog.com/z/undefined" blank page.
    KILL THE DUDE WITH THE THING!
    http://www.dansopel.com/mourkain_lesson.jpg

  8. #8
    Plane Touched Vyld's Avatar
    Join Date
    Dec 2010
    Location
    Dallas, TX
    Posts
    155

    Default

    Two things:

    First, ZoneAlarm is a rather crappy piece of software. It's notorious for opening more holes than it closes, and it has a tendency to pop up warnings JUST to make you feel safe. Kind of like a bodyguard screaming "gun" for no reason every few minutes and tossing you to the ground to remind you he's here and entice you to hire his brother, too.

    Secondly, the warning you see is one of a contentious nature. No, you have not found spyware or the like. The ad provider used by yfrog also used to serve so-called ScareAds. You know the kind, the ones that pop up a window saying "your computer is at risk" and try to entice you into downloading some kind of virus scanner which, often, is not malicious by itself but also asks you to pay up $20 or so for the full version and does nothing. Since ZoneAlarm doesn't like it when anyone but them does it, they're blocking others from doing it (ZoneAlarm is notorious for doing this, one case was rather bad: http://www.theregister.co.uk/2010/09...lware_warning/).

    The IP that is accessed belongs to OVH, a huge hoster in France (kind of like Level 3 or the former GlobalCenter Exodus, now Savvis, in America).

    So, two things again: no, you're not in danger, ZA warns you that the ad provider used by yfrog also used to run "your computer is at danger" ads (they did for a week but stopped the second they realized what it was. Funnily enough, it's also the ad provider running all the RIFT ads, because they do the animated versions you see rather well), and, yes, ZA is overreacting.
    Please, for all that is worthy and the love of Odin, it's not "LUA" or "LuA", it's "Lua". Like the moon. In Portuguese.
