Phishing's new target: MySpace

Filed under: Security, Web services, Social Software

Phishing's new target: MySpace

by Jordan Running Oct 30th 2006

Thought phishing was just a problem for banks and PayPal, did you? Well, it's entered a new territory: MySpace. And it's got some new tricks up its sleeve. MySpace's iconic Tom Anderson has made a post describing the new attacks that con users into divulging their MySpace username and password. What's interesting about the attacks is that, unlike most phishing sites that must exist on a site other than the official site and whose fake URLs need a keen eye to be identified), these exploit MySpace's customization features to make an ordinary profile at profile.myspace.com look exactly like the official login page. You can see a screenshot of one such phishing profile here. You'll notice that the URL begins with profile.myspace.com rather than the legitimate login.myspace.com, but the page is otherwise indistinguishable from an ordinary MySpace login prompt.

So what are evil phishers using those passwords it collects for? Spamming, of course. Once a phisher has a user's login info they use them to post spam comments and send spam bulletins to that user's friends. How original.

Anderson's advice to MySpace users is that whenever they see a login form they should go to www.myspace.com instead of entering their username and password, which is, in my opinion, no solution at all. It just compounds MySpace's already-jarring interface problems. By allowing arbitrary CSS in MySpace profiles, MySpace has created a huge problem for itself that's going to take a very creative solution.

Tags: login, myspace, phishing, security, tom anderson, TomAnderson

Reader Comments (Page 1 of 1)

Christopher Higgins said 4:13PM on 10-30-2006

This isn't necessarily new, the warning has been in place for quiet some time now. It's only become a major problem in recent time, where phishers send dozens of spam bulletins and spam group message boards.

The best thing for anyone to do is to change their MySpace password (and e-mail password, as many people have the same password for both).

Nicholas said 10:07PM on 10-30-2006

The best thing to do is to just ditch MySpace completely. Block it from your network.

http://www.pdsys.org/blog/2006/10/25/MySpaceSucks.aspx

Sanjay Goel said 3:17AM on 10-31-2006

MySpace should also adapt the phishing protection mechanism similar to yahoo. Yahoo Login screen now has a provision to create a text seal which is unique to your machine. This way all these fake login screens can be easily detected.

Paim said 12:39PM on 10-31-2006

Im with that guy in ditching myspace completely. And deleting it from the net.

Featured Time Waster

Civiballs is a beautiful, soothing physics puzzle Time Waster

I have an absolute weakness for physics games, and while Civiballs isn't the strongest physics-based game, what it lacks in the physics department it makes up for a few times over in style and fun.

In Civiballs, you are presented with a few colored balls, and your goal is to get those balls into the same-colored urn on the level. The "civi" part of Civiballs is that there are 3 sets of levels to play, each representing a different civilization. While the civilization doesn't affect gameplay, the artwork for each level is beautifully themed to it's appropriate era.

To play the game, you are given only one tool - a sword with which to cut the chains that are holding the balls. The puzzle part of the game is in figuring out what order, and with what timing to cut each chain. Do it right, and all the right balls end up in the right urns, with no stray balls entering an urn (a no-no). Do it wrong, and you get to start over again.

Civiballs is not terribly deep on gameplay; the entire game can be completed in about 15 minutes. But if you enjoy this type of game, it will be a very enjoyable 15 minutes.

View more Time Wasters