MySpace Accounts Compromised By Phishers

An anonymous reader writes, "Netcraft has discovered that the social networking site MySpace appears to have been compromised by phishers who have presented a spoof login form on the main site. This modified login form submits the victim's username and password to a remote server hosted in France." From the article: "The hackers have engineered a fake login form on MySpace's own web site. Netcraft has notified MySpace of the issue, although it currently remains live. Because the fraudulent login page is hosted on MySpace's own servers and does not exhibit any signs of external content, such as cross-site scripting or open redirects, it is convincing and even security-conscious users are at risk of becoming victims. The attack is launched from a profile page, where the username is login_home_index_html, and uses specially-crafted HTML in order to hide the genuine MySpace content from the page and instead display its own login form." This Washington Post story from a few months back explains what's in it for the phishers.

Maybe I caused the slow discovery

[AVryhof]

Maybe it's been my fault it's taken so long to "discover"

I've been seeing 'em now and then and contacting the hosts where the scripts are hosted to get their accounts disabled.

I'm not worried about being phished myself... I'm quite perceptive...but it's people I know who I'm worried about.

Re:

[Anonymous Coward]

Yes, all the internets depend on you for security. Please, think of the children next time and stop reporting security holes.

Re:

[Packt]

"Dear diary... mood? Apathetic."

Re:

[Anonymous Coward]

Jep, the testosterone is definitely tumbling....

Re:

[drpimp]

No shit I just slapped myself after doing just that ... MOD ME DOWN and burn me at the stake!

They need to get that fixed ASAP

[Average_Joe_Sixpack]

Widespread exploitation of myspace could cause up to $6 dollars in damages

Re:

[wiz31337]

How could someone mistake comedy gold for a troll?!

Re:

[definate]

You sir, are a literary genius!

Finally

[1310nm]

Keep up the good work, phishers!

The secrets of apathetic teens will soon be aired for the world to view!

Not quite.

[Anonymous Coward]

"Despite public perception, most MySpace users are over 35, according to a release today [05 Oct 2006] by ComScore. The stat-tracking company says that as MySpace continues to grow, its user base is skewing older - teens accounted for around 25% of users in August 2005, but now only represent 12% of the audience. Almost 41% of MySpacers are aged 35 to 54 - a big increase since last year."

http://www.comscore.com/press/release.asp?press=10 19 [comscore.com]

Re:Not quite.

[Fred_A]

Almost 41% of MySpacers are aged 35 to 54 - a big increase since last year.

So it's TheirSpace now ?

Re:

[1310nm]

Guess I should have just called them "narcissists" instead of "apathetic teens".

Re:

[5of0]

But how many of these over-35ers are actually over 35? And how many are over 100? Is there any accountability check as to the ages? Looking at their article, they're counting unique visitors - did they pop up a little box that said "Hey, how old are you?" A very important part is that it says "MySpace Visitors" - not users. So not users, but parents checking up on their little users, or pedophiles looking for their next victim. This just means Xanga is less browsed by those types. Anyone else see this?

You're thinking of Livejournal..

[Channard]

.. which seems to be the most popular with the angsty crowd. MySpace, on the other hand, is the single largest concentration of insanity, drama and nonsense ever, surpassing even LJ. I'm not kidding - just try browsing through some of the comments and profiles on MySpace and you'll lose all faith in humanity in the space of about five minutes.

Re:

[RobertLTux]

besides if you really wanted to do this right you would have

1 a real like paid domain ------- got that myself
2 a real like paid hosting agreement ----- i use imagelinkusa.net myself
3 some actual html skills (or some sanish tools)
if you want to use some crawling horror like Myspace setup some sort of Zen profile and LINK YOUR DOMAIN

(funny thing is mySpace is blocked by at least one company)

Re:

[BoomerSooner]

Why did you have faith in humanity in the first place?\

Just curious...

You can view the horrible phishing status for free

[Anonymous Coward]

OpenDNS people started http://phishtank.com/ [phishtank.com] service which is completely community based, as you can actually see the phishes and verify them, I have seen some amazing stuff around. Compromised servers having SSL certificate which are abused in phishing operation, some pages having fake addressbar on top and most important of all, USA based banks are being phished from USA cable modem subscriber (haxored) and nothing done against it for days.

BTW as it is free to use, SURBL added it, now the stuff which you verify actually helps to people using that free list.

Netcraft confirms

[Aexia]

MySpace is dying

Re:

[zlogic]

This is a joke,not flamebait - TFA is hosted on Netcraft.

So Much for IE7's Anti-Phishing

[mpapet]

As much as they will beat this feature to death over the next few months, it will only deter the least sophisticated methods. Most of which are already history.

Meanwhile "web 2.0" applications will suffer phishing attacks anyway because the 2.0 complexity offers so many new ways to do bad things.

Today myspace, tomorrow your web 2.0 bank? Google 2.0 application?

I'm not saying progress is bad. But there's no penalty/liability for writing insecure web 2.0 apps.

Re:

[d3ik]

If you're implying that MySpace is Web 2.0 I'd have to disagree. MySpace may be great for 'social networking', but from a technical point of view it's a nightmare. Malformed HTML, non-degradable Javascript, code injection issues... it's like a bad joke.

Re:

[thePowerOfGrayskull]

Another enlightened Myspace user...

Re:

[John Hasler]

> MySpace may be great for 'social networking', but from a technical point of
> view it's a nightmare. Malformed HTML, non-degradable Javascript, code
> injection issues...

In other words, Web 2.0.

It's dead...

[corychristison]

http://www.myspace.com/login_home_index_html [myspace.com]

Seems Myspace has fixed it. Not that I really care, as I've never used it nor do I have any intention to.

Next!?

Re:

[Anonymous Coward]

Seems Myspace has fixed it.

No, they've deleted this one specific account - the vulnerability that allowed the phishers to insert a form (and the styling to remove the regular page content (which is a feature)) is almost certainly still there.

Expect to see a large number of variations on this to show up in the next few days/weeks.

NOT on Myspace's MAIN PAGE

[kihjin]

FTA:

The attack is launched from a profile page, where the username is login_home_index_html, and uses specially-crafted HTML in order to hide the genuine MySpace content from the page and instead display its own login form.

Netcraft says this is still live on Myspace's main page. I've looked at the HTML source for both the main page, and that special login page you get when you try to access a portion of the site that requires you to log in. On both pages, I located the form element which controls the login. The method is POST, and the action redirects to a script under the "login.myspace.com" domain.

So the summary and the article itself is slightly misleading (at first) by implying (perhaps unintentionally) that the phishing attempt is coming directly from Myspace's main page.

Re:

[Extide]

Maybe you didnt notice the URL the spoof is at http://www.myspace.com/login_home_index_html [myspace.com]

Re:

[kihjin]

Yes, I noticed that.

I also noticed that the summary doesn't make any mention of it being a profile page. The article itself doesn't tell you it's a profile page until much further down. Seems like this would be the first thing to point out.

Based on the summary, I got the impression that you would be presented with the false login form if you went to http://www.myspace.com/ [myspace.com]

Re:

[m3000]

This makes far more sense now. I also thought it was implying the server was hacked and phishers put up a fake login on the main page.

So while still a serious problem, it won't affect near as many people.

Re:

[4D6963]

Security conscious people use MySpace? Who knew...

There's even a Slashdot group [myspace.com] on it actually. And as security concious as I am, I didn't see what was wrong with the two first example screenshots on Tom's blog about phishing [myspace.com], I think that if I went through one of these fake login-page profiles I might have fell for it, just because I don't expect to get phishing from a page on the genuine site itselves. Lots of people in my MySpace friends fell for it, and almost half of the bulletins in my bulletins lis

Re:

[doormat]

Indeed, but the whole use of HTML/CSS is what draws a lot of kids (and some adults) to the site is to make it really their space. The numerous myspace profile HTML/CSS generators out there make it point and click for the regular user.

I suppose they could avoid this problem in the future by stripping FORM tags from the editable parts of users profiles. That would keep this from happening again, but might break some really custom (not even recognisable) myspace pages.

Number of compromised accounts

[otisg]

With MySpace being so popular and with its users regularly logging in on a daily basis, I wonder what the impact of this was in terms of:
1) the total number of "phished" accounts
2) the number of "phished" accounts in terms of a percentage of the total userbase.

Re:

[arthurpaliden]

Possible not many since less than one third of all my space accounts are active.

Re:

[otisg]

Really? Where did you get this information? I haven't seen this information published anywhere... but would love to see where this info comes from.

Re:

[arthurpaliden]

Using a sample size of 14 Million accounts only about 4 Million were accessed within 14 days of the page being sampled and contained more that the default information. Of those the vast majority were access within 3 days of the sample date. This rate remains fairly constant throughtout the the user space starting with the first users.

Re:

[otisg]

This is an experiment you performed on your own?

Re:

[arthurpaliden]

Yes. I did it originally to see the age distribution of the users to see if it really was populated by teenagers who identify themselves as 12-15 year old girls and therefore be an easy hunting ground for the dreaded pedophiles. Well this is what I found:

MySpace Age Ranges By Gender As Indicated By Users
Age Range % Male % Female % Total

12 to 15 0.0007 0.0012 0.0019
16 to 18 9.25 12.39 21.64
19 to 21 11.64 12.29 23.93
22 to 35 22.90 18.00 40.90
36 to 55

Re:

[Siroro]

I used to host a free web hosting service. And as you can imagine it did attract some unsavoury characters - one of the accounts was used as a MySpace phishing account, it was only on-line for 1-2 days before I managed to catch and ban the account, but in this time it did manage to obtain details for over 2000 individual logins - whether or not all of these credentials worked or not I can't say for sure. I tried contacting MySpace offering over these credentials but I didn't receive an e-mail back.

someone should tell the phishers

[kbox]

MySpace is free.. I can understand phishing for credit card numbers or bank logins, But MySpace?

Re:

[otisg]

You clearly didn't read the Washington Post article.

The 16 years old kid who logs onto MySpace at 02:41 is using the same computer in the basement that mom and dad use the next mornign at 07:45 to log into their bank accounts, pay bills, trade some stock, and so on.

That's why even a free MySpace is a good target. As a matter of fact, MySpace is an excellent target because it has highly loyal and extremely active users who log into MySpace multiple times a day. This means that if the phishers' crack stays

Re:

[phillymjs]

Because they could edit MySpace pages to include code that does silent, drive-by malware installs on the machine of anyone that pulls up that page on an ill-maintained Windows box. Those machines would get pwned and could then have keyloggers installed on them to gather more useful info, or could be used to send spam, perform DoS attacks, etc.

Yes, the phishers could create MySpace accounts/pages from scratch, but their work pays off much more quickly if they co-opt the pages of frequent users with large, we

Re:

[Fred_A]

The 16 years old kid who logs onto MySpace at 02:41 is using the same computer in the basement that mom and dad use the next mornign at 07:45 to log into their bank accounts, pay bills, trade some stock, and so on.

Ah yes but mom and dad would do so with a different account and password and home directory, right ?
Huh ? Right ?

Guys ?

Re:

[InsertCleverUsername]

Yeah... I certainly had to read the Post article. My first thought on the story was "Phish a MySpace account?!? That's like an elaborate plot to steal manure!"

Re:

[theLOUDroom]

MySpace is free.. I can understand phishing for credit card numbers or bank logins, But MySpace?

People login to myspace with an email address and password.

If a person used the same password for their email, then not only is their email comprimised, but via their email, the attacker gets a list of other potential sites to try.

I would be extra suspicious of strange behaviour by ebay users for example. What is especially insidious about this is that once you've got someone's email account, you can run

Re:

[4D6963]

MySpace is free.. I can understand phishing for credit card numbers or bank logins, But MySpace?

There's actually a great interest in it. Because when you're an average user, unaware of that whole phishing thing, and that bulletins one of your favourite singers or friends say "~New Ring tones Adults can't hear! Download Today*", linking to a website to supposedly download them, you're much more likely to click, thinking it was advised to you by someone real (a "friend" or an artist you like), than when you

Re:

[prodangle]

According to Tom [myspace.com] (the guy who runs Myspace, I think) spammers can use login credentials to send spam to friends of a user. There are also screenshots on Tom's blogpost - it seems the best workaround so far is instructing users to type myspace into the address bar themselves before logging in.

This one got me...

[billyjoeray]

I clicked a myspace profile link in a friends bulletin which sent me to what I thought was the login page (I failed to check that hostname was indeed login.myspace.com) The login didn't appear to work and I attributed it to myspace being down at the time. It wasn't till later that I noticed I had posted a similar bulletin with a similar link (though that profile was already dead by the time I checked it). As far as I can tell the only thing they did was post a bulletin to try to get more accounts. I was abl

Re:

[SheeEttin]

What's even funnier is when you make an example phishing site and clearly mark it as phishing... and people still enter their information.

True story... and I posted it on a forum wher you don't want to click any links.

(Captcha: mourning... I am, indeed, for today's security.)

Using the same username/password everywhere

[GayBliss]

Another danger of getting username/password combinations is that so many people use the same username/password EVERYWHERE. Once a thief gets the username/password for ANY site, even a completely useless site with nothing of value, they could then do a systematic login attempt at all the common sites and banks where you might be able to do some real damage.

Phishing + SSL

[TheUni]

It's not these little phishing sites that scare me, it's the banking\credit union sites. For example, http://www.wamucards.com/ [wamucards.com] (DON'T ENTER YOUR INFO HERE!).

How do sites like these get SSL from Verisign? How could that slip though? There was a recent /. Headline about SSL Extended Validation and how it's needed: http://it.slashdot.org/article.pl?sid=06/10/25/204 6225 [slashdot.org] In cases like these, i guess it makes sense

Re:

[baadger]

How do sites like these get SSL from Verisign? How could that slip though? There was a recent /. Headline about SSL Extended Validation and how it's needed: http://it.slashdot.org/article.pl?sid=06/10/25/204 [slashdot.org] 6225 In cases like these, i guess it makes sense

When you can buy SSL certificates so damn cheap, $15 or less at some places, no serious company is going to certify you as being hardened against XSS or traditional hacks like this and compensate you or your users when you DO get hacked.

Besides, Verisig

Re:

[LO0G]

I'm confused. Here's the domain registration for wamucards.com:
Registrant:
Washington Mutual, Inc. (DOM-1398425)
1201 3rd Ave Seattle WA 98101 US

Domain Name: wamucards.com

Registrar Name: Markmonitor.com
Registrar Whois: whois.markmonitor.com
Registrar Homepage: http://www.markmonitor.com/ [markmonitor.com]

Administrative Contact:

First off...

[rivetgeek]

This is really old news. Phishers have been around myspace for ever. They used to use embedded flash with action script to redirect and myspace upgraded to flash 9 which allows the server to restrict flash redirects ( a feature added at myspace's request). They mostly use the phished accounts for myspace spamming and botnet-worm distribution.

This wouldn't have happened

[Rik Sweeney]

if people had just installed Firefox 2

nothing new...

[r0ni]

My girlfriends account was compromised like this about a month ago. She tried telling me the Mac has a virus (really). I made her change her password and now I periodically do a "Reset Safari" on 'her' browser.

I haven't noticed any strange posts by her or anything since the initial attack, so it seems it's a one time only type deal. Of course, a attack like this could be potentially worse, hell I wish it was worse. I wish it would have ruined her account and wouldn't let her create a new one.

The des

Re:

[r0ni]

No, but I fear that if I have to keep helping her fix her profile and she keeps telling me about this persons comment, that video, that mp3, yada, yada, yada... I might go crazy.

Taken Down?

[DavidD_CA]

I tried to visit www.myspace.com/login_home_index_html and it appears the account has been taken down.

Either that, or, that's what these scammers want us to think?

the YTMND irc channel is full of myspace phishers

[kungfujesus]

i remember when i was on the YTMND irc channel and some guy posted a link to a text file with 3k myspace logins. good times

How is MySpace leaving the hack up legal?

[Zen]

So, how long was this active, does anybody know? The netcraft article is from the 27th, and today is the 29th. I believe it's down now, but how long has it been down since Netcraft notified myspace about it? It seems very trivial for myspace web admins to verify that the code includes the specific suspect URL and to take immediate action against it. In my industry (healthcare insurance), if any leak of information or incorrect data is suspected, the websites in question are immediately taken down until

How long was it active?

[SkiifGeek]

When we first came across this information a few days ago, it was also linked to Mashable.com [mashable.com], which claims that up to 3,000 logins may have been compromised, and that they only recently became more successful in running the attack (having initially screwed up the inserted script). The other aspect is that Mashable appears to be talking about a slightly different phishing attack, which is still functional (using MySpace bulletins to spam other users).

Filtering based on blacklists (as you are suggesting M

But Why

[kahrytan]

Those who maybe wondering why Phishers used Myspace.

1. It is a good way to get information about the user
2. Good way to get information about the user's friends.
3. How many pc illiterate often use same password for multiple accounts?

I have already added the following line to my hosts files:

216.178.32.51 greentea420.iespanna.es

So ... why is this a bad thing?

[Ravear]

Hay guyz i hav this gr8 idea i tink i shud take a pikkchur of myself in da mirrur holding teh camerah at a weiurd angle isnt that original guyz? Amirite?

War is fun when you hate both sides.

Re:

[account_deleted]

Comment removed based on user account deletion

idiots fall for otherwise transparent con

[jgercken]

honestly, is this news?

I'm not surprised

[Krojack]

This just adds to the reasons why I'm glad I stopped using this service. I deleted my account on here a few months ago. I was getting sick of the fake spam/scam accounts wanting to invite me to be their "friend". Yeah I know setting my profile to non public would stop this but then it defeats the the whole part of having friends being able to find you.

Also the MySpace site is general is kinda clunky.. Looks like some high school kids project thats still learning HTML. Another words it look like crap. I