McAfee SiteAdvisor Blog

Breaking into someone else's MySpace account has gotten a lot of press recently, with a nasty fight between celebrity hotties Shanna Moakler, Lindsay Lohan, and Paris Hilton. But assuming you're not Paris, why would anyone want your MySpace password? And assuming you're smarter than Paris and don't use your dog's name, how would they get that password?

Well, they'd want it for a number of reasons. One would be to spam your friends through the MySpace comment and message system-- people are far more likely to open a message if it appears to come from a friend or acquaintance, after all. They can also use your MySpace profile to direct your friends and acquaintances to dangerous or unscrupulous websites. Finally, they can try your username and password combination on other websites: maybe myspace.com/secretlyironic has the same password as secretlyironic@yahoo.com, and maybe there's a bank account with that same user name and password. We don't have to tell you what happens then.

To start harvesting passwords, an attacker starts with a fake profile of their own, and begins collecting friends and posting on messageboards to attract traffic to the profile. As we discussed in an earlier post, it's easy enough to overlay a transparent image on a page like this one (Caution! Don't click on anything in this page.) making any click direct readers to any site you like. Password thieves will use that trick to get victims to a page that looks exactly like a MySpace login screen, and prompt them to login. When they do, they'll end up back at the MySpace home page, apparently logged in. It looks like an accidental logout, but it's not: they've just handed their credentials to a stranger.

About 90% of the phishing sites we find and flag as red are aimed at MySpace, and many of them have names designed to look like MySpace-related URLs: loginyspace, myspacev, and rmnyspacies, and so forth. They also come and go quickly-- none of those sites even exists right now.

To avoid getting caught, always double-check the URL when you get an unexpected login prompt. To minimize damage if you do get hacked, use different passwords for your social networking account and your bank account, and report any unauthorized access immediately.