MySpace Phishing
Posted by Aaron Weber on May 1, 2007 04:19 PM
Breaking into someone else's MySpace account has gotten a lot of press recently, with a nasty fight between celebrity hotties Shanna Moakler, Lindsay Lohan, and Paris Hilton. But assuming you're not Paris, why would anyone want your MySpace password? And assuming you're smarter than Paris and don't use your dog's name, how would they get that password?
Well, they'd want it for a number of reasons. One would be to spam your friends through the MySpace comment and message system: people are far more likely to open a message if it appears to come from a friend or acquaintance, after all. They can also use your MySpace profile to direct your friends and acquaintances to dangerous or unscrupulous websites. Finally, they can try your username and password combination on other websites: maybe myspace.com/secretlyironic has the same password as secretlyironic@yahoo.com, and maybe there's a bank account with that same user name and password. We don't have to tell you what happens then.
To start harvesting passwords, an attacker starts with a fake profile of their own, and begins collecting friends and posting on message boards to attract traffic to the profile. As we discussed in an earlier post, it's easy enough to overlay a transparent image on a page like this one. (Replace the word 'colon' to visit this page. We recommend using a virtual machine to visit.) Clicks can then direct readers to any site you like. Password thieves will use that trick to get victims to a page that looks exactly like a MySpace login screen, and prompt them to log in. When they do, they'll end up back at the MySpace home page, apparently logged in. It looks like an accidental logout, but it's not: they've just handed their credentials to a stranger.
About 90% of the phishing sites we find and flag as red are aimed at MySpace, and many of them have names designed to look like MySpace-related URLs: loginyspace, myspacev, rmnyspacies, and so forth. They also come and go quickly: none of those sites even exists right now.
To avoid getting caught, always double-check the URL when you get an unexpected login prompt. To minimize damage if you do get hacked, use different passwords for your social networking account and your bank account, and report any unauthorized access immediately.
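
The URL double-check described above can be automated. The following is an added example, not code from the original post: it classifies a hostname as the official MySpace domain, a lookalike, or unrelated, using the names quoted in this article. The `.example` TLDs, the confusable-character table and the distance threshold are assumptions made for the illustration.

```python
from urllib.parse import urlsplit

BRAND = "myspace"
OFFICIAL_DOMAIN = "myspace.com"
# Character sequences that read like another letter at a glance
# (assumed, illustrative list; not exhaustive).
CONFUSABLES = (("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"))
MAX_DISTANCE = 2  # assumed threshold; tune against your own traffic


def edit_distance(a, b):
    """Levenshtein distance, computed with a rolling row."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def closest_window(label, brand=BRAND):
    """Smallest distance between the brand and any substring of similar length."""
    best = edit_distance(label, brand)
    for size in range(len(brand) - 1, len(brand) + 2):
        for start in range(len(label) - size + 1):
            best = min(best, edit_distance(label[start:start + size], brand))
    return best


def classify(url):
    """Return 'official', 'lookalike' or 'unrelated' for a URL or bare hostname."""
    host = (urlsplit(url if "//" in url else "//" + url).hostname or "").lower()
    labels = host.rstrip(".").split(".")
    # Simplification: treat the last two labels as the registrable domain
    # (a real deployment would consult the Public Suffix List).
    if ".".join(labels[-2:]) == OFFICIAL_DOMAIN:
        return "official"
    label = labels[-2] if len(labels) >= 2 else labels[0]
    for seq, repl in CONFUSABLES:
        label = label.replace(seq, repl)  # "rnyspace" becomes "myspace"
    return "lookalike" if closest_window(label) <= MAX_DISTANCE else "unrelated"
```
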

Comments
It's increasingly important that people get used to using a password manager - it's the only way to be able to have a unique, strong password for every single website - and not have to worry about remembering them.
...
There are plenty of programs out there, many free. So choose - and use - a password manager.
...
Posted by: Tara Kelly (PassPack) | May 1, 2007 04:45 PM
There is a real danger of phishing; I am getting a few emails a week asking me to log on to a bank account that I don't even have.
Posted by: Adrian C | May 13, 2007 04:51 PM
I think that if somebody wants to have a MySpace that bad they should at least have a really good password!
Posted by: Alyssa | May 23, 2007 10:12 PM
Well, it's not just MySpace. People can hack into your other accounts too. I agree with what Tara Kelly said. Just make a very strong password, and use the password manager to save it. I use Roboform, and it's really good, so download it. Websites tell you to make strong passwords, and they say don't use anything easy for others to know, so yeah. People are finding ways to hack into people's accounts for mostly all sites, so make a stronger password.
Posted by: Charles | May 30, 2007 01:27 PM
Creating different names for login and email will perhaps deter attackers from breaking in.
Clara
Posted by: Tips Of All Sorts | June 5, 2007 02:33 AM
I have two daughters. They both had their myspace accounts phished this week. I recreated another one for them and that one was phished too. It is VERY frustrating. What are they doing wrong? They don't use the emails associated with myspace. Not sure how they keep getting their information.
Posted by: Kathy | August 21, 2007 01:54 PM
Good article, thanks for putting the tips to avoid phishers out there. Unfortunately, phishing is so rampant on myspace! I receive comments and bulletins daily from people whose accounts have obviously been phished. I don't know if people realize the real dangers of someone obtaining your password--it's not just sending obscene bulletins to your friends, your credit and personal information could be at stake as well!
Posted by: Cleanup Crew | September 14, 2007 02:02 PM
This will definitely help me while I am learning to use the new computer.
Posted by: amy flack | September 27, 2007 09:29 AM
Right now the common phish tactic is a picture from a myspace video clip and you click on it to play but it's actually a hyperlink to www.rnyspace.com where you'll get a login prompt. After putting in your info it'll then store it and redirect you back to the real myspace. Then the program logs in as you and leaves the picture comments on your top 8 people in hopes of trying to get your friends to click on it.
Posted by: Joe | October 3, 2007 12:54 PM