Why phish myspace?
August 4, 2006
Bear with my geek for a moment if you can stomach it, I just found a soapbox and I’m dying to use it.
First they get your username and password for myspace. Then they start spamming all of us with these ridiculous bulletins. We click on them because we are your friends and we trust you. They, the spammers, do that to get our email addresses, to hawk their wares, basically because there probably isn’t much, if anything, in the way of anti-spam on the myspace servers. And maybe, if they get your email address and they know your friend didn’t notice that the URL didn’t say myspace.com verbatim when it prompted them with, “oops, you must be logged in,” you might not notice when they send you an email claiming to be from your bank or mobile phone provider or who knows what these days. Even if you are really careful and the URL seems to be on the right site, someone could be pulling strings with that site and URL to dupe you.
After researching a bit, it looks like the flash worm may not be the cause of the recent wave of bulletin spam, only a symptom of bad security measures and clever social engineering schemes. Hard to say. If the propaganda site pulled the “oops” trick, who knows how many people doofed and figured myspace had hiccupped and that was why the login prompt came up unexpectedly.
So please, my friends: be careful and observant. If you get prompted to log in right after clicking on a link in a bulletin, stop and think about the fact that you had to be logged in to see the bulletin in the first place. If you get an email that you aren’t expecting, don’t click on the links. If you do get clicking, look at that address bar very carefully before you ever enter a username and password on any site.
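The address-bar check the post asks for, written out as an added Python example (not code from the original post, and nothing MySpace ever shipped): it parses a link the way a browser does and reports whether the host it will actually connect to is myspace.com or one of its subdomains. The sample links are constructed for illustration, with placeholder domains that are not real sites.

```python
from urllib.parse import urlsplit

# The site the user believes they are logging in to. Taken from the post;
# any other expected domain works the same way.
EXPECTED_DOMAIN = "myspace.com"


def connected_host(url: str) -> str:
    """Return the host the browser would actually connect to, or '' if none.

    urlsplit() handles the parts people misread by eye: 'user@host' userinfo,
    ':port' suffixes and a trailing dot on the host. The expected domain
    appearing in the userinfo or path does not change the connected host.
    """
    parts = urlsplit(url.strip())
    return (parts.hostname or "").lower().rstrip(".")


def is_expected_site(url: str, expected: str = EXPECTED_DOMAIN) -> bool:
    """True only for http(s) links whose host is `expected` or a subdomain of it.

    Anything else is treated as NOT the expected site, including the expected
    name used as a subdomain of someone else's domain (myspace.com.example.net)
    or a name that merely contains it (notmyspace.com).
    """
    parts = urlsplit(url.strip())
    if parts.scheme.lower() not in ("http", "https"):
        return False
    host = connected_host(url)
    if not host:
        return False
    return host == expected or host.endswith("." + expected)


def triage_links(urls, expected: str = EXPECTED_DOMAIN) -> dict:
    """Map each link in a batch of bulletin links to 'ok' or 'do not log in here'."""
    return {
        u: ("ok" if is_expected_site(u, expected) else "do not log in here")
        for u in urls
    }


# Constructed sample links (placeholder domains, not real sites) covering the
# tricks the post warns about: a look-alike host, the real name buried in the
# userinfo or path, and a plain wrong domain.
SAMPLE_LINKS = [
    "https://www.myspace.com/login",           # genuine host
    "http://myspace.com.example.net/login",    # expected name as a subdomain of another site
    "http://myspace.com@example.net/login",    # expected name in userinfo; host is example.net
    "http://example.net/myspace.com/login",    # expected name in the path only
    "http://notmyspace.com/login",             # contains the name but is a different domain
    "https://profile.myspace.com./",           # trailing dot on a genuine subdomain
]

if __name__ == "__main__":
    for link, verdict in triage_links(SAMPLE_LINKS).items():
        print(f"{verdict:20} host={connected_host(link):28} {link}")
```

The point the code makes is that seeing "myspace.com" somewhere in a link proves nothing; only the host part, the one the browser shows in the address bar before the first slash, decides where the password goes.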
October 25, 2006 at 2:23 pm
[...] You click on a link, and you are taken to what seems to be the MySpace login page. “That’s weird”, you think, “I thought I was already logged in, but what the heck”, you give your password and you get to the page you wanted to get to. In reality, the login page was not on a myspace.com server, but on a malicious site (they just used the exact same layout) and they now have your password (cf chyna.wordpress.com)! They can now use automated scripts to log in and change your profile, or to send bulletins to all your friends. This password stealing technique is also called ‘phishing’. That sounds improbable? Well: it costs $15 to send a bulletin to 100k MySpace “Friends”. Where do you think those 100.000 friends come from? A recent example: Aug 27 2006. STATUS: the only way to protect against this would be to disable external links. I don’t see that happening, so this is still something to look out for! [...]