The scam begins when AOL Instant Messenger users receive a hyperlink promising new photos from someone in their contact list. But clicking the link leads the victim to a bogus California-based website that spoofs the MySpace.com log-in page, according to a Websense Security Labs alert. The fraudulent site captures MySpace usernames and passwords, and then forwards users to the real site.
The malicious attacker can then access the victim’s personal information, such as addresses and birthdates, stored in their MySpace account. The scam has since been shut down, Websense officials said in published reports.
Accessing the fake site also automatically installs a cookie on the victim’s computer, preventing the phishing attack from being displayed on future MySpace visits, the Websense alert said.
The more than 70 million users of MySpace, one of the world’s most visited websites, are becoming an increasingly attractive target for malicious attackers, experts have said.
The site, owned by Fox Interactive Media, recently hired its first CSO to improve safety and security.