The page was created using specially crafted HTML to eliminate the normal appearance of a user profile and instead resemble the real MySpace log-in page, according to internet monitoring firm Netcraft. Users would arrive at the page by following a phishing link.
"What this guy figured out is a way to obliterate all the MySpace content and replace it with all his content," Tod Beardsley, lead counterfraud engineer at TippingPoint, told SCMagazine.com today. "We don't know how the link was getting propagated."
MySpace allows users to customise their profile's URL, and in this case, the attackers created a legitimate-sounding domain name for signing on.
However, the fraudulent page was harvesting log-in details and communicating with a server in France, Paul Mutton, Netcraft's internet services developer, said Friday in a blog post.
The danger lies in MySpace users who use the same log-in information for their email services and online bank accounts, Beardsley said.
"I suppose the advice to users is don't share passwords between accounts," he said. "You want to compartmentalise passwords because if one gets compromised, you don't get owned across the board."
With more than 100 million members and a place in the global top 10 of most visited websites, MySpace has increasingly become an attractive target for the malicious community, which looks to take advantage of a young user set that is more trusting and less security-minded than older generations.
"As a demographic, they have no fear at all," Beardsley said. "MySpace seems trivial and fun and (users) click on anything because they're interested in meeting people. But if you're able to leverage MySpace to do something evil, that's a big user base."
But there is also growing concern for security at the enterprise level, as older users flock toward the allure of social networking.
MySpace, purchased in 2005 by News Corp. for US$580 million, suggests on its site that users do not reply to email or pop-up messages that seek personal or financial information, or click on links found in such messages.
Password-stealing MySpace log-in page removed
By Dan Kaplan on Oct 30, 2006 4:50PM