Phishing's new target: MySpace
Thought phishing was just a problem for banks and PayPal, did you? Well, it's entered a new territory: MySpace. And it's got some new tricks up its sleeve. MySpace's iconic Tom Anderson has made a post describing the new attacks that con users into divulging their MySpace username and password. What's interesting about the attacks is that, unlike most phishing sites that must exist on a site other than the official site and whose fake URLs need a keen eye to be identified), these exploit MySpace's customization features to make an ordinary profile at profile.myspace.com look exactly like the official login page. You can see a screenshot of one such phishing profile here. You'll notice that the URL begins with profile.myspace.com rather than the legitimate login.myspace.com, but the page is otherwise indistinguishable from an ordinary MySpace login prompt.So what are evil phishers using those passwords it collects for? Spamming, of course. Once a phisher has a user's login info they use them to post spam comments and send spam bulletins to that user's friends. How original.
Anderson's advice to MySpace users is that whenever they see a login form they should go to www.myspace.com instead of entering their username and password, which is, in my opinion, no solution at all. It just compounds MySpace's already-jarring interface problems. By allowing arbitrary CSS in MySpace profiles, MySpace has created a huge problem for itself that's going to take a very creative solution.
