MySpace Phishing Attack = Imagination > Knowledge

On October 27, 2006, the social networking website MySpace.com was the target of a phishing attack for a few hours. The attack was interesting not so much because of its technical prowess, but because the attackers were imaginative. The attack was initially reported by Netcraft, who discovered it when one of their customers encountered the page.

The attackers were able to create a login page located at http://www.myspace.com/login_home_index_html, which solicited the visiting user’s MySpace username and password. When entered, these values would go to a server operated out of France.

How did the attackers manage to pull this off? They tossed the wealth of complex phishing techniques aside and did something that was remarkably simple, and yet pretty clever. They registered an account with MySpace.com with the user ID “login_home_index_html”. Because MySpace served every profile directly under the site root, the page hosted at “http://www.myspace.com/login_home_index_html” automatically became their login page.
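The root cause described above is a namespace collision: a user-chosen handle was mapped straight onto a path under the site's own domain, so a handle that reads like a page name produced a URL that reads like a site page. The following is an added example, written for this page and not code from MySpace or any other site, of the two checks a registration endpoint could apply: screening handles that collide with or mimic site routes, and serving profiles under a dedicated prefix so that no handle can shadow a root-level route at all. The route list, the page-word list and the `example.com` domain are constructed assumptions for illustration.

```python
"""Screening user-chosen handles that become URL paths (added example).

Assumes, as the page describes for MySpace in 2006, that a site exposes
each account at https://<site>/<handle>. The route and word lists below
are constructed for illustration, not taken from any real site.
"""
import re

# Constructed: routes the site itself serves at the root. A handle equal
# to any of these would shadow (or be shadowed by) a real site page.
RESERVED_ROUTES = {
    "login", "logout", "signin", "signup", "register", "index", "home",
    "account", "password", "admin", "help", "settings", "search",
}

# Tokens that make a handle read like a static file or server page.
FILE_EXTENSION_TOKENS = {"html", "htm", "php", "asp", "aspx", "jsp", "cgi"}

# Words that, chained with separators, mimic a login or account page name.
PAGE_WORDS = {"login", "signin", "index", "home", "account", "password",
              "secure", "verify", "update"}

# Constructed handle policy: 3-30 chars, alphanumeric plus _ . -, must start
# with a letter or digit.
HANDLE_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9_.-]{2,29}$")


def handle_tokens(handle):
    """Split a handle on the separators that make it look like a path."""
    return [t for t in re.split(r"[_.\-]+", handle.lower()) if t]


def screen_handle(handle):
    """Classify a requested handle as 'allow', 'review' or 'reject'.

    Returns a (decision, reason) tuple so the caller can log the reason.
    """
    if not HANDLE_RE.fullmatch(handle):
        return ("reject", "handle does not match the allowed pattern")
    if handle.lower() in RESERVED_ROUTES:
        return ("reject", "handle collides with a site route")
    parts = handle_tokens(handle)
    if any(p in FILE_EXTENSION_TOKENS for p in parts):
        return ("reject", "handle contains a file-extension token")
    hits = [p for p in parts if p in PAGE_WORDS]
    if len(hits) >= 2:
        # Several page words chained together read like a site page name.
        return ("reject", "handle chains page words: " + ", ".join(hits))
    if hits:
        # A single page word is plausible in a real name; hold it for review.
        return ("review", "handle contains a page word: " + hits[0])
    return ("allow", "")


def profile_url(handle, base="https://example.com"):
    """Build the profile URL under a dedicated prefix.

    With every profile under /profile/, a handle can never occupy the same
    path as a root-level page such as /login, regardless of screening.
    """
    return f"{base}/profile/{handle}"


if __name__ == "__main__":
    for h in ["login_home_index_html", "login", "tom", "home_cook", "a b"]:
        print(h, "->", screen_handle(h))
    print(profile_url("login_home_index_html"))
```

The screening list is a second line of defence; the structural fix is `profile_url`, which keeps user content out of the root namespace entirely. Screening alone will always lag behind the next imaginative handle, whereas a prefix removes the collision by design.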

What makes this attack so remarkable was that the attackers did not have to be familiar with the bevy of tricks one might use to make a site look believable. They didn’t exploit a browser vulnerability, they didn’t hack into a Web server to host the page, and they didn’t compromise the domain name system (DNS). The attackers just exercised their imagination and came up with a very simple phishing site that does the trick. Einstein was definitely on to something when he said “Imagination is more important than knowledge.”

This attack differs somewhat from your typical phishing attack. Here, phishers were hosting a legitimately created page claiming to be a MySpace login page on the MySpace site itself. They could instantly take advantage of the fact that the MySpace name would be displayed prominently on the browser’s address bar. That alone would make the site seem that much more believable. The phishers did not have to go out of their way to achieve the right look and feel – that was just there by default.

One question to consider is why someone would be interested in gathering the usernames and passwords of MySpace users. There are a couple of reasons. First, some users who surf on MySpace are more likely to let their guard down when looking at their friends’ pages. Consequently, a compromised MySpace page could successfully lead an unsuspecting victim to malicious software like a keystroke logger. Second, users may use the same login ID and password for multiple accounts. Therefore, if an attacker has a user’s MySpace credentials, he or she may be able to use them in other places, like banks or credit card sites.

Overall, this phishing attack caught my attention not because of its technical sophistication, but because the attackers were imaginative. Just as attackers are getting more creative in designing their sites, we must also get more creative in how we detect and defend against them.