MySpace is particularly vulnerable to phishing because its users are likely to be less cautious when logging in to a MySpace account than when logging in to their personal bank account, which makes them easier victims.

Additionally, given the broad range of people who use MySpace (a user can be as young as 14), a significant percentage of MySpace users are unaware of phishing, do not know how to detect it, or have little knowledge of internet safety in general.

The scheme described below is one of many different types, though one that appears to be on the rise. A special myspace.com phishing awareness page will soon be added to the SpamWiki detailing the numerous known phishing schemes.

How this scam works:

Step 1. Setting up the fake login page

The phisher registers a domain name at a registrar that he or she believes will be slow to respond to an abuse complaint. The domain name itself is usually meaningless and resembles a string of code, such as a12e53cE.com.

Then the phisher sets up masked web forwarding for the domain, based on a subdomain or a catch-all (wildcard) entry. This way, any URL under the newly registered domain, whatever hostname is put in front of it, forwards the visitor to another website (where the actual identity theft occurs).

For example, to an inattentive user the following link may appear to be a legitimate MySpace login page, especially since the address bar of the web browser may only show the left-hand part of it:

http://login.myspace.cfm.fuseaction.splash.mytoken.76701a26.da3e.44a3.a17b.76701.a17b.959e3c5a151271a26.da3e.44a376701.a12e53cE.com

However, as you can see, the above link really belongs to the phishing domain, a12e53cE.com, and has nothing whatsoever to do with myspace.com. Hostnames are read from right to left: the last label is the top-level domain (.com), the label before it is the registered domain (a12e53cE), and everything to the left of that is a subdomain chosen freely by whoever controls a12e53cE.com. The labels login.myspace.cfm.fuseaction.splash.mytoken... merely imitate the look of a MySpace address. The phisher is counting on the victim not knowing this.
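The right-to-left rule above can be applied mechanically. The following is an added example, not code from the original article: it takes a URL, isolates the registrable domain (the label just left of the public suffix plus the suffix) and compares it with the brand the address appears to belong to. It assumes a single-label public suffix such as .com; for suffixes such as .co.uk a real tool would consult the Public Suffix List (the `suffix_labels` parameter is there only to show that this is the adjustable part).

```python
"""Why a hostname is read from right to left (added example, not from the article)."""
from urllib.parse import urlsplit

# The deceptive URL quoted in the article.
PHISH_URL = ("http://login.myspace.cfm.fuseaction.splash.mytoken.76701a26.da3e"
             ".44a3.a17b.76701.a17b.959e3c5a151271a26.da3e.44a376701.a12e53cE.com")


def registrable_domain(url: str, suffix_labels: int = 1) -> str:
    """Return the registered domain of a URL's hostname, e.g. 'a12e53ce.com'.

    Hostnames are hierarchical from the right: TLD, then the registered
    domain, then whatever subdomains the registrant likes. Everything left
    of the registered domain is under the registrant's control and proves
    nothing about who owns the site. `suffix_labels` is an assumption
    (1 for .com); real code should use the Public Suffix List.
    """
    host = urlsplit(url).hostname  # already lower-cased by urlsplit
    if not host:
        raise ValueError(f"no hostname in {url!r}")
    labels = host.rstrip(".").split(".")
    if len(labels) <= suffix_labels:
        raise ValueError(f"{host!r} has no registrable domain")
    return ".".join(labels[-(suffix_labels + 1):])


def claims_brand(url: str, brand_domain: str = "myspace.com") -> bool:
    """True when the brand name appears as any label (how a victim reads it)."""
    host = urlsplit(url).hostname or ""
    return brand_domain.split(".")[0] in host.split(".")


def is_brand(url: str, brand_domain: str = "myspace.com") -> bool:
    """True only when the registered domain actually is the brand's domain."""
    return registrable_domain(url) == brand_domain.lower()


def classify(url: str, brand_domain: str = "myspace.com") -> str:
    """Label a URL: legitimate, suspicious (brand used as a subdomain), or unrelated."""
    if is_brand(url, brand_domain):
        return "legitimate"
    if claims_brand(url, brand_domain):
        return "suspicious: brand name used as a subdomain label"
    return "unrelated"


if __name__ == "__main__":
    for u in (PHISH_URL, "http://www.myspace.com/", "http://www.myspace.com.a12e53cE.com/"):
        print(registrable_domain(u), "->", classify(u))
```

The point the check makes is that the word "myspace" anywhere left of the registered domain is worthless as evidence; only the two rightmost labels say who the site belongs to.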

Step 2. Forwarding to the site where the victim's information is stolen

Presently the domain name loginmyspaceses.com (registered at Bejing Innovative; similar domains such as myispaceses.com are also in use) is used by a phishing botnet against the website myspace.com. Its present nameservers are:

ns5.sweeuetharts.net
ns3.sweeuetharts.net
ns2.sweeuetharts.net
ns1.sweeuetharts.net

NOTE: All of the above nameservers have had their glue records neutralised by Gandi, which set them to the black-hole IP 217.70.185.0, rendering the DNS inactive. As long as loginmyspaceses.com uses these nameservers, the domain cannot resolve and so cannot be used.

The nameservers used for this 'root' domain are often a set of five round-robin nameservers under a domain whose spelling has repeated vowels or consonants, such as the now suspended apppplepieee.net.

When forwarded to this website, the user still sees the original URL in the address bar (if they arrived via masked forwarding, which typically loads the destination page inside a frame) and yet sees the content of the new website (see a sample website connection activity log). From this page, all the links lead to the real MySpace.com website, so the victim would never know that he or she was on a fake site.

Step 3. Stealing the user's login codes

The actual theft occurs when the user enters his or her login details in the fake MySpace login area on this page. This login area looks nearly identical to the authentic one:

Fake MySpace login

When the user submits the data (see activity log), one copy is sent to the phisher and another copy is sent to myspace.com, where the user continues to use the service as normal.

Because the code on the phishing website (e.g. loginmyspaceses.com) posts the login data to the real MySpace website as well, the user successfully logs in to the real site and is never aware of having been on a fake site and having had personal information stolen.
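Steps 2 and 3 leave two traces in the HTML a browser actually receives: a frame on the forwarding domain that pulls in a page from a different domain (masked forwarding), and a login form with a password field whose action posts to a host that is not the brand's. The following is an added example, not code from the article or from spamtrackers.eu, that scans fetched HTML for both. The two sample pages are constructed to match the article's description and use the hostnames named in it (a12e53cE.com as forwarder, loginmyspaceses.com as phishing site); the paths index.cfm and login.cfm are assumed, as is the two-label registrable-domain rule.

```python
"""Flag masked forwarding and off-brand password forms in fetched HTML.

Added example, not the article's own code. Sample pages below are constructed.
"""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Constructed: what the forwarding domain serves (a frame hiding the real host).
FORWARDER_HTML = """<html><head><title>MySpace</title></head>
<frameset rows="100%"><frame src="http://loginmyspaceses.com/index.cfm"></frameset>
</html>"""

# Constructed: the phishing page. Links go to the real site; the form does not.
PHISH_HTML = """<html><body>
<a href="http://www.myspace.com/">Home</a>
<form method="post" action="http://loginmyspaceses.com/login.cfm">
 <input type="text" name="email"><input type="password" name="password">
</form></body></html>"""


def registrable_domain(host):
    """Two rightmost labels (assumes a single-label suffix such as .com)."""
    labels = (host or "").lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


class PageScanner(HTMLParser):
    """Collects frame sources and password forms with their target domains."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.page_domain = registrable_domain(urlsplit(page_url).hostname)
        self.framed_from = []   # registrable domains loaded into frames
        self.forms = []         # [action_domain, has_password_field] per form
        self._form = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag in ("frame", "iframe") and a.get("src"):
            src = urljoin(self.page_url, a["src"])
            self.framed_from.append(registrable_domain(urlsplit(src).hostname))
        elif tag == "form":
            # A missing action posts back to the page itself.
            action = urljoin(self.page_url, a.get("action") or "")
            self._form = [registrable_domain(urlsplit(action).hostname), False]
            self.forms.append(self._form)
        elif tag == "input" and self._form is not None:
            if (a.get("type") or "").lower() == "password":
                self._form[1] = True

    def handle_endtag(self, tag):
        if tag == "form":
            self._form = None


def scan(page_url, html, brand_domain="myspace.com"):
    """Return a list of findings; an empty list means nothing suspicious."""
    s = PageScanner(page_url)
    s.feed(html)
    s.close()
    findings = []
    for d in s.framed_from:
        if d != s.page_domain:
            findings.append(f"masked forwarding: frame loads {d}")
    for action_domain, has_pw in s.forms:
        if has_pw and action_domain != brand_domain:
            findings.append(f"password form posts to {action_domain}")
    return findings


if __name__ == "__main__":
    print(scan("http://a12e53cE.com/", FORWARDER_HTML))
    print(scan("http://loginmyspaceses.com/index.cfm", PHISH_HTML))
```

Note that the second check cannot see where the phishing server forwards the credentials afterwards (the copy relayed to myspace.com happens server-side); what it does see is that a page asking for a password is sending it somewhere other than the brand it imitates, which is the only signal the victim's browser has.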

Conclusion:

While the example discussed here pertains to MySpace phishing, it applies equally to any other website that asks users to enter their login details before accessing their personal content or area. It is especially effective against MySpace users, however, given the large percentage of them who are not well-versed in internet safety.

While the MySpace credentials themselves may not be of great interest to the phishers, many people reuse the same user names and passwords for eBay or PayPal accounts, etc., which are indeed of interest to the phisher.

To successfully shut down such a scheme requires a combination of items:

  • Education: It is imperative that all users of the internet at least become suspicious of phishing, and at best know how to identify it.

Users must know how to confirm that they are logging in to the authentic MySpace website and not a fake. There is a very informative page on MySpace phishing at the Spamhuntress blog.

On the subject of user education, it is important that users of these services choose passwords that are not the same as the ones used for other services, for instance a MySpace password that is also the password for a Hotmail or Gmail account. Knowing the email address given on a MySpace page, the phisher can be expected to try the phished password against that email account and search it for banking and other personal emails that may lead to more valuable logins.

Additionally, there are browser plug-ins that can warn users about this type of forwarding and provide increased security by restricting certain sites and scripting. For example:

IE 6 and 7:

Built-in phishing filter (don't use IE myself)

Both IE and Firefox:

McAfee SiteAdvisor plug-in
Spybot Search and Destroy, which provides a list of unsafe sites for installation in the Windows restricted sites zone

  • Complaining to registrars: In the phishing scheme described in this blog entry, there are potentially four different registrars that can be contacted to file an abuse complaint:

1. The registrar of the phishing website (ex. loginmyspaceses.com)
2. The registrar of the nameservers for the phishing website
3. The registrar of the domain used to forward to the phishing website
4. The registrar of the nameservers for the forwarding website

Successfully shutting down any of the above domains will disrupt the phishing scheme. The most effective suspension is that of the phishing website (1), since that renders all the forwarding domains useless. Suspending the nameserver domain of the phishing site takes the phishing website offline only until the phisher changes its DNS.

That said, shutting down a forwarding domain only closes one "branch" of the phishing scheme (there may be hundreds), and while less effective, it is nevertheless important, especially if the registrar sponsoring the phishing domain is unresponsive to complaints.

  • Improved security on the MySpace website. MySpace and other sites could improve security by using cookies, variable questions, or prompts set by the user. Note that simply requiring a security question alongside the user name and password does not by itself thwart this scheme: the phishing page already relays the submitted form to the real site, so it can relay the answer to the question just as easily. What helps is something the phishing page cannot show in advance, such as a phrase or image chosen by the user that the real site displays before asking for the password; a fake page that cannot display it gives itself away.
  • Complaining to the web host of the phishing website. Since the phishing site uses MySpace's copyrighted material for illicit purposes, the host may also be taken to task for copyright infringement.

If you spot any MySpace phishing schemes different from the one described above, please send a full description (be sure to include all URLs and headers) to: myspace(-at-)spamtrackers.eu, or post a description in the spamtrackers' forum, here.

Forseti, and DougW contributed to this article. Special thanks to Jane.