‘Link hack’ redirects MySpace visitors to phishing site

Security researchers at Websense have uncovered what they called a "link hack" that bypasses the attempts of social networking website to control and filter the links on its pages.

The perpetrator of the link hack has found a way to avoid's "parsing" of all links on its pages, Stephan Chenette, manager of Websense's security labs, told This parsing normally redirects all links on a profile page back to a URL, he said.

"Like any Web 2.0 website where users control the content on profile pages, MySpace attempts to control the links on its site," he said. "In this particular case, the attacker is redirecting visitors to a phishing page that looks very much like"

The danger here, he noted, is that visitors trust the links, but in this case, they're redirected to a page that contains malicious content. "That's one of the huge opportunities on Web 2.0 sites -- exploiting user trust," he said.

According to a blog posting by Websense security researcher Ali Mesdaq, the link hack technique allows an attacker to create malformed anchor tags with style attributes that cover most of the clickable page with whatever link the attacker wants. "This technique has already been detected in MySpace phishing sites, adult dating spam and other questionable activities," Mesdaq noted in the blog.

According to Mesdaq, the technique makes it easier for malicious users to steer profile visitors to an external website. As an example, an unsuspecting user might try to click on what would normally be safe links hosted on MySpace, such as the "View My: Pics" link on every profile.

Because of the link hack, however, clicking actually takes the user to an external website. The redirection "greatly improves the click rates that would normally be seen with these attacks," Mesdaq added.

He noted that Websense detected a music profile with more than 12 million page views. More than 435,000 friends were using this hack to link to a site that redirected them several times until they finally arrive at a MySpace phishing site.

The Websense researcher explained that the first redirect, a JavaScript redirect with a basic message on the page, redirects the user to "thanks.php" on the same domain. A second redirect takes the user to a page hosted on a different domain that has been created to resemble a MySpace URL.

The technique also makes use of viral marketing techniques to encourage users to copy and paste a snippet of code into their own profiles. This should give users updates to the site they're linking to, "but in fact this code snippet is just spreading the same link to the MySpace phishing site," Mesdaq noted.

Websense said it has monitored an infected user profile and noted that the link to the phishing site has been updated. This occurred "presumably because the phishing site has been shut down."

"This seems to be a trend, where users are attempting to find a work-around so their links are not filtered by Web 2.0 sites," Chenette said. "We have contacted MySpace to let them know this is occurring."

He added that one of the realities of the nature of this type of attack, is that the profile pages actually change on a daily basis. Because of the dynamic nature of Web 2.0 sites, he added, the attackers put up and take down individual pages on a continual basis.

“Individuals who try to phish our members are violating the law and are not welcome on MySpace,” a spokesman told “We are actively working to block and remove the source of this phishing attempt and have proactively put in place several features to help protect our users from being phished.”


Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.