Security Strategy, Plan, Budget

MySpace target of hybrid phishing scheme

Users of the immensely popular social networking website are being targeted in a new "hybrid" phishing scheme aimed at stealing their identity, one security firm warned today.

Researchers at the Maitland, Fla.,-based Aluria Software said today that scammers are posting malicious links on MySpace, which is among the top five most visited websites, according to traffic-ranker Alexa.

"When you're dealing with an entity that large, people with malicious intent come and try to exploit that technology," said Hiep Dang, Aluria's director of threat research and engineering. "It's just like email."

Users who double-click on the links – located on some of the profile pages of MySpace's more than 50 million members – are sent to a bogus site that resembles the real thing, Dang said.

The MySpace member then is prompted to re-enter login account information, then captured by the attackers, Dang said. The hope is their MySpace username and password is the same information they use to access sites where online transactions are made.

The fraudsters combine some other malware, such as a trojan or keylogger, to determine where else on the internet the user might enlist that same login information, Dang said.

"They could potentially use it in their bank account," he said.

A spokesperson from MySpace did not return telephone calls seeking comment.

The attack purposely targets an attractive demographic – young people with money to spend, said Sam Curry, vice president of CA security management.

"There's value to being able to influence a community and being able to tap into it," he said today. "People are not in immediate danger, but they shouldn't click things and assume they are safe."

The phishing scheme also is troubling because many employees use social networking sites while at work, potentially opening the door for their company's networks to be compromised, Dang said.

He said that after clicking on an unknown link, users should observe the address bar to ensure they are at a legitimate site. Also, they should report any phishing attempts to the Anti-Phishing Working Group, of which Aluria is a member.

Google recently named MySpace, with 47.3 million visitors at the end of last year, the top gainer for 2005. Launched in January 2004, MySpace was purchased by Rupert Murdoch's News Corp. for $580 million last July. Industry analysts say MySpace now is valued much higher.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.