I’ve come across a rather interesting MySpace phishing technique. Hijacked profiles will send you a link or post a link on your wall telling you to go look at some user’s profile (it’ll usually be done by a friend of your’s). For example, they may say Joe is dead and display the following link to his profile:
http://profile.myspace.com/index.cfmfuseaction=user.viewprofile= 1890000
However, when you click the link, you’ll really be taken to a website like the following:
http://profile.myspace.com.fuseaction.id.user.viewprofile. 1890000.cn/
Notice the “.cn” extension. That site ain’t MySpace. If you follow the above link you’ll see that it takes you to a site that looks just like the MySpace homepage, and it’ll be asking you to log in – even though you should already be logged in. MySpace is kind of crappy in that you have to log in to see certain things, and sometimes you get logged out for various reasons, so most users will gladly re-enter their information.
After you’ve given this phishing site your log in info, it’ll save it and then use it to re-log you in to the real MySpace web site. So you’ll end up back at MySpace, but that interesting thing you were told about isn’t anywhere to be found. I’d assume most users would just shrug this off and move on – totally unaware that they’ve just given their log in information to a phisher/spammer/identity theif/whatever.
This really isn’t anything new, phishing has been around a long time. However, it actually works really well in this scenario, since MySpace used to take you to it’s home page after asking you to log in (even if you just wanted to look at someone’s pictures), and you were sent the link by one of your friends (not by some random dude you know is probably a phisher), so the environment leads to it being a pretty transparent attack. Anyway, it’s important to keep a look out for these kinds of things. A couple of my friends have had their accounts hijacked recently and they weren’t sure how it happened (I haven’t mentioned the above scenario since I just witnessed it recently). You don’t want to get your account or any accounts that may use the same password deleted because some jackass stole your log in info and then spammed a bunch of people.
ahahaha this is cool social engineering…
I think many people click on it, poor girl RIP (girl?) 😀
It’s certainly clever, and I’m sure a lot of people are following for it and don’t even realize it.
And yes, I saw this scam in a girl’s profile. Though the other two friends that have had problems were both guys.
I guessed you missed the story about the 70,000+ MySpace accounts hijacked within the last two months ;). But yeah, at one point that site also contained a Trojan Dropper on it. Most people only give the URL a quick glance before deciding it’s trustworthy.
Wow, I can’t believe I missed that story! I usually read reddit every day too. I guess this one just slipped by me.
I can’t believe they pulled that off, and I can’t believe the story didn’t make a bigger wave. Stealing 70k passwords, that’s pretty crazy.
4chan is a weird site, I’m not really sure I understand its popularity or how it’s associated with hacking. Every time I visit it seems like it’s just people posting up weird images and making comments about them. Though when I watch videos about the site, they always talk about “Anonymous” and all the hacking that goes on. It almost seems like I’m going to the wrong site (4chan.org -> the random section?).
An even more dangerous thing that has been occuring is when you get an email claiming to be from Paypal. If you click the link the site looks just like Paypals. And of course you enter in your login and password and they now have access to your pay pal account. I got an email from these guys and quickly thought it was a scam. Like the myspace thing only if you pay attention to the url ( which most people won’t) will you notice.
hey Imran,
Good to hear from you! Hope everything has been going well. I bumped into Harsh at the Columbia mall a while back, he didn’t seem that amused to see me. I guess he’s still bitter about his falling out with Kevin (I tried to stay out of it but I guess he associates me with Kevin).
Anyway, yeah, a Paypal scam is much more harmful. People usually try to steal myspace accounts just for the “lulz”, but if someone gets your Paypal info they can do some real damage. It’s also a much more dangerous scam for the scammer. You can get some real jail time for trying to pull something like that, whereas I can’t see much jail time happening to someone if they steal some myspace passwords.