Web Worm Whacks MySpace Users

A complex, ongoing attack on MySpace.com users is turning victims' sites and computers into hosts for serving phishing scams and computer viruses.

Earlier this week, some MySpace user pages were seeded with computer code seeking to exploit one of three recently-patched security holes in Microsoft Windows and Internet Explorer. MySpace visitors who browse one of these pages are redirected to a fake MySpace login page aiming to steal the visitor's MySpace user name and password.

A screen shot of an infected MySpace profile. Clicking anywhere on the live version of this page will redirect the visitor to a fake login page and try to seed the visitor's PC with malicious software.

We've seen a similar attack against MySpace, but this new one has a twist. A scam victim's MySpace page is altered to include code redirecting users to a phishing page. Meanwhile, if the user's computer does not have up-to-date Microsoft patches, programs will be silently installed linking the victim's machine into a network of several hundred infected PCs used to host other phishing sites or serve up additional malicious software.

So just how successful is this attack? Ask Lawrence Baldwin, chief forensics officer at MyNetWatchman.com, a company that tracks hacking and spamming activity. Baldwin runs a sizable "honeynet." It's a distributed network of machines designed to be infected with the latest malicious software so that investigators can glean evidence about the activities of the bad guys pulling the strings. Baldwin on Tuesday found that one of the PCs in his honeynet was among some 200 other Windows computers currently serving exploit code and phishing Web sites in this MySpace.com attack.

Baldwin said that about one-quarter of those who visited the MySpace phishing page hosted on that machine provided their credentials. So far, his infected machine has collected hundreds of MySpace user names and passwords, or roughly 10 to 20 sets of credentials every hour.

"That tells me that I'm only seeing 1/200th of the traffic going to the phishing sites in this network," Baldwin said. "If we extrapolate that out, we're talking about 2,000 to 4,000 MySpace account credentials being stolen per hour."

This type of Web 2.0 worm likely will be a favorite method of attack for some time. MySpace sports one of the biggest collections of some of the least PC-security-savvy people today. In January, I wrote about another MySpace.com attack that exposed tens of thousands of MySpace passwords, many of them extremely easy-to-guess dictionary terms. Baldwin said the passwords his honeynet machine has intercepted are no more complicated.

That behavior suggests that a great many MySpace users don't consider their account worth protecting. This type of attitude is typical of the very people whose computers are most commonly compromised by criminals. The misguided notion that one's computer or MySpace account has no valuable information on it and therefore couldn't possibly be an attractive target for cyber criminals is the principle reason online crooks are so successful.

By Brian Krebs | June 27, 2007; 1:52 PM ET | Fraud, From the Bunker, Latest Warnings, Misc., Safety Tips

Comments

Why doesn't Facebook have these same issues?

Posted by: Kevin | June 27, 2007 5:11 PM

This is an excellent article for at least two reasons.

It explains clearly enough HOW a computer can become infected by this exploit - which teaches you something about how to better protect yourself (apply patches immediately, and consider a browser like Firefox with fewer exploits aimed at it).

Secondly, it explains why the attitude of "I have no valuable information so I don't need to care so much about my computer's security" is misguided (you're assisting online criminals to cheat others).

Posted by: T. Ayres | June 27, 2007 5:59 PM

Lots of people have this virus. This is a Security Fix? Hardly. Why don't you tell people how to remove the worm instead of being so condescending.

P.S. This one gets through Firefox.

Posted by: Myspace User | June 27, 2007 7:39 PM

"This one gets through Firefox"

Prove It.

Posted by: T. Ayres | June 27, 2007 8:41 PM

Why is this stuff never surprising? Because as a poster said in the DSL Reports forum, "inherent laziness and sublime ignorance". IMHO, chaulk it up to a massive failure in critical thinking skills.

In the end, you reap what you sow.

Posted by: TJ | June 28, 2007 1:36 AM

BTW, as a previous poster pointed out, this is a valuable article in getting the word out. Unfortunately, the users that should be getting the message probably don't frequent computer security sites and don't follow recommended security practices. Even those of us who try to spread the word incur the "you can lead a horse to water, but can't make em drink".

Again, it all goes back to my previous post.

Posted by: TJ | June 28, 2007 1:43 AM

Use Spy bot-It works
Tkatz

Posted by: Terrance Michalski | June 28, 2007 8:15 AM

Firefox has an addon called noscript. If the exploit is running any kind of script this should stop it dead in its tracks.

Proof enough?

Posted by: Rodney Wise | June 28, 2007 8:19 AM

Firefox has an addon called noscript. If this exploit is running any script to d/l the bot it should stop it.

Proof enough?

Posted by: Rodney Wise | June 28, 2007 8:21 AM

One thing to do if you're an IT person is block MYSPACE from the users at work. This way you don't have to worry about it.

Posted by: Roomeister | June 28, 2007 9:23 AM

I don't think there's anything stopping Facebook from having this issue, especially with users able to create their own apps. MySpace probably got hit first because it's more popular.

Posted by: Gonzo, MD | June 28, 2007 9:59 AM

Myspace is definitely more popular by orders of magnitude, plus at least people in FaceBook are smart enough to go to or have gone to college, which means they might actually have enough brain matter between their ears to not let their computers fall behind on patches.

Posted by: | June 28, 2007 10:44 AM

Add myspace to your HOSTS file.

Staying away from stupid people is almost as critical as avoiding the usual malicious websites.

Posted by: Ken L | June 28, 2007 5:09 PM

"...if the user's computer does not have up-to-date Microsoft patches, programs will be silently installed...."

Notice that the patches are for the OS and IE. They alone can prevent the code from being installed. It has nothing to do with Firefox. Firefox and other alternative browsers just have far fewer of these types of exploits because, in part, the malware authors aim at the bigger target: IE.

This exploit cannot silently install programs through a Firefox bug onto the victim's PC - if Firefox is fully patched. Geez, it can't even install the malicious code if XP and IE are fully patched.

Posted by: T. Ayres | June 29, 2007 12:09 AM

"principle"? How about "principal"?

Posted by: Pete from Arlington | June 29, 2007 9:49 AM

"chaulk"? How about "chalk".

Posted by: Pete from Arlington | June 29, 2007 9:52 AM

So...now...aside from running spyware/adware system check, is there a way to ascertain, by sight, if such code is on a MySpace page? Lately, I've noticed the MySpace password box being blank, instead of the autofill that usually resides there.

Posted by: Morvis | June 29, 2007 11:51 AM

A similar attack happened to eBay Europe two years ago. Users have been linked to a fake eBay login site.

After discovering it I tried to get in touch with some executable people at eBay but it was hard work. If somebody isn't logged in he couldn't contact the ISP management.

Finally I've found a form to leave a statement but it was the weekend! Next week a lawyer called me but he wasn't interested in details.

How many passwords have been stolen that time? Who knows?

The site was just a simple screenshot from the original. But if somebody has seen the header's address he would know. It was a very deep link you know?

tagesclaus

Posted by: tagesclaus | July 3, 2007 8:19 AM

"Why doesn't Facebook have these same issues? - Posted by: Kevin"

Apparently, they do, plus more. See:
> http://www.websense.com/securitylabs/blog/blog.php?BlogID=135
July 9 2007

(Screenshots available at the URL above.)

Posted by: J. Warren | July 9, 2007 7:56 PM

What's with the gibberish?

Posted by: WTF | July 13, 2007 10:36 AM


©  The Washington Post Company