Reports today indicate that a MySpace user was e-mailing potential victims inviting them to visit a fraudulent log-in page, where they were asked to enter their e-mail address and password. That information was then sent to a server located in France, according to Netcraft, a Web analysis firm that reported the problem.
The attack, which was shut down by MySpace around 10 a.m. Pacific this morning took advantage of the way MySpace organizes URLs in order to give the fake log-in page a believable Web address, something that could confuse even security-conscious users, according to Netcraft analyst Rich Miller.
Fake Login Page
The attacker had registered a MySpace account named login_home_index_html, meaning that the MySpace page hosting the fake login, looked like a legitimate place where users would sign on to the service.
Users visitng the page would see a legitimate MySpace URL but would not necessarily realize that it was, in fact, a MySpace user page that had been configured to trick them into entering their passwords and e-mail addresses.
This type of attack is not unprecedented, but it does show, "one more interesting way that phishers are trying to trick people out of their account details," Miller said.
Typically, sites like MySpace have a database of user names that are off-limits, in order to prevent this type of attack, Miller said. "What this kind of attack suggests is that sites have to expand that list."
MySpace is owned by News Corp. A News Corp. spokeswoman said that users who are unsure about whether they're at the right log-in page should go to the main address.