Monday, May 05, 2008

MySpace Hosting MySpace Phishing Profiles

The ongoing arms race between phishers and social networking sites, is a great example of how malicious parties continue to be a step ahead of the reactive response of those and many other web properties. The majority of phishing emails usually take advantage of typosquatting, or sub-domaining to the point where the URL is perfectly mimicking the only property's web application structure. There are however, these exceptions adapting to current security practices in place, and abusing them.

The large scale myspace phishing attack that I assessed in November, 2007, was particularly interesting to discuss because of its internal spamming structure - a social networking account that's already been phished is used to disseminate the phishing urls to all of its friends, collecting accounting data and serving malware.

The phishing tactic that I'll assess in this post, demonstrates the adaptability of phishers whose efforts to adapt to MySpace's current security practices in place, have greatly improved their chances for tricking a large number of visitors. How come? They are not using the natural as usual, but are actually using authentic MySpace phishing profiles, hosted at

Key summary points :

- phishers are generating phishing profiles making it look like the visitor hasn't authenticated herself to view a profile, and pushing the fake login form in front of the fake profile
- the phishing profiles are hosted at
- ignoring the profile's original layout, the fake login windows is pushed upon visiting a phishing profile in front of the profile
- from a social engineering perspective, given that the "action" is happening at, from spamming the phishing profile, to more users getting tricked given its not a secondary domain, that's an example of social engineering going beyond the average typosquatting
- upon logging in reasonably thinking the user is at, the accounting data is forwarded to a phishing host located on a free web space provider

Let's demonstrate the technique by assessing a currently active phishing profile - which you can also see in the screenshot above. Once the accounting data gets submitted to the profile hosted at, it redirects the output to, where a Google Analytics with id "UA-3234554-2" collects metrics for the campaign, then its forwards to MySpace's main page.

A phishing campaign that's spamming millions of users with wouldn't really last online long enough for someone to fall victim into the scam. But when phishers shift the tactic from phishing pages relying on typo/cybersquatting to phishing profiles and start spamming with, success rate is prone to sky rocket.

Related posts:
Phishing Metamorphosis in 2007 - Trends and Developments
Web Site Defacement Groups Going Phishing
Phishing Tactics Evolving
Phishing Emails Generating Botnet Scaling
Phishers, Spammers, and Malware Authors Clearly Consolidating
Phishing Pages for Every Bank are a Commodity
RBN's Phishing Activities
Inside a Botnet's Phishing Activities
Large Scale MySpace Phishing Attack
Update on the MySpace Phishing Campaign
MySpace Phishers Now Targeting Facebook
DIY Phishing Kits
DIY Phishing Kit Goes 2.0
PayPal and Ebay Phishing Domains
Average Online Time for Phishing Sites
The Phishing Ecosystem
Assessing a Rock Phish Campaign
Taking Down Phishing Sites - A Business Model?
Take this Malicious Site Down - Processing Order..
209 Host Locked
209.1 Host Locked
66.1 Host Locked
Confirm Your Gullibility
Phishers, Spammers and Malware Authors Clearly Consolidating
The Economics of Phishing