web application security lab

MySpace Anti-Phishing Techniques Need Work

I was anonymously sent this link to an article talking about MySpace phishing attacks. The article talks about the newest phishing scam, which essentially just puts username and password fields on users’ profiles, asking for their information. Same old attack, just another day. But this is the part of the article that is actually noteworthy. The MySpace CSO, Hemanshu Nigam, suggests the following will protect you from phishing attacks on their site:

But MySpace’s Nigam offers this advice to prevent phishing scams as well:

* Install the latest operating system and auto-install for critical updates.

* Use a firewall.

* Use anti-virus and anti-spyware software and keep them updated.

Does anyone else see a problem with this? Absolutely none of these will protect you from MySpace phishing attacks. So the CSO of MySpace either doesn’t understand the problem he faces, or he has no idea how to help consumers solve that problem. Either way, it’s scary. There are possible solutions to the problem in the browsers, but those are a long way off. I’ll be talking about a number of them this week at the World OWASP/WASC conference in San Jose. In the meantime, ignore the advice of MySpace’s CSO. His advice may help you solve other security issues, but not MySpace phishing attacks, unfortunately.

14 Responses to “MySpace Anti-Phishing Techniques Need Work”

  1. kuza55 Says:

    While your comments about MySpace’s CSO are spot on, I think you misinterpreted the article a bit -> the forms aren’t on MySpace, they are on another site. I say this because, while it’s not completely clear from the article, last time I looked at what MySpace was doing (like 6 months ago) they were stripping input="password" (and all variations of that that I could come up with) due to the automatic form filling issues.

    I checked just now, and they’re still stripping it, so it’s probably off-site.

    Which would actually reinforce your comments about MySpace’s CSO since he could have said something as simple as make sure you are on myspace before entering your details.

    On a somewhat related note, I think the practice of embedding login forms directly on the page if a user isn’t logged in should be stopped, since it’s much easier to trick users who aren’t used to having a single login page with a very simple and memorable URL (e.g. site.com/login.php), since seeing a login form on a different URL would not raise their suspicions (or maybe it wouldn’t either way, who knows, but it’s definitely easier to determine IMO).

  2. RSnake Says:

    Hm, I didn’t read it that way, but now that I re-read it I can see why you’d say that. However, at least in some way it did originate on MySpace. If the user is taken off of MySpace, there is some small possibility the IE and Firefox anti-phishing filters can catch them, but really, that’s not the right protection to rely on, except in last-resort scenarios.

  3. kuza55 Says:

    Yeah, it does originate on MySpace, but other than telling users to check the URL, I’m not quite sure what we can tell users (that is actually feasible for most users to do), since there’s really no other mechanism we provide for authenticating login forms.

    Hmmm, just throwing an idea out there, but how about having sites sign the pages which they have login forms on, and then have the browsers check the signature, and integrate it with the browser’s password manager so that it doesn’t fill in forms which aren’t signed? Would that be overkill? Would it even be effective considering that users can still fill in their own credentials into a phishing page assuming their browser just isn’t working?

    Maybe we need to simply not give users their own credentials, and store them in an extension or something instead so that they can’t give them away?

  4. ciri Says:

    Funny that you mention it, I just received a phishing attempt. I’ll leave it there for a second: http://myspace.com/_ciri/ (check the latest post). I almost fell for that one myself btw.

    Maybe MySpace could just ban any link referring to a domain with the term ‘myspace’ before its TLD. Makes it a bit easier for the user to discover the phishing attempt. I don’t really see a real solution vs phishing attempts except for good old user awareness.

  5. Charafantah Says:

    Most of the users on a site like MySpace have security as the last thing in mind. I think MySpace’s CSO is trying another “we are safe, we have a firewall”.

    But user education on this topic is difficult, and the majority of implementations that try to prevent that will directly affect the usability, which is something social networking sites wouldn’t like.

    I think browsers’ anti-phishing, and some kind of help on the site for the user to make sure he is ACTUALLY on the site he needs to log in to, notifying the user not to RE-use the password while creating an account, and defining the ways of communication and password handling between the user and the site, would help a lot in reducing phishing incidents (though not completely blocking them).

  6. Apnovi Says:

    I have always thought a browser should never automatically fill forms or submit credentials; it’s a terrible idea. Opera luckily has to be told to submit your username and password.

    Mostly the problem with phishing comes down to the lack of understanding and education of users. Basically users need to get away from the mentality of filling in every form that asks them for a username and password. Unfortunately this seems hard for them to grasp!

  7. Awesome AnDrEw Says:

    You are correct, rsnake. Either Mr. Nigam doesn’t understand how to solve these issues, or he’s attempting to save face in the eyes of those who may actually use MySpace and their affiliated services. The real issue is how easily those MySpace links are formatted (if I remember correctly it’s simply "01" and then the URL encoded with Base64), the fact that MySpace allows users to post things such as DIV layers in comments, and that people do not seem to realize “profile.myspace.com.fuseaction.viewprofile.hostname.cn/*” is not an official MySpace link.
    Being that my girlfriend does indeed use their services, and knows what to look out for, I asked her to send me the link to the latest phishing scam. It was hosted on a Chinese web server, was simply a copy of the login page from MySpace with the “You must be logged in to do that!” message, logged the user input to some type of flat file, and then echoed it out into a form that was then submitted with JavaScript to log the user into their actual account. It also attempted to load a number of Trojan droppers onto my computer, which also seems to get a lot of users who haven’t the slightest clue as to what the files appearing (if any) are.
    Considering the fact that a certain group (;)) of individuals managed to phish over 70,000 legitimate MySpace accounts (which led to a very large compromise of PayPal, Gmail, Yahoo, and other accounts) in a very short period, and an insider claimed that there was supposed to be a global password reset several weeks ago, you would think they’d straighten their services up.
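    The lookalike hostname quoted in the comment above and ciri’s suggestion of flagging links whose domain merely contains “myspace” both reduce to one check: is the link’s registrable domain really myspace.com? Here is that check as an added example (my code, not MySpace’s or any commenter’s); the public-suffix table is a small hand-written stand-in for the real Public Suffix List, and the sample comment is constructed.

```python
import re
from urllib.parse import urlsplit

TRUSTED_DOMAIN = "myspace.com"  # the only registrable domain a login form may live on
BRAND = "myspace"

# Assumption: a tiny stand-in for the Public Suffix List. Under these suffixes
# the registrable domain is three labels long, e.g. myspace.com.cn.
MULTI_LABEL_SUFFIXES = {"com.cn", "co.uk", "com.au", "co.jp"}

URL_RE = re.compile(r"https?://[^\s\"'<>]+")


def registrable_domain(host: str) -> str:
    """Return the registrable domain (eTLD+1) of a hostname, lower-cased."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def classify_link(url: str) -> str:
    """Classify a posted link as 'trusted', 'lookalike', 'external' or 'invalid'.

    'lookalike' means the brand appears in the authority part (a subdomain,
    a wrong TLD, or a user@ prefix) while the registrable domain is not the
    trusted one: the pattern of profile.myspace.com.<...>.hostname.cn above.
    """
    parts = urlsplit(url)
    host = parts.hostname  # already lower-cased; excludes user:pass@ and :port
    if not host or "." not in host:
        return "invalid"
    if registrable_domain(host) == TRUSTED_DOMAIN:
        return "trusted"
    # Check the whole netloc so http://myspace.com@203.0.113.5/ is caught too.
    if BRAND in parts.netloc.lower():
        return "lookalike"
    return "external"


def scan_links(text: str) -> dict:
    """Map every URL found in a comment or profile to its classification."""
    return {url: classify_link(url) for url in URL_RE.findall(text)}


# Constructed sample comment, not a real post.
SAMPLE_COMMENT = ("new pics at http://myspace.com/_ciri/ and log in here: "
                  "http://profile.myspace.com.fuseaction.viewprofile.hostname.cn/ ")

if __name__ == "__main__":
    for url, verdict in scan_links(SAMPLE_COMMENT).items():
        print(f"{verdict:9} {url}")
```

    Only the authority part is inspected, so a brand name in the path (http://example.com/myspace) is rated “external”, not “lookalike”.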

  8. call to islam Says:

    I think they have no idea how to help consumers solve that problem.

    Nice post ;)

  9. RSnake Says:

    From anonymous:

    And his qualifications for this position?

    Trial attorney.

  10. Ix Says:

    Not one who uses MySpace, but do they at least use some secure login method? Or is it just a plain HTML form anyone can copy without tipping off the end users who are at least security-minded enough to look for the https in the URL or the lock at the bottom of their browser?

    It should at least be a bit harder to set up a phishing scam with signed login pages and a user base that’s been educated to look for https or the lock.

  11. hackathology Says:

    I can’t believe a CSO is giving such solutions. How did he become a CSO????? I always have doubts about higher-management-level people: how did they climb so high up the ladder when their knowledge is just so-so?????

  12. John Says:

    Well…being a MySpace user for about a year or so, I searched for ways to keep from being phished (I only was phished once, thus I only had to change my password once).

    My advice: Check any friend requests you get. If, when you roll over the profiles, you find anything suspicious, check the status bar. For most of the requests I get, I check the profiles and then check the status bar. If it’s anything other than what I’d find on a normal MySpace profile, I deny that person. (Most Music profiles are legit, that’s for sure.)

    And…I also delete any profiles/comments containing webcam links/videos.

  13. bored at school Says:

    I can proudly say I’ve never been phished even though I’ve encountered hundreds of attempts. Common sense is my best weapon, but #2 is the fact that I quit going to the myspace.com site.

    Really when are people going to get over this? It has ruined lives…. Multiple lives…. Multiple Families. Nothing good can come out of myspace on the users end. (Webmaster’s perspective is quite different)

  14. metacym Says:

    I have been a MySpace user since 2005, mostly for the forums, which breed a phishing culture of their own.

    I have been subjected to plenty of phish attempts, and have never fallen victim to one. Upon finding one, I immediately turn them in to the MySpace admin, although I have never once heard back from them. I assume they can’t really combat the problem other than by deleting individual accounts. What could possibly be done to scam artists residing in China?! …doubtfully anything.

    I have been witness to a full lawsuit being sent to Cincinnati Bell communications, in regards to an ongoing stalker in the MySpace forums who would ICMP-flood the forums with gore/gay/scat porn. Stalking individual users, constant trolling, personal threats, profile hijacking, etc.

    Not surprisingly, nothing ever happened from that. Not from MySpace, not from C/Bell. Nothing.

    I believe as long as there are average social networking site users, phishing scammers will just coexist with them.

    However, I have wondered how the current breed of phishing scammers manage to keep the same old attacks going amongst anti-JavaScript filters.