At the end of April, 2007, MySpace.com started 302 redirecting all links that were posted in comments on MySpace through a Web site at msplinks.com. I recently noticed a phishing attack on MySpace that easily bypassed the 302 redirects and linked directly to the target site.
I let MySpace know about the phishing incident, but I only received an automated reply thanking me for my warning:
We have received and reviewed your report of inappropriate content. This content has been removed.
We thank you for your support in helping to keep MySpace a safe and fun community!
I don’t think that MySpace really looked at the issue because the problem is still there. I did a little more investigating and this is how the attack is performed.
The attacker starts by getting someone’s password and then logs into the first victim’s MySpace account. Getting the first password is easy, as explained below.
Then the attacker posts comments in the profiles of the victim’s friends. Here is an example post—the profile image has been blocked out to protect the victim’s identity:
This image has a direct outbound link to the following URL, which looks like a MySpace video site until you look at the Chinese domain name at the end of the URL:
There is no 302 redirect through msplinks.com in that comment link. The average user would not read the entire URL, or even understand what it means if they actually did read it.
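To make the two points above concrete, here is an added example (not code from the original post or from MySpace) of the server-side check a site could run over posted comment HTML: it extracts every link, flags any that does not pass through the msplinks.com wrapper, and separately flags hosts that carry the MySpace name but end in a different registrable domain. The wrapper and trusted hostnames are assumptions taken from the post, and the sample comment is constructed using the reserved .invalid TLD.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

WRAPPER_HOST = "msplinks.com"        # host every comment link is supposed to pass through (assumed)
TRUSTED_DOMAINS = ("myspace.com",)   # registrable domains that are genuinely first-party (assumed)

def registrable_domain(host: str) -> str:
    """Last two labels of a hostname (adequate for .com/.cn style TLDs; not a full public-suffix check)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])

def classify_link(url: str) -> str:
    """Return 'wrapped', 'first-party', 'lookalike' or 'external' for one href."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    domain = registrable_domain(host)
    if domain == WRAPPER_HOST:
        return "wrapped"
    if domain in TRUSTED_DOMAINS:
        return "first-party"
    # Brand name anywhere in the netloc (including any userinfo) or path, but a different
    # registrable domain at the end: the shape of the fake "MySpace video" URL in the post.
    if "myspace" in parts.netloc.lower() or "myspace" in parts.path.lower():
        return "lookalike"
    return "external"

class HrefCollector(HTMLParser):
    """Collects every href from <a> tags in a fragment of comment HTML."""
    def __init__(self):
        super().__init__()
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self.hrefs.extend(v for k, v in attrs if k == "href" and v)

def unwrapped_links(comment_html: str) -> list:
    """(href, class) for each link that bypasses the redirect wrapper and should be rewritten or blocked."""
    collector = HrefCollector()
    collector.feed(comment_html)
    return [(h, classify_link(h)) for h in collector.hrefs if classify_link(h) != "wrapped"]

# Constructed sample comment (hostnames use the reserved .invalid TLD, not real sites).
SAMPLE_COMMENT = ('<a href="http://msplinks.com/abc123">ok</a>'
                  '<a href="http://vids.myspace.com.example-lookalike.invalid/video.php">watch</a>'
                  '<a href="http://shop.example.invalid/">gift card</a>')

if __name__ == "__main__":
    for href, kind in unwrapped_links(SAMPLE_COMMENT):
        print(f"{kind:11} {href}")
```

Run on the constructed comment it reports the lookalike video link and the bare external link, and stays silent on the properly wrapped one.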
Visiting that link takes you to the following page, which is a fake MySpace login page that presumably steals your password.
Once your password is stolen, the attacker can log in to your account and repeat the process. This attack is effective because the phishing page is sent to the victims by their friends.
The attacker then starts sending spam to victims’ friends from the victims’ accounts. I assume that leads to a higher conversion rate for their ringtones, porn, and free gift cards like this spam the attacker sent me from one of my friends’ accounts:
Here is a comment on a MySpace profile that has a direct link to http://macyscashkardz.com/ without a 302 redirect through msplinks.com:
Here is another comment that has a direct link to http://www.shopfreeatmacys.com/ without a 302 redirect through msplinks.com:
I’m not going to publish the code I saw that bypasses the 302 redirects through msplinks.com, but variations can be found online.
The redirect through msplinks.com is dangerous because it masks the destination of the links. Even without the msplinks.com redirect this phishing attack shows that MySpace is still a very dangerous Web site, especially for the less computer-savvy.
Hopefully someone from MySpace will read this and fix the problem (if there is any fix for a site as chaotic as MySpace.com).
UPDATE: I just saw that MySpace itself is running these “Macy’s Gift Card” ads also. Here is a screenshot of the official MySpace version: