A fairly imaginative phishing attack was live on the MySpace.com site for a few hours on the morning of Friday, October 27, 2006. The attack was interesting not so much because of its technical prowess, but because the attackers were so creative. The attack was initially reported by Netcraft, who discovered it when one of their customers encountered the page.
The attackers were able to create a login page located at http://www.myspace.com/login_home_index_html, which solicited the visiting user’s MySpace username and password. When entered, these values would go to a server operated out of France.
How did the attackers manage to pull this off? They tossed the wealth of complex phishing techniques aside and did something that was remarkably simple and yet clever. Like millions before them, they just went to MySpace.com and registered an account. When asked what user ID to pick for their account, they simply gave “login_home_index_html” as the login name to use. Now, the page hosted at “http://www.myspace.com/login_home_index_html” automatically became their login page.
I’ve spent a considerable amount of time studying phishing attacks and there are a few which really stand out. This attack is one of them. What makes this attack so remarkable was that the attackers did not have to be familiar with the bevy of tricks one might use to make a site look believable. They didn’t exploit a browser vulnerability, they didn’t hack into a Web server to host the page, and they didn’t compromise the domain name system (DNS). They just exercised their imagination and came up with a very simple phishing site that does the trick. Einstein was definitely on to something when he said “Imagination is more important than knowledge.”
To MySpace’s credit, the site did get taken down within hours after it was first reported. This attack differs somewhat from your typical phishing attack. Here, phishers were hosting a legitimately created page claiming to be a MySpace login page on the MySpace site itself. They could instantly take advantage of the fact that the MySpace name would be displayed prominently on the browser’s address bar. That alone would make the site seem that much more believable. The phishers did not have to go out of their way to achieve the right look and feel – that was just there by default.
MySpace and a number of similar sites rely on their users to provide content. One lesson to be learned is that any user-supplied value a site puts to use has to be appropriately vetted; here, a user-chosen username became a URL path under the site’s own domain. This vetting especially applies to content that will get reflected back to users somehow. The same principle underlies cross-site scripting attacks (which I blogged about in the past).
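As an added illustration of that vetting step (my own example, not MySpace’s code), the check below rejects a requested username that would collide with or impersonate a site page once it becomes a path under the site root. The reserved and file-like token lists are constructed assumptions; a real site would derive them from its own route table.

```python
import re

# Constructed list of site words that must not appear in a user-chosen name
# (assumption: the real site's reserved list is not known from the post).
RESERVED_TOKENS = {
    "login", "logout", "signin", "signup", "register", "account", "password",
    "home", "index", "admin", "secure", "verify", "help", "support",
}

# Tokens that make a name read like a file or script when joined by
# '_', '-' or '.', e.g. "index_html" or "profile.php".
FILE_LIKE_TOKENS = {"html", "htm", "php", "asp", "aspx", "jsp", "cgi"}

# Lower-case alphanumerics plus '_', '.', '-'; 3 to 32 characters.
NAME_RE = re.compile(r"^[a-z0-9][a-z0-9_.-]{2,31}$")


def validate_vanity_name(name, existing_routes=frozenset()):
    """Return (ok, reason) for a requested vanity name.

    The name will be served at http://<site>/<name>, so it is checked
    against real routes, reserved site words and file-name look-alikes.
    """
    lowered = name.strip().lower()
    if not NAME_RE.match(lowered):
        return False, "invalid characters or length"
    if lowered in existing_routes:
        return False, "collides with a site route"
    # Split on the separators a user can type to build a path-like name.
    tokens = [t for t in re.split(r"[_.-]+", lowered) if t]
    if any(t in RESERVED_TOKENS for t in tokens):
        return False, "contains a reserved site word"
    if any(t in FILE_LIKE_TOKENS for t in tokens):
        return False, "looks like a file name"
    return True, "ok"


if __name__ == "__main__":
    # The name used in the October 2006 attack, plus an ordinary one.
    for candidate in ("login_home_index_html", "tom_anderson"):
        print(candidate, "->", validate_vanity_name(candidate))
```

Serving user pages under a dedicated prefix such as /profile/<name> removes the collision entirely; the check above is the fallback when the site root must stay user-addressable.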
One question to consider is why someone would be interested in gathering the usernames and passwords of MySpace users. There are a couple of reasons. First, some users who surf on MySpace are more likely to let their guard down when looking at their friends’ pages. Consequently, a compromised MySpace page could successfully lead an unsuspecting victim to malicious software like a keystroke logger. Second, users may use the same login ID and password for multiple accounts. Therefore, if an attacker has a user’s MySpace credentials, he or she may be able to use them in other places, like banks or credit card sites.
Overall, this phishing attack caught my attention not because of its technical sophistication, but because the attackers were imaginative. Just as attackers are getting more creative in designing their sites, we must also get more creative in how we detect and defend against them.
A Washington Post article that articulates why phishers are interested in social networking sites like MySpace: http://www.washingtonpost.com/wp-dyn/content/article/2006/07/15/AR2006071500119.html
A previous blog I wrote on phishing and cross-site scripting: http://www.symantec.com/enterprise/security_response/weblog/2006/07/phishing_and_crosssite_scripti.html