Phishers have found a way to use genuine MySpace.com accounts to trick users into revealing their account information.
On Friday, web analysis firm Netcraft reported that a MySpace user was emailing potential victims inviting them to visit a fraudulent log-in page, where they were asked to enter their email address and password. That information was then sent to a server located in France, according to Netcraft.
The attack, which was shut down by MySpace around 10am Pacific Time on Friday, took advantage of the way MySpace organises URLs (Uniform Resource Locators) in order to give the fake log-in page a believable address, something that could confuse even security-conscious users, according to Netcraft analyst Rich Miller.
The attacker had registered a MySpace account named login_home_index_html, meaning that the MySpace page hosting the fake login, looked like a legitimate place where users would sign on to the service: http://myspace.com/login_home_index_html.
Users visiting the page would see a legitimate MySpace URL but would not necessarily realise that it was, in fact, a MySpace user page that had been configured to trick them into entering their passwords and email addresses.
This type of attack is not unprecedented, but it does show "one more interesting way that phishers are trying to trick people out of their account details," Miller said.
Typically, sites like MySpace have a database of user names that are off-limits, in order to prevent this type of attack, Miller said. "What this kind of attack suggests is that sites have to expand that list."
MySpace is owned by News Corp. A News Corp spokeswoman said that users who are unsure about whether they're at the right log-in page should go to the main http://www.myspace.com address.