Phishers have made a new attempt to use MySpace.com accounts to trick users. British web analysis firm Netcraft has reported that a MySpace user was emailing potential victims inviting them to visit a fraudulent log-in page, where they were asked to enter their email address and password. That information was then sent to a server located in France, according to Netcraft.
The attack, which was quickly shut down by MySpace, took advantage of the way MySpace organises URLs in order to give the fake log-in page a believable web address, something that could confuse even security-conscious users, according to Netcraft analyst Rich Miller.
The attacker had registered a MySpace account named login_home_index_html, meaning that the MySpace page hosting the fake login, looked like a legitimate place where users would sign on to the service: http://myspace.com/login_home_index_html
Users visiting the page would see a legitimate MySpace URL but would not necessarily realise that it was, in fact, a MySpace user page that had been configured to trick them into entering their passwords and e-mail addresses.
This type of attack is not unprecedented, but it does show, "one more interesting way that phishers are trying to trick people out of their account details," Miller said.
Typically, sites like MySpace have a database of user names that are off-limits, in order to prevent this type of attack, Miller said. "What this kind of attack suggests is that sites have to expand that list."
A spokesman for News Corp, the owner of MySpace, said that users who are unsure about whether they're at the right log-in page should go to the main main MySpace address.
This is the second reported attack on MySpace. In June, MySpace thwarted a similar attempt to harvest information from its users.
Original reporting by IDG news service