Note to MySpace Users: Get Better Passwords
An active scam Web site designed to look like the login page for social-networking site MySpace.com appears to have stolen user names and passwords from nearly 60,000 people, according to data in a file that was linked to today from a popular security mailing list.
The phishing site, which is most likely being advertised via blasts of junk e-mail, looks identical to the real MySpace.com login page. A separate text file located on the scam site's Web server includes page after page of user names (in this case, e-mail addresses) and passwords, offering a rare insight into just how successful phishing scams can be for fraudsters.
Granted, some of the "phished" user names and passwords show that a few would-be victims were wise to the scam, including "email@example.com:yoyoyomomma" and "firstname.lastname@example.org:golayintraffic," and "Screwyouphishers:hahascrewyou," to name some of the more "polite" entries. Still, the entries that are junk or obviously fake are far outnumbered by the login credentials that appear to have come from actual victims.
Finding these kinds of data caches can be quite useful for security research. It's very easy to conduct some analysis of password strength and complexity using some simple Unix command-line tools. For instance, while there are 57,406 sets of account credentials in the entire list at the time of this writing, only 37,621 of them contained unique passwords.
The obvious explanation for that incongruity is the correct one in this case: Many people use the same passwords. The top 20 passwords used by phishing victims in this list are:
(The number in parentheses represents the number of victims who used the listed password.)
It should go without saying that if you recognize your password in any of those listed above, you need to come up with a better one. Anyway, for all the apparent simpleness of the average MySpace phishing victim's passwords, they are -- at least for the most part -- fairly long passwords. Nearly 13,000 of them contained at least eight characters; and 12,762 passwords were nine characters in length. Eighty-three percent or -- 47,854 victims, included at least one number in their password.
These results closely mirror those done in a similar analysis last year by encryption and security expert Bruce Schneier. He based his analysis on a subset of approximately 34,000 MySpace user passwords stolen by the Apple QuickTime/MySpace worm in December (MySpace officials estimate that about 100,000 users may have been affected by that attack in all).
So why would someone bother to steal MySpace user names and passwords? For one, the attackers could simply use the hijacked accounts to blast out spam, as they did with the accounts stolen with the help of last month's MySpace worm.
Also, far too many people use the same password at multiple sites. Chances are very good that for every five individuals who have entered a Hotmail.com address as their Myspace user name in this list, there is one individual who uses the same password for both accounts. That's dangerous because people register all kinds of other services to free e-mail accounts (think Amazon.com, eBay, PayPal, Skype, etc.). Once crooks have access to those e-mail accounts, they can often easily reset the passwords of any e-commerce service that a victim has registered to that address.
It's very likely that most of victims in the MySpace data analyzed above weren't using free anti-phishing tools, or they fell for this scam before those tools had a chance to black list this site as scammy. When I checked today, Microsoft's Internet Explorer 7 and Mozilla's Firefox browsers flagged the bogus Myspace login page as a phishing site, as did Netcraft's anti-phishing toolbar.
January 15, 2007; 12:45 PM ET
Categories: From the Bunker , Latest Warnings , Safety Tips
Save & Share: Previous: New E-Commerce Identity Tag Makes Online Debut
Next: Do Away With HTML Based E-mail
The comments to this entry are closed.