Monday, March 5, 2007

Hijacked Myspace page could mean trouble for everyone

Tech Expert Bonus Post

It might not be a jumbo jet, but a hijacked Myspace page can open the door to many problems -- identity theft, stolen data, or an inbox full of spam. It can affect not only the owner of the hijacked Myspace page -- but anyone who visits the page.

Since I get asked this question quite a bit -- I figured I'd post (if anything so I can point users here rather than re-typing the story... lazy? yup!).

Background
Typically the Myspace hijack is introduced when a page owner decides to pimp their profile out with one of the many "free layouts" abundant on the web. Installing this code on your page can introduce trojan-like code that results in visitors to the page being phished for their Myspace login. Here's how...

Threat Details
While browsing Myspace (or a similar site), an unsuspecting user / victim clicks a link appearing to be from a Myspace "friend" (often this link is to "Send Message" or "Add as a Friend"). (See screenshot with this post, personal information hidden to protect the innocent.) The link you click then prompts you with a "you must be logged in to do that" page... and without too much thought ("oh, Myspace must've logged me out or something, right?"), and without checking the URL (i.e. looking for "login.myspace.com"), you've actually provided your Myspace login information to the bad guys (who then cleverly redirect you to the content you originally requested / your Myspace home / someplace else that seems logical and doesn't raise your suspicion). The bad guys can now post bulletins / messages as YOU and spread the illegitimate login link to other victims... but wait, there's more...
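The one check the post relies on is "look at the URL before you type your login". Here is that check written out as code, as an added example that is not part of the original post: it parses a link the way the browser does and accepts it only if the hostname is exactly one of the trusted login hosts and the page is served over HTTPS. The trusted-host list (`login.myspace.com` is from the post; the bare `myspace.com` is an assumption) and the sample links are constructed for the example and point at no real servers.

```javascript
// Added example (not from the original post): decide whether a login link
// really points at the legitimate login host before credentials are typed in.
// Both Node.js and modern browsers provide the WHATWG URL class used here.

// Hostnames we are willing to type a Myspace password into. The post names
// "login.myspace.com"; the bare domain is included as an assumption.
const TRUSTED_LOGIN_HOSTS = ["login.myspace.com", "myspace.com"];

function isTrustedLoginUrl(href, trustedHosts = TRUSTED_LOGIN_HOSTS) {
  let url;
  try {
    url = new URL(href);
  } catch (e) {
    return false; // not a parseable absolute URL: treat as untrusted
  }
  // Credentials should only travel over HTTPS.
  if (url.protocol !== "https:") return false;
  // Exact hostname match. A substring or prefix test would wrongly accept
  // "login.myspace.com.example.net", and a look at the raw string would be
  // fooled by a trusted name placed in the path or in the userinfo part.
  const host = url.hostname.toLowerCase();
  return trustedHosts.includes(host);
}

// Constructed sample links of the kind a user might land on after clicking
// "Send Message" or "Add as a Friend". None of these are real pages.
const SAMPLE_LINKS = [
  "https://login.myspace.com/index.cfm?fuseaction=login", // genuine host
  "https://login.myspace.com.example.net/login",          // trusted name as a prefix
  "https://example.net/login.myspace.com/",               // trusted name in the path
  "http://login.myspace.com/",                            // right host, no TLS
  "https://myspace.com@example.net/",                     // trusted name as userinfo
  "not a url",                                            // unparseable
];

// Label each sample link so the difference is visible at a glance.
function classifyLinks(links) {
  return links.map((href) => ({ href, trusted: isTrustedLoginUrl(href) }));
}

for (const { href, trusted } of classifyLinks(SAMPLE_LINKS)) {
  console.log(`${trusted ? "TRUSTED  " : "UNTRUSTED"} ${href}`);
}
```

Only the first sample link passes. The others each carry the trusted name somewhere in the string, which is exactly why reading the address bar casually is not enough: the browser's own parse of the hostname is what has to be compared, and it has to be compared whole.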

Now where this gets *really* bad is when you've used the same password in myspace as you have for your email account.

Let's say your Myspace login is your email address (myspace@yourdomain.com) and a password (hijackvictim). If you, like many other users, have set your myspace password to be the same as your email password... I (representing evil-doers everywhere) can now log into your email account. Muhahaha....

And, as I'm sure you know, once I've got access to your email address... I can use the "forgot my password" link for a variety of sites -- obtaining access to bank accounts, eBay, etc. etc... (Click this link [mp3] for my 12 Feb 2007 report for Newsradio 750 KXL on identity theft.)

Recommendation
My suggestion: Change your Myspace password immediately to something VERY DIFFERENT from anything else associated with that email address. Then change every other login that shares that old password to something new and unique as well -- do it now.

While not foolproof, some users pick a default password ("D0n't@sk!") and change it slightly for every site... say, "D0n't@sk!a" for myspace.com since "a" is the first vowel... something you can remember, but that keeps your passwords unique... it's a start. (For more on good password techniques, listen to my report from 19 Feb 2007 here [mp3].)


Quick Tips:
  1. Change your Myspace password to something unique (even if you don't think you've been hijacked, change it now!)
  2. Don't use the same password for Myspace as you do for email, bank accounts, etc. (this is good advice in general, but especially for sites like Myspace)
  3. If in doubt, don't follow the link: open a new browser window and go to the site you're trying to view directly.
  4. Just because it *looks like* Myspace (or your bank's site, etc.) -- doesn't mean it is!
  5. Avoid clicking links in emails or online messages from strangers (and even when you know the sender, do so with caution!)


For more on this story, visit: