MySpace is known for it’s ability to let it’s users edit their profiles to look how they want with CSS and HTML. Today I walked right into a phishing attack and if I didn’t get looped on the login and actually think to check the source my MySpace would be open to a phishing attack.
The way it works is a phisher changes someones profile to look like a Myspace login page. From here your email address is already filled in on the email box which will be got from the cookie MySpace saves if you ask it to remember you. As the cookie is designed to work on the MySpace website it allows this information to be passed into this input field. You then enter your password into what looks like a 100% authentic MySpace login page with a MySpace URL.
When you submit your login it diverts to a PHP script hosted on another website which then relocates you back to the login page again. When I did this the first 3 times I just thought MySpace was just doing it’s usual and not working. But I then thought it was a little fishy and viewed the source.
Heres where I found the flaws the images are hosted on ImageShack and PhotoBucket and I then found the action for the login form which was a website which is nothing to do with MySpace. From here I went into my account settings and changed my password and hopefully won’t get stung.
This is a new level of phishing it even caught me out. We can’t even trust our friends with the way the internet is today.