In the last 24 hours there has been a sudden surge in the amount of spam being sent and received by MySpace users, suggesting that the site has fallen prey to a security exploit that grants spammers access to accounts. Many users are logging in to find that they’ve commented on their friends’ status updates with spammy messages inviting them to “make $$ this summer”. We’ve reached out to MySpace to ensure that they are aware of the issue.
Some MySpacers are speculating on the site’s forums that the hack is tied to phishing links in status updates, which seems to be in line with the reports we’ve seen of literally hundreds of identical spam status updates to certain band profiles (see the screenshot below).
Update: We’ve learned that this is in fact the case — MySpace users are falling prey to a phishing attack through links in status updates that invite them to re-enter their login information, which is then used to spam their accounts. MySpace expects to have a fix for this out later today that will remove all of these links.
Phishing attacks are notoriously difficult for social networks to defend against, as they rely on tricking users into handing over their account info rather than breaking through a site’s security measures. Facebook has also been hit by a number of similar attacks.
During our interview with Hacker Croll regarding the recent Twitter break-in, he revealed that there is at least one security hole in MySpace that is well known in the hacker/cracker community that grants access to MySpace accounts. Unfortunately he was unwilling to share the exploit, but we warned MySpace about it late last week. It is unclear if this attack is related. The phishing attack is probably unrelated, which likely means there are still outstanding exploits.
This is only the latest in a long string of recent security attacks against major web services. Last week Twitter fell prey to a massive security breach revealing internal documents, while developer-outsourcing site Elance got hit by a hack as well that compromised some user data.
Thanks to Aaron Parker for the tip.

There was a lot of spam on a few of our MySpace pages from crap like this
I think MySpace is probably the easiest social networking site to hack. It happened to me twice already. I deleted my profile and now I don’t use it anymore. I don’t know what’s going on with MySpace lately. It’s just going downhill. Their security sucks, Facebook already overtook them, they fired their employees.
My Conclusion – MySpace is a sinking ship.
dude, you didn’t get hacked, you got phished – learn to pay attention.
Either way I, like many others, got screwed at MySpace. Whether it was being hacked or being phished. Bottom line is MySpace sucks and it’s doomed to fail unless it gets its shit together on time. You should pay attention too because I am not a dude.
i like your reply
Thanks sachabadshah.
Sure, but by not acknowledging the fundamental difference between hacking/cracking and phishing, you are leaving yourself open to it happening again outside of MySpace. I’m not trying to be a jerk, but you are the security hole here and you screwed yourself. There is nothing MySpace can do to prevent you from giving your password away.
All of the social network sites’ user accounts are getting hacked and phished. This isn’t a problem exclusive to MySpace; it’s a general security issue across the board. But at the end of the day, EH is right…in this particular instance, you created the security nightmare for yourself.
To EH & Dave, if MySpace fails to secure the data of its users then it’s completely MySpace’s fault. You two guys work for MySpace or something? I just closed my account. End of story. No account no risk.
Janet, MySpace does all that it can to keep its users from falling prey to this type of scheme. Ultimately, it was you that put your password into the wrong site, and the simple fact is that all major web services are susceptible to this type of social engineering attack. The onus is upon you to keep your data protected, it was not a native hack on MySpace’s system.
no, i don’t work for myspace and i think it’s awesome that you deleted your account. however, you still have other passwords that are in danger of being revealed if the wrong person/site gains your confidence.
For your info Shane, I have a lot of profiles on different social media networks but I never had such problem because they do a better job in protecting their users than MySpace. Facebook is way better than MySpace when it comes to security. Facebook won’t even let you add more than a certain amount of people as friends to stop spam. While in comparison, MySpace doesn’t do shit for the safety of its users. There are so many people who have fake profiles linked to porn sites with webcam girls saying Click Here to chat with me live, watch me strip for you, blah blah… and they haven’t done anything about it. Most people have so much shit on their profile like millions of pictures, ghetto ass songs, ugly backgrounds etc that it doesn’t even load at times. Good riddance, MySpace. Good Bye for Good. I’m Happy I got rid of you and I’m never ever coming back.
next up is Twitter Spam,
did you see the latest “Retweet” button on each of the posts?
retweet is another digg in disguise.
Proposed Retweet/digg tagline: “Tweet it for the very first time again.”
EH great tagline!
Spam on myspace?
Nothing new.
Which is pretty pathetic on MySpace’s part.
Facebook has barely any spam, as far as I’ve seen.
True, which is the reason most members moved away from MySpace!
If you don’t count all the lame and extremely irritating invitations/quizzes/apps/pokes/etc. you get on FB, then yeah less spam. However, one thing that TC and so many forget is MySpace was responsible for helping the FBI apprehend the top two spammers in the world who were generating almost all the spam people were receiving. My inbox on MySpace has seen about a 95% decrease in message spam since.
Yikes. It’s time for the industry to get their security act together.
On a related note I think TC should run an “in the know” feature called Hacker Confidential. I miss the Twitter Confidential posts.
what is this industry that is going to protect people from social engineering?
aww how cute techcrunch is posting info on 0day’s
“$$” seems php-like…just sayin
i think that this has BEEN happening and i think that is why so many people are fed up with myspace. i know i was and i deleted my account, or at least i think i did…
Great TC, you guys are doing best warning users about the threats they may face (Previously twitter mania and now myspace)
I knew there was a new hack in MySpace with the spam status comments I got over there. Just Another reason why MySpace users are cheatin on them with Facebook.
I heard about this when my friend told me about it. Bloody shame it is.
BTW – Did you know that Runescape got hacked as well. I know it is unrelated but when I was talking with a few of my friends who are runescape Finatics, I was informed about how recent it was.
(Hackers are getting better!)
> Hackers are getting better!
Or security is getting worse.
I had a client today ask me to create an email account for him, asking his password to be his last name. Come on…
“when I was talking with a few of my friends who are runescape Fanatics”…….
I haven’t used Myspace for over a year and only ever log in via the webpage. Which leads me to believe that this isn’t a phishing attack. The password I use for my myspace account is also unique… I only found out about my account being hacked after my friends emailed me.
Didn’t MySpace lose their head of security? I thought I had read something about that a month ago.
I blame Don! He used the candlestick and help from the Cook!
insider job !
Give me a break. These people got phished for christ sake. You need half a monkey’s brain to not get phished. They’re probably the same people that sent money to Nigeria.
Internet Explorer, Google Chrome, and all the various home desktop security mechanisms warn you when you’re about to get phished. IE and Chrome just about flag you down telling you to stop because you’re about to get phished! Only Firefox just lets you right on thru (and they say it’s the most secure browser lmao).
You practically have to suck your food out of a straw to make such a stupid mistake. Think about it they’re logged in and asked to log in again. They’ve been warned that they’re getting phished.
http://www.help.../innegeria.html
Having a myspace with over 15k friends, we can usually see the trend faster than anyone with the messages we get. Sad really because myspace was amazing for local/national acts to get word out about the music.
Get away from the password system and no one will get spammed or phished.
Refer to my comments on the Anatomy of Twitter Attack
It wasn’t a phishing attack, at least not on my account. I haven’t logged into MySpace for weeks. But this morning I got an e-mail from a friend commenting about my Status. I logged in this morning only to find my Status had been changed to some SPAM message. My friends comment about my status was there from 3AM this morning, so that means the status change had taken place before I got into work this morning.
My solution was simple though. I just closed my MySpace account. Problem solved
+1 with what Elroy said
this isn’t a phishing attack. MySpace is just calling it that to place blame on the users.