Phishing website collected 57,000 logins from MySpace users
Around 57,000 sets of login data for the social networking website MySpace.com are stored in a publicly accessible phishing file from a faked website. A large number of MySpace users have clearly been caught out by an imitation website which looked like MySpace.com - the link to the site was sent via phishing e-mails. Many of the victims are clearly not using anti-phishing toolbars - the anti-phishing systems in Firefox 2 and Internet Explorer 7, as well as the Netcraft toolbar, all recognised the website as a fake. The website has since been removed from the web.
On being made aware of the data by a posting on the security mailing list Full Disclosure, security specialists took the opportunity to analyse the passwords. Brian Krebs of the Washington Post has produced a list of the top 20 most popular passwords:
(* indicates letters censored by Krebs)
Some of the user names and passwords suggest that visitors to the faked site were well aware of where they had ended up:
youmustbecompleteretards at idiot.com:doyouhonestlythinkiwillputmyrealpasswordhere
According to Krebs, just 37,621 of the 57,406 data records contained unique passwords. Nonetheless, almost 13,000 passwords were at least 8 characters long, and almost the same number were nine characters in length. 47,854 of the passwords even contained at least one number. According to Krebs, the results confirm an analysis undertaken by Bruce Schneier following the MySpace worm attack, which stole 34,000 sets of login data from users.
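As an added illustration (not code from the article or from Krebs's analysis), the following Python script computes the same kind of figures over a credential file in the login:password format the dump used; the sample records, names and function names are constructed for this example.

```python
import re
from collections import Counter

# Constructed sample in the "login:password" layout of the leaked file.
# These are invented records, not entries from the real dump.
SAMPLE_DUMP = """\
alice at example.com:password1
bob at example.com:password1
carol at example.com:Summer2006
dave at example.com:qwerty
erin at example.com:abc123
frank at example.com:fluffy
grace at example.com:myspace1
"""


def parse_dump(text):
    """Split each 'login:password' line at the first colon only,
    since a password itself may contain ':'."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line or ":" not in line:
            continue  # skip blank or malformed lines
        login, _, password = line.partition(":")
        records.append((login, password))
    return records


def password_stats(passwords):
    """Statistics of the kind reported for the dump: unique count,
    length buckets, digit use and the most frequently reused passwords."""
    counts = Counter(passwords)
    return {
        "total": len(passwords),
        "unique": len(counts),
        "len_ge_8": sum(1 for p in passwords if len(p) >= 8),
        "len_9": sum(1 for p in passwords if len(p) == 9),
        "with_digit": sum(1 for p in passwords if re.search(r"\d", p)),
        "top": counts.most_common(3),
    }


if __name__ == "__main__":
    records = parse_dump(SAMPLE_DUMP)
    stats = password_stats([pw for _, pw in records])
    for key, value in stats.items():
        print(f"{key}: {value}")
```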
It remains unclear what the phishers intended to do with so many MySpace accounts and e-mail addresses. Krebs expects them to be used to distribute spam. In addition, because users often use the same passwords for various services, the fraudsters could try to gain access to other accounts, such as eBay, Amazon, PayPal or Skype.
- Note to MySpace Users: Get Better Passwords, blog entry from Brian Krebs
- Grab a myspace credential, posting on Full Disclosure