"On April 19, MySpace updated their server software so that they could disable bad links in users' profiles without requiring any user action or altering any other profile content. Overnight, overall phishing traffic dropped by a factor of five back to the levels observed in early March.
^^^ Couple problems with that bit of info...
1. The solution from MarkMonitor they implemented wasn't retroactive. Only new links posted are being passed through that filter. 2. Said filter has yet to make it to links on actual profile pages. It's just being used in the profile comments section at the moment. 3. This filter has very little to do with the drop in MySpace phishing right now. The captcha added to the profile edit screen has had the biggest effect for sure.
/phishing is still a massively insane problem on there.
Back in early March, I was a victim of one of these phishing attacks on Myspace when I visited the profile of someone on my friends list.
It's incredibly easy to fall victim to this attack. All I did was click the "Home" link on the profile of this person. All of a sudden, I get the Myspace homepage with a login box that appeared legitimate. Unfortunately, it took a few clicks before I realized what happened.
Talk about a pain! Luckily I was able to change my password before any damage was done. The only problem is changing passwords on dozens of sites because you can't tell what was or wasn't compromised.
I have a number of accounts that send passwords in plain text via email. I knew that they could easily get my Gmail address from Myspace. Then using Gmail it would be easy to search these emails out. With a bit of guessing, they might be able to figure out ways to get into more critical accounts.
All it takes is one account and who knows what else it might lead to? How many people use more than one password or pin #?
I think the sophistication of the attack I experienced was only the tip of the ice burg. I can imagine much nastier scenarios taking place. I immediately contacted Myspace... and I'm saddened by their slow response. The particular page that was compromised receives high traffic. I have no idea how other profiles were hijacked as a result of their slow response.
माइस्पेस या ऐसी ही सेवाओं के प्रयोक्ता आमतौर पर साधारण कम्प्यूटर प्रयोक्ता होते हैं जो कि इन गंभीर कम्प्यूटर सुरक्षा कारणों और समस्याओं को न तो जानते हैं और न ही पूरी तरह समझ पाते हैं. फिर उनके पास इनसे लड़ने का कोई जरिया भी नहीं होता.
इस सारे आलेख को पढ़ने के पश्चात् यही बात समझ में आती है कि इंटरनेट अनुप्रयोग सेवा प्रदाताओं को ही ऐसे फिशिंग हमलों से अपने प्रयोक्ताओं को बचाने के लिए पुख्ता उपाय करने होंगे. तभी बात बनेगी.
एक आम उपयोक्ता के लिए सोफ़िस्टिकेटेड फिशरों से लड़ने की बात करना बेमानी ही है!
Here's an except from an announcement Tom posted on MySpace a few minutes ago:
"Tonight we started using msplinks on profiles, just like we've been using them in comments. Whenever you save a url in your myspace page, we convert it to an msplinks url. This allows us to easily and instantly disable links sitewide. If a phishing link gets out into common use, we can turn it of instantly."
P.S. Try to post a link on MySpace to this blog entry for some major LOLz. It's filtered as if it's spam or a spoof login page. I'm sure they'll fix that after reading this though.
Dear G ma il Account Owner, This message is from Gmail messaging center to all Gmail free account owners and premium account owners. We are currently upgrading our data base and e-mail account center. We are deleting all unused Gmail account to create more space for new accounts.
To prevent your email account from closing you will need to update so as to validate our user email database.
CONFIRM YOUR IDENTITY BELOW
* Gma il! ID : .......... * Password : ........... * Date of Birth : ...... * Country or Territory : ...........
Enter the letter from the Security Image : ........ 859304
Warning!!! Account owner that refuses to update his or her account within Seven days of receiving this warning will lose his or her account permanently.
Thank you for using Gmail ! Warning Code:VX2G99AAJ Thanks, The Gmail Team G MAI L BETA
which I'm ignoring but are there any official Google comments?
I've signed up for Gmail since December 25, 2006. (on a different username) But I keep seeing the year 2007 below the Gmail interface. Everybody knows it's year 2008 now. Have I logged on to a fake site? Was I phished or pharmed? Or was my HOSTS file poisoned? What else could have happened to my computer?
Sorry for bothering you, a Computer Internet Newbie
My one problem with this is that I can't track the how much traffic my MySpace profile is bringing to my website. This is for a legitimate corporation and it is important data for myself, and likely many other legitimate businesses to have. How else can we easily understand the affect of our social networking. I am unable to use Google Analytics on the profile because MySpace doesn't allow javascript, and now I can't even use the Google URL Builder to track the link, because it is automatically converted to an msplink. Is there ANY way around this so that I can simply track the traffic moving back and forth through these websites?
Our guess is myspace will come out, eventually, with their own tool allowing companies to do a better job of tracking their individual sites. They will probably work with someone like google or awstats to provide this free of charge.
One easy thing you can do is simply use your myspace page as a landing page. Then have it directly link to your real site. You would then be able to track (on your real site) how many users came from myspace.
In the meantime there are tracking tools available. Just google "myspace tracking hits" to find a few of them.
Every cybercitizen should be responsible and protect their private information. Visit http://www.onlinesecurityauthority.com for the Authority for Online Security for our future.
13 comments :
"On April 19, MySpace updated their server software so that they could disable bad links in users' profiles without requiring any user action or altering any other profile content. Overnight, overall phishing traffic dropped by a factor of five back to the levels observed in early March.
^^^ Couple problems with that bit of info...
1. The solution from MarkMonitor they implemented wasn't retroactive. Only new links posted are being passed through that filter.
2. Said filter has yet to make it to links on actual profile pages. It's just being used in the profile comments section at the moment.
3. This filter has very little to do with the drop in MySpace phishing right now. The captcha added to the profile edit screen has had the biggest effect for sure.
/phishing is still a massively insane problem on there.
Back in early March, I was a victim of one of these phishing attacks on Myspace when I visited the profile of someone on my friends list.
It's incredibly easy to fall victim to this attack. All I did was click the "Home" link on the profile of this person. All of a sudden, I get the Myspace homepage with a login box that appeared legitimate. Unfortunately, it took a few clicks before I realized what happened.
Talk about a pain! Luckily I was able to change my password before any damage was done. The only problem is changing passwords on dozens of sites because you can't tell what was or wasn't compromised.
I have a number of accounts that send passwords in plain text via email. I knew that they could easily get my Gmail address from Myspace. Then using Gmail it would be easy to search these emails out. With a bit of guessing, they might be able to figure out ways to get into more critical accounts.
All it takes is one account and who knows what else it might lead to? How many people use more than one password or pin #?
I think the sophistication of the attack I experienced was only the tip of the ice burg. I can imagine much nastier scenarios taking place. I immediately contacted Myspace... and I'm saddened by their slow response. The particular page that was compromised receives high traffic. I have no idea how other profiles were hijacked as a result of their slow response.
माइस्पेस या ऐसी ही सेवाओं के प्रयोक्ता आमतौर पर साधारण कम्प्यूटर प्रयोक्ता होते हैं जो कि इन गंभीर कम्प्यूटर सुरक्षा कारणों और समस्याओं को न तो जानते हैं और न ही पूरी तरह समझ पाते हैं. फिर उनके पास इनसे लड़ने का कोई जरिया भी नहीं होता.
इस सारे आलेख को पढ़ने के पश्चात् यही बात समझ में आती है कि इंटरनेट अनुप्रयोग सेवा प्रदाताओं को ही ऐसे फिशिंग हमलों से अपने प्रयोक्ताओं को बचाने के लिए पुख्ता उपाय करने होंगे. तभी बात बनेगी.
एक आम उपयोक्ता के लिए सोफ़िस्टिकेटेड फिशरों से लड़ने की बात करना बेमानी ही है!
Just as an update to my previous comment...
Here's an except from an announcement Tom posted on MySpace a few minutes ago:
"Tonight we started using msplinks on profiles, just like we've been using them in comments. Whenever you save a url in your myspace page, we convert it to an msplinks url. This allows us to easily and instantly disable links sitewide. If a phishing link gets out into common use, we can turn it of instantly."
Can I have a cookie now? :P
Another update, this one is from the Whoops Department...
Correction: MarkMonitor is not involved in the MSPLinks service, but is the domain registrar used by MySpace for domains including msplinks.com.
The rest of my comments are factually correct.
P.S. Try to post a link on MySpace to this blog entry for some major LOLz. It's filtered as if it's spam or a spoof login page. I'm sure they'll fix that after reading this though.
/other innocent urls won't be as lucky.
Hi, I just received this very dodgy email:
G MAI L BETA
VERIFY YOUR FREE G MAI L ACCOUNT NOW !!!
Dear G ma il Account Owner,
This message is from Gmail messaging center to all Gmail free account owners and premium account owners. We are currently upgrading our data base and e-mail account center. We are deleting all unused Gmail account to create more space for new accounts.
To prevent your email account from closing you will need to update so as to validate our user email database.
CONFIRM YOUR IDENTITY BELOW
* Gma il! ID : ..........
*
Password : ...........
*
Date of Birth : ......
*
Country or Territory : ...........
Enter the letter from the Security Image : ........ 859304
Warning!!! Account owner that refuses to update his or her account within Seven days of receiving this warning will lose his or her account permanently.
Thank you for using Gmail !
Warning Code:VX2G99AAJ
Thanks,
The Gmail Team
G MAI L BETA
which I'm ignoring but are there any official Google comments?
ADG
To whom it may concern,
Dear Google,
I've signed up for Gmail since December 25, 2006. (on a different username)
But I keep seeing the year 2007 below the Gmail interface.
Everybody knows it's year 2008 now.
Have I logged on to a fake site?
Was I phished or pharmed?
Or was my HOSTS file poisoned?
What else could have happened to my computer?
Sorry for bothering you,
a Computer Internet Newbie
Hey all,
My one problem with this is that I can't track the how much traffic my MySpace profile is bringing to my website. This is for a legitimate corporation and it is important data for myself, and likely many other legitimate businesses to have. How else can we easily understand the affect of our social networking. I am unable to use Google Analytics on the profile because MySpace doesn't allow javascript, and now I can't even use the Google URL Builder to track the link, because it is automatically converted to an msplink. Is there ANY way around this so that I can simply track the traffic moving back and forth through these websites?
Our guess is myspace will come out, eventually, with their own tool allowing companies to do a better job of tracking their individual sites. They will probably work with someone like google or awstats to provide this free of charge.
One easy thing you can do is simply use your myspace page as a landing page. Then have it directly link to your real site. You would then be able to track (on your real site) how many users came from myspace.
In the meantime there are tracking tools available. Just google "myspace tracking hits" to find a few of them.
www.mbridge.com
http://www.mbridge.com
Every cybercitizen should be responsible and protect their private information. Visit http://www.onlinesecurityauthority.com for the Authority for Online Security for our future.
Post a Comment