Phishers have found a way to use genuine MySpace.com accounts to trick users into revealing their account information.
Web analysis firm Netcraft reported on Friday that a MySpace user was emailing potential victims inviting them to visit a fraudulent login page, where they were asked to enter their email address and password. That information was then sent to a server located in France, according to Netcraft.
The attack, which has now been shut down by MySpace, took advantage of the way the site organises URLs in order to give the fake login page a believable web address, something that could confuse even security-conscious users, according to Netcraft analyst Rich Miller.
The attacker had registered a MySpace account named login_home_index_html, meaning that the page hosting the fake login looked like a legitimate place where users would sign on to the service.
Users visiting the http://myspace.com/login_home_index_html page would see a legitimate MySpace URL but would not necessarily realise that it was, in fact, a user page that had been configured to trick them into entering their passwords and email addresses.
This type of attack is not unprecedented, but it does show "one more interesting way that phishers are trying to trick people out of their account details", Miller said.
Typically, social-networking sites have a database of user names that are off-limits, in order to prevent this type of attack, Miller said. "What this kind of attack suggests is that sites have to expand that list," he added.