Our Site Advisor team noticed some active MySpace phish domains this week which lead me to wonder why someone would want to break into a MySpace account? There isn’t really any sensitive information like credit card or bank account details stored in the accounts so what are the phishers phishing for? We found several domains with perfect MySpace front pages designed to trick people into giving away their usernames and passwords like this one:

After a bit of research on the topic I quickly realised that spammers are using the phished details to login to peoples accounts and post spam messages on other people’s accounts. MySpace seems to be aware of the problem described in this blog. This poses a particular headache as MySpace can’t close down legitimate user accounts like they could if the spammer had registered new accounts and started spamming from them.

After a bit more digging around I even found a spammer advertising his services:

Or if you want to do the job yourself he’ll gladly sell you the list of login credentials:

One spammer messed up in January and published a list of 56,000 MySpace usernames and passwords online, not good for business I guess.

Someone also pointed out to me that people tend to use the same password on multiple sites. With lots of information about you from your MySpace page and your password it wouldn’t be hard for the phishers to do something even more sinister with your identity! Having access to your MySpace account would also give a hacker the ability to replace a music file you are sharing with an infected file thus infecting the machines of anybody you share that file with.

The moral of the story is to be careful when logging into any site, not just your bank account!