Blog

Websense Security Labs^TM has been tracking a technique that allows for easier social engineering on MySpace. The technique involves the creation of malformed anchor tags with style attributes that cover most of the clickable page with whatever link an attacker wants. Use of this technique has been detected in MySpace phishing sites, adult dating spam, and other questionable content. The malformed anchor tags seem to get past MySpace's parsing, which usually converts links to a specific redirect format off of the msplinks.com domain.

Anchor Tag Source:


This technique makes it easier for malicious users to steer profile visitors to an external Web site. Unsuspecting users might try to click on something that appears to be a safe link hosted on MySpace, such as the "View My: Pics" link that appears in every profile. However, because of this hack, these users are actually taken to an external site. This redirection greatly increases the click rates seen with these attacks.

One music profile with over 12 million page views and over 435,000 friends uses this hack to link to a site that redirects users multiple times until they arrive at a MySpace phishing site. The first redirect is a JavaScript redirect to "thanks.php" in the same domain. It displays a simple message on the page. The second redirect is a 302 with the page hosted on a different domain. The page has been created to look like a MySpace URL.

First Redirect:


Second Redirect:



The profile also uses viral marketing techniques to encourage fans to copy and paste a snippet of code into their profiles. This code is supposed to give users updates about the band, but in fact it just spreads the same link to the MySpace phishing site.

We have monitored this profile and noticed that the link to the phishing site has been updated, presumably because the phishing site has been shut down.

MySpace Profile:


MySpace Phish Page:


Security Researcher: Ali Mesdaq