Thwarting a large-scale phishing attack

Monday, June 11, 2007 11:35 AM

In addition to targeting malware, we're interested in combating phishing, a social engineering attack where criminals attempt to lure unsuspecting web surfers into logging into a fake website that looks like a real website, such as eBay, E-gold or an online bank. Following a successful attack, phishers can steal money out of the victims' accounts or take their identities. To protect our users against phishing, we publish a blacklist of known phishing sites. This blacklist is the basis for the anti-phishing features in the latest versions of Firefox and Google Desktop. Although blacklists are necessarily a step behind as phishers move their phishing pages around, blacklists have proved to be reasonably effective.

Not all phishing attacks target sites with obvious financial value. Beginning in mid-March, we detected a five-fold increase in overall phishing page views. It turned out that the phishing pages generating 95% of the new phishing traffic targeted MySpace, the popular social networking site. While a MySpace account does not have any intrinsic monetary value, phishers had come up with ways to monetize this attack. We observed hijacked accounts being used to spread bulletin board spam for some advertising revenue. According to this interview with a phisher, phishers also logged in to the email accounts of the profile owners to harvest financial account information. In any case, phishing MySpace became profitable enough (more than phishing more traditional targets) that many of the active phishers began targeting it.

Interestingly, the attack vector for this new attack appeared to be MySpace itself, rather than the usual email spam. To observe the phishers' actions, we fed them the login information for a dummy MySpace account. We saw that when phishers compromised a MySpace account, they added links to their phishing page on the stolen profile, which would in turn result in additional users getting compromised. Using a quirk of the CSS supported in MySpace profiles, the phishers injected these links invisibly as see-through images covering compromised profiles. Clicking anywhere on an infected profile, including on links that appeared normal, redirected the user to a phishing page. Here's a sample of some CSS code injected into the "About Me" section of an affected profile:

<a style="text-decoration:none;position:absolute;top:1px;left:1px;" href=""><img
   style="border-width:0px;width:1200px; height:650px;"

In addition to contributing to the viral growth of the phishing attack, linking directly off of real MySpace content added to the appearance of legitimacy of these phishing pages. In fact, we received thousands of complaints from confused users along the lines of "Why won't it let any of my friends look at my pictures?" regarding our warnings on these phishing pages, suggesting that even an explicit warning was not enough to protect many users. The effectiveness of the attack and the increasing sophistication of the phishing pages, some of which were hosted on botnets and were near perfect duplications of MySpace's login page, meant that we needed to switch tactics to combat this new threat.

In late March, we reached out to MySpace to see what we could do to help. We provided lists of the top phishing sites and our anti-phishing blacklist to MySpace so that they could disable compromised accounts with links to those sites. Unfortunately, many of the blocked users did not remove the phishing links when they reactivated their accounts, so the attacks continued to spread. On April 19, MySpace updated their server software so that they could disable bad links in users' profiles without requiring any user action or altering any other profile content. Overnight, overall phishing traffic dropped by a factor of five back to the levels observed in early March. While MySpace phishing continues at much lower volumes, phishers are beginning to move on to new targets.
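
The two defensive steps described above, spotting the page-covering link overlay in profile markup and checking its target against a blacklist, can be combined in one server-side scan. This Python sketch is an added example, not code from Google or MySpace; the size threshold, the blacklist entry, the host names and the sample profile are constructed assumptions.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

BLACKLIST = {"login-myspace.example"}  # constructed entry (reserved .example TLD)
MIN_W, MIN_H = 600, 400                # assumed size at which an image blankets a profile

def css(style):  # inline style attribute -> {property: value}
    pairs = (d.split(":", 1) for d in (style or "").split(";") if ":" in d)
    return {k.strip().lower(): v.strip().lower() for k, v in pairs}

def px(value):  # "1200px" or "1200" -> 1200; anything else (e.g. "100%") -> 0
    digits = (value or "").strip().lower().replace("px", "")
    return int(digits) if digits.isdigit() else 0

class OverlayScanner(HTMLParser):
    def __init__(self):
        super().__init__()
        self.links = []     # stack of (href, positioned) for currently open <a> tags
        self.findings = []

    def handle_starttag(self, tag, attrs):
        attr = dict(attrs)
        style = css(attr.get("style"))
        floating = style.get("position") in ("absolute", "fixed")
        if tag == "a":
            self.links.append((attr.get("href") or "", floating))
        elif tag == "img" and self.links:
            href, link_floating = self.links[-1]
            w = px(style.get("width") or attr.get("width"))
            h = px(style.get("height") or attr.get("height"))
            # Flag a large image that is lifted out of the page flow inside a link.
            if (floating or link_floating) and w >= MIN_W and h >= MIN_H:
                host = urlparse(href).hostname or ""
                self.findings.append({"href": href, "size": (w, h), "blacklisted": host in BLACKLIST})

    def handle_endtag(self, tag):
        if tag == "a" and self.links:
            self.links.pop()

def scan(profile_html):
    scanner = OverlayScanner()
    scanner.feed(profile_html)
    return scanner.findings

# Constructed sample: first link follows the injected pattern quoted in the post, second is a small banner.
SAMPLE = ('<a style="text-decoration:none;position:absolute;top:1px;left:1px;" '
          'href="http://login-myspace.example/index.php">'
          '<img style="border-width:0px;width:1200px; height:650px;"></a>'
          '<a href="http://band.example/"><img width="88" height="31"></a>')

if __name__ == "__main__":
    print(scan(SAMPLE))
```

A finding with `blacklisted` set to false is still worth reviewing, since the overlay shape itself is the signal and the blacklist is, as the post notes, always a step behind.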

Things you can do to help end phishing and Internet fraud
  • Learn to recognize and avoid phishing. The Anti-Phishing Working Group has a good list of recommendations.

  • Update your software regularly and run an anti-virus program. If a cyber-criminal gains control of your computer through a virus or a software security flaw, he doesn't need to resort to phishing to steal your information.

  • Use different passwords on different sites and change them periodically. Phishers routinely try to log in to high-value targets, like online banking sites, with the passwords they steal for lower-value sites, like webmail and social networking services.


LoLo said...

"On April 19, MySpace updated their server software so that they could disable bad links in users' profiles without requiring any user action or altering any other profile content. Overnight, overall phishing traffic dropped by a factor of five back to the levels observed in early March."

^^^ Couple problems with that bit of info...

1. The solution from MarkMonitor they implemented wasn't retroactive. Only new links posted are being passed through that filter.
2. Said filter has yet to make it to links on actual profile pages. It's just being used in the profile comments section at the moment.
3. This filter has very little to do with the drop in MySpace phishing right now. The captcha added to the profile edit screen has had the biggest effect for sure.

/phishing is still a massively insane problem on there.

knightrd said...

Back in early March, I was a victim of one of these phishing attacks on Myspace when I visited the profile of someone on my friends list.

It's incredibly easy to fall victim to this attack. All I did was click the "Home" link on the profile of this person. All of a sudden, I get the Myspace homepage with a login box that appeared legitimate. Unfortunately, it took a few clicks before I realized what happened.

Talk about a pain! Luckily I was able to change my password before any damage was done. The only problem is changing passwords on dozens of sites because you can't tell what was or wasn't compromised.

I have a number of accounts that send passwords in plain text via email. I knew that they could easily get my Gmail address from Myspace. Then using Gmail it would be easy to search these emails out. With a bit of guessing, they might be able to figure out ways to get into more critical accounts.

All it takes is one account and who knows what else it might lead to? How many people use more than one password or pin #?

I think the sophistication of the attack I experienced was only the tip of the iceberg. I can imagine much nastier scenarios taking place. I immediately contacted Myspace... and I'm saddened by their slow response. The particular page that was compromised receives high traffic. I have no idea how other profiles were hijacked as a result of their slow response.

Raviratlami said...

Users of MySpace and similar services are generally ordinary computer users who neither know about nor fully understand these serious computer security issues and problems. On top of that, they have no means of fighting them.

After reading this whole article, the one thing that becomes clear is that Internet application service providers themselves will have to take solid measures to protect their users from such phishing attacks. Only then will things work out.

For an ordinary user, talk of fighting sophisticated phishers is simply meaningless!

LoLo said...

Just as an update to my previous comment...

Here's an excerpt from an announcement Tom posted on MySpace a few minutes ago:

"Tonight we started using msplinks on profiles, just like we've been using them in comments. Whenever you save a url in your myspace page, we convert it to an msplinks url. This allows us to easily and instantly disable links sitewide. If a phishing link gets out into common use, we can turn it off instantly."

Can I have a cookie now? :P

LoLo said...

Another update, this one is from the Whoops Department...

Correction: MarkMonitor is not involved in the MSPLinks service, but is the domain registrar used by MySpace for domains including

The rest of my comments are factually correct.

P.S. Try to post a link on MySpace to this blog entry for some major LOLz. It's filtered as if it's spam or a spoof login page. I'm sure they'll fix that after reading this though.

/other innocent urls won't be as lucky.

Andrew Goulding Articles said...

Hi, I just received this very dodgy email:



Dear G ma il Account Owner,
This message is from Gmail messaging center to all Gmail free account owners and premium account owners. We are currently upgrading our data base and e-mail account center. We are deleting all unused Gmail account to create more space for new accounts.

To prevent your email account from closing you will need to update so as to validate our user email database.


* Gma il! ID : ..........
Password : ...........
Date of Birth : ......
Country or Territory : ...........

Enter the letter from the Security Image : ........ 859304

Warning!!! Account owner that refuses to update his or her account within Seven days of receiving this warning will lose his or her account permanently.

Thank you for using Gmail !
Warning Code:VX2G99AAJ
The Gmail Team

which I'm ignoring but are there any official Google comments?


Nadelline Marie said...

To whom it may concern,

Dear Google,

I've signed up for Gmail since December 25, 2006. (on a different username)
But I keep seeing the year 2007 below the Gmail interface.
Everybody knows it's year 2008 now.
Have I logged on to a fake site?
Was I phished or pharmed?
Or was my HOSTS file poisoned?
What else could have happened to my computer?

Sorry for bothering you,
a Computer Internet Newbie

Sonicbids said...

Hey all,

My one problem with this is that I can't track how much traffic my MySpace profile is bringing to my website. This is for a legitimate corporation and it is important data for myself, and likely many other legitimate businesses, to have. How else can we easily understand the effect of our social networking? I am unable to use Google Analytics on the profile because MySpace doesn't allow JavaScript, and now I can't even use the Google URL Builder to track the link, because it is automatically converted to an msplink. Is there ANY way around this so that I can simply track the traffic moving back and forth through these websites?

info said...

Our guess is myspace will come out, eventually, with their own tool allowing companies to do a better job of tracking their individual sites. They will probably work with someone like google or awstats to provide this free of charge.

One easy thing you can do is simply use your myspace page as a landing page. Then have it directly link to your real site. You would then be able to track (on your real site) how many users came from myspace.

In the meantime there are tracking tools available. Just google "myspace tracking hits" to find a few of them.

Glorie said...

Every cybercitizen should be responsible and protect their private information. Visit for the Authority for Online Security for our future.