Security whistleblowers should act responsibly, says Sophos

January 17, 2007 Sophos Press Release

Experts at SophosLabs™, Sophos's global network of virus, spyware and spam analysis centers, have called on the internet community to act responsibly when exposing security issues, after details of a wide-scale MySpace phishing attack were published in a way that could have endangered thousands of users.

Today, several media reports indicate that MySpace users are the latest victims of a phishing scam. Approximately 60,000 users were recently targeted and directed to a scam page that mirrored MySpace's login page. Unwitting users entered their login and password credentials, which were then sent off to the scammers.

Details of the phishing site's URL, together with a link to a live database listing the usernames and passwords stolen so far, were then posted to a publicly accessible internet mailing list. Although presumably posted with the intention of warning others of the dangers of phishing, this information would let any web surfer steal the identities of innocent MySpace users just as easily as the criminals who set up the phishing website.

Sophos is particularly concerned as many MySpace users are teenagers, who may be targeted by hackers who wish to adopt their identities to communicate with other young people.

"In most cases those who identify security flaws and phishing sites go straight to the affected company in an effort to remove the phishing website and, hopefully, to influence a flaw fix. They do not publicly publish the results of the scam," stated Ron O'Brien, senior security analyst at Sophos. "By directing people to this information, not only have these individuals put people at risk for identity theft, but they have armed criminals and deviants with direct access to thousands of individuals, children and adults alike."

Sophos confirms that phishing scams are a growing problem, but calls upon the security community to act responsibly and to ensure that businesses and consumers have the information they need to stay secure from these attacks.

"Millions and millions of individuals have joined the internet revolution. Social networking websites such as MySpace are redefining how we interact with friends, colleagues and acquaintances. In addition, these websites have given way to new forms of attacks designed to steal personal information and invade people's lives," continued O'Brien. "With the right information, education and technology you can protect yourself. What you don't need to defend yourself are links to databases containing tens of thousands of stolen identities."