Experts at SophosLabs™, Sophos's global
network of virus, spyware and spam analysis centers, have called on
the internet community to act responsibly when exposing security
issues, after details of a wide-scale MySpace phishing attack were published
that could have endangered thousands of users.
Today, several media reports indicate that MySpace users are the
latest victims of a phishing scam. Approximately 60,000 users were
recently targeted and directed to a scam page, which mirrored
MySpace's login page. Unsuspecting users entered login and password
credentials, which were then sent off to scammers.
Details of the phishing site's URL and a link to a live database
containing a list of the usernames and passwords stolen so far were
then posted to a publicly accessible internet mailing list.
Although the details were presumably posted with the intention of
warning others of the dangers of phishing, any web surfer with this
information could easily steal the identities of innocent MySpace
users, just like the original criminals who set up the phishing website.
Sophos is particularly concerned as many MySpace users are
teenagers, who may be targeted by hackers who wish to adopt their
identities to communicate with other young people.
"In most cases those who identify security flaws and phishing
sites go straight to the affected company in an effort to remove
the phishing website and, hopefully, to influence a flaw fix. They
do not publicly publish the results of the scam," stated Ron
O'Brien, senior security analyst at Sophos. "By directing people to
this information, not only have these individuals put people at
risk for identity theft, but they have armed criminals and deviants
with direct access to thousands of individuals, children and adults
alike."
Sophos confirms that phishing scams are a growing problem, but
calls upon the security community to act responsibly and to ensure
that businesses and consumers have the information they need to
stay secure from these attacks.
"Millions and millions of individuals have joined the internet
revolution. Social networking websites such as MySpace are
redefining how we interact with friends, colleagues and
acquaintances. In addition, these websites have given way to new
forms of attacks designed to steal personal information and invade
people's lives," continued O'Brien. "With the right information,
education and technology you can protect yourself. What you don't
need to defend yourself are links to databases containing tens of
thousands of stolen identities."