Friday, November 09, 2007

MySpace Overcome By Severe Phishing 'Epidemic'

Cyber Superbug Invades Members' Friends Lists, Then Spams Relentlessly

Site Official Tells WCBSTV.com: 'We've Stopped The Source'


NEW YORK (CBS) ― Social networking giant MySpace stumbled to its knees at the hands of a cyber superbug recently, falling ill to a severe phishing epidemic that is plaguing a vast and vulnerable segment of its membership.

The viral scam, which targets the site's younger users, promises victims a free $500 Macy's gift card.

It sounds like a steal. And actually, it is. It's the stealing of a member's identity.

The spam scam involves users unknowingly sending their MySpace friends e-mails and posting comments on their profiles that plug a ploy for the supposedly free gift card that they'll never actually see, touch, or spend.

In fact, to lead the younger members on, the ads are written in "kids-speak." One such posting starts off by telling the victim, "Hey dude, check it out! You ain't gunna believe this!"

Another one reads: "i'm just hittin you up, as a friend, to fill you in on this exclusive deal to get a FREE $500 Macy's Gift Card, yes, FREE! just answer a question or two and BOOM you got a shopping spree lol!"

Members fall into the phishing net by clicking on a provided link in the posting, which in some cases comes in the form of what looks like a video featuring a scantily-clad young woman. After clicking on the link, the member is taken to a faux MySpace login page where the user is asked to re-enter his or her username and password. That information, however, is actually being sent to the "phisher," a third party illegally acquiring the member's personal information.

The pain and suffering begins immediately and will continue until either the phisher is caught or the member changes his or her password, mainly because victims simply have no clue they're sending the e-mails until someone finally tells them.

"It is an epidemic on MySpace," PC Magazine Executive Editor Jeremy Kaplan tells wcbstv.com. "It is a big problem particularly because of the pervasiveness of MySpace. If you're in junior high, high school, college -- half the world seems to have MySpace pages -- so the younger you are, the more frequently you use it and the more likely you are to encounter this thing. It is a huge problem."

Kaplan says members are sending the spam without their knowledge because once their information is obtained, the phisher uses a robotic program to log onto the victim's account and then disseminate the ad to every single person on that member's "friends" list.

It has spread so fast and so thoroughly that the site has become, for many, an absolute nightmare to be a part of.

There's no way to tell for sure just how many users have been victimized, but the number is likely to be well into the thousands by now. Just browsing through various members' profiles, it doesn't take long to happen upon one that advertises the gift card scam.

"I was pretty upset, basically because I don't want people to think I would treat them that way," says Brad Engler, a 28-year-old musician from Baltimore whose account was infiltrated by the phisher. "I hoped that everyone would realize it wasn't me trying to get them to shop at Macy's."

In fact, Engler's friends are so tired of receiving his e-mails, which he says have continued for about two weeks, that his profile is highlighted by a barrage of comments from them scolding him for the spam. Placed atop his profile now is a banner that reads: "NO - I DIDN'T MEAN TO SPAM YOU."

PC Magazine's Kaplan says he doesn't think MySpace has done much to help solve the problem.

"It's gonna be interesting to see how MySpace reacts to the issue. They were very slow to deal with the MySpace predator problem -- it took a couple of weeks, months to address that -- and so with this crisis, maybe they'll move a little bit quicker," he says.

And move quickly the site claims it has. A MySpace official asserted to wcbstv.com that it has already corrected the problem.

"Individuals who try to spam or phish our members are violating the law and are not welcome on MySpace," Chief Security Officer Hemanshu Nigam said in a statement. "We have identified and stopped the primary source of the Macy's Gift Card spam and are making every effort to identify and block the future spreading of this spam."

Nigam would not reveal details of the source's identity nor what, if any, charges have been filed, citing the fact there is an ongoing investigation.

Oddly enough, though, it seems that Macy's, which has joined MySpace to fight the phishing scam, is not aware the primary source has been stopped. In a statement to wcbstv.com, a spokesperson for the company made no mention of anyone being caught.

"We are extremely concerned that individuals are being targeted in our name, and when we learn that another person or company is using our brand without consent, we work hard to stop it. However, this can take time, and it also can be difficult to do. Consequently we are advising consumers to protect themselves," the official said.

So how can you protect yourself from the phishing scam? First and foremost, if you think you're a victim, you should change your password immediately. But MySpace offers this advice to prevent phishing scams as well:

  • Install the latest operating system and auto-install for critical updates.
  • Use a firewall.
  • Use anti-virus and anti-spyware software and keep them updated.

Macy's has also posted a consumer alert on its Web site.

And of course, there's simple common sense. If the deal looks too good to be true, experts say, don't believe the hype. It probably is.