Friday, October 06, 2006

Phishing Myspace?

Today I received the following email:

Subject: New message from Stephen on MySpace sent on Oct 06 08:10:01 -4 2006
From: New MySpace Message <rideable@crypterion.com>

You've got a new song from Stephen on MySpace!

Click here to hear your MySpace music:
http://myspace.mp3shest.com/?reloc.cfm=6&id=xxxxx


Click here to get 5-free songs downloaded to Your Space:
http://myspace.mp3shest.com/?reloc.cfm=6&id=xxxxxxxxxx_5free

-------------------------

At MySpace we care about your privacy. We have sent you this
notification to facilitate your use as a member of the MySpace service. If
you don't want to receive emails like this to your external email account
in the future, change your Account Settings to "Do not send me
notification emails"

Click here to change your Account Settings:
http://myspace.mp3shest.com/?account.settings=update=6&id=xxxxx

MySpace Inc. - 1900 Wilshire Blvd. 2109, Los Angeles, CA 90403-5400 USA

©2006 MySpace Inc. All Rights Reserved

What's interesting is:
  • I don't have a myspace account, so this is clearly some form of SPAM
  • The links in the mail all have a hostname that is within mp3shest.com, not myspace.com (a dead ringer for SPAM attacks)
  • The domain (mp3shest.com) was registered yesterday (raises BIG red flags for me)

At first I thought this was a phishing attempt, but why would someone want to phish an account there? I understand attempts to phish ebay, paypal, my bank, etc. I don't understand phishing MySpace.

Another thought, since the message seems to be directed at getting me to download a song, perhaps the real attack is to get me to download a trojan. I poked at the site with care (with Mozilla, not IE, of course), but didn't get too far before I just closed the browser.

Moral of the story: If your kids are using email, talk to them about phishing, scams and trojans. If they are also using MySpace, mention this attack in particular.

UPDATE: 14 Oct 06 - I received a new one of these today, this time with the system name myspace.mp3vosem.com, which again is in a domain (mp3vosem.com) that was only registered recently (11 Oct 06) and registered by the same guy (Alex Rodrigez), theoretically in Finland, with a domain registrar in China (Capitol Networks PTY, LTD). For those who don't know, you can use the whois program (available at many locations online, including Network Solutions) and just enter the last two portions of the system name (mp3vosem.com in this case).

Another interesting tidbit is that they must be getting hit by SPAM filters because they are adding a whole bunch of random junk at the end of the mail to try to confuse the filters.

UPDATE 2: 14 Oct 06 - they must be having some level of success because now I'm getting songs from Debra and John in addition to Stephen and they've tried several addresses of mine including one that I use exclusively with Ebay (guess I've gotta change that one). I think the hope here is that one of the names will match one of my friends' first name and so I will be more likely to think it legit -- another thing to be careful with (messages that look like they are from a real friend).
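
The checks described in this post (link hostnames that sit outside myspace.com, and domains registered only days before the mail arrived) can be scripted. The following is an added example, not part of the original post; the function names, the 30-day threshold and the `http://www.myspace.com/` sample link are assumptions, and the registration dates are the ones reported above, typed in by hand rather than fetched with whois.

```python
import re
from datetime import date
from urllib.parse import urlsplit

URL_RE = re.compile(r"https?://[^\s<>\"']+")

# Constructed sample: two links quoted in the post plus one made-up genuine link.
SAMPLE_BODY = """Click here to hear your MySpace music:
http://myspace.mp3shest.com/?reloc.cfm=6&id=xxxxx
Click here to change your Account Settings:
http://myspace.mp3shest.com/?account.settings=update=6&id=xxxxx
http://www.myspace.com/
"""
# Creation dates as the post reports them, entered by hand so this runs offline.
REGISTERED = {"mp3shest.com": date(2006, 10, 5), "mp3vosem.com": date(2006, 10, 11)}

def registrable_domain(host):
    """Last two labels of the host name, the part the post feeds to whois.
    Assumption: fine for .com; names like example.co.uk need a Public Suffix List."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])

def check_links(body, claimed_domain, received, registered, max_age_days=30):
    """Return one finding per distinct link host, with the reasons it looks suspicious."""
    findings, seen = [], set()
    brand = claimed_domain.split(".")[0]
    for url in URL_RE.findall(body):
        host = (urlsplit(url).hostname or "").lower()
        if not host or host in seen:
            continue
        seen.add(host)
        domain = registrable_domain(host)
        reasons = []
        if domain != claimed_domain:
            reasons.append(f"link domain is {domain}, not {claimed_domain}")
            if brand in host.split(".")[:-2]:
                reasons.append(f"'{brand}' appears only as a subdomain label")
        created = registered.get(domain)
        if created is not None and 0 <= (received - created).days <= max_age_days:
            reasons.append(f"domain registered {(received - created).days} day(s) before the mail")
        findings.append({"host": host, "domain": domain, "reasons": reasons})
    return findings

if __name__ == "__main__":
    for f in check_links(SAMPLE_BODY, "myspace.com", date(2006, 10, 6), REGISTERED):
        print(f["host"], "->", f["reasons"] or "no findings")
```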


2 comments:

Paul Madsen said...

Maybe they're phishing for a password in hopes that you've used it elsewhere.

Anonymous said...

Alex Rodrigez (note the spelling) is a well-known spammer. I have had many, many, of his spamvertised sites shut down. He is usually involved in selling pirated software and counterfeit drugs. This is the first time I have seen him try a phishing attack.

I also find it bothersome that he has switched registrars. He used to prefer to do his registrations through pacnames.com, a registrar that claims to operate out of New Zealand (though they use a phone number in Colorado, USA). Even though a NZ registrar doesn't have to obey the rules of the USA - and NZ has no anti-spam legislation currently in effect - at least they speak English and can be reached in English. If he has switched to a Chinese registrar then that all goes away.