Categories

BitTorrent
Conferences
Direct Revenue
Julie Amero
Myspace
Podcasts
Postbag
The Big Ones
The Fourth Wall
Yapbrowser
Zango

Creative Commons License
All articles licensed
under a Creative
Commons License.  








Home | About me | Press | The Fourth Wall | Links

Tuesday, November 13, 2007

TIME to face facts, Myspace

Yep, Time.com just covered the whole Myspace hacking thing (note that its the second top story on Time.com, behind Decapitation: Mafia Adaptation which is quite possibly the greatest headline ever). However, what I want to do is focus on just one portion of the article - specifically, the bit where some guy from Myspace says a bunch of stuff. Pay attention, now:

"Her profile was phished," says Nigam, "which means that whoever is managing her site probably input their user name and password where they shouldn't have,"

"Her" refers to Alicia Keys. So again, Myspace are going with the phishing angle. But wait - further down the page....

"MySpace says it has discovered and removed links to the same Chinese site embedded on up to 50 other pages, but declined to identify which pages had been infected."

This is a spectacular own goal. Why?

Well, look at it this way. Myspace freely admit they fixed 50 pages - so in addition to the 25 or so I already found, and in addition to the total that whoever else, from Sunbelt to Roger Thompson, also came across, and in addition to the still undiscovered pages out there that carry this hijack - they still expect us to believe all of those pages got phished in the space of a week or so?

That something in excess of 70 or 80+ pages related to bands ALL GOT PHISHED in the space of a week or two because every single person running those pages suddenly got hit with the stupid stick and clicked a bogus login link? That bands who were unfortunate to get hacked TWICE IN A WEEK were crazy enough to get phished once, then TWICE?

Sorry man, I know ten year olds on Myspace who don't get stung like that.

Phish scams on Myspace are pretty rampant - but every single band I have spoken to swears blind they didn't click a stupid link, or got sent a spurious email, or handed over their credit cards to the wallet inspector, and I believe them. What's more, nobody (as yet) seems to have a single shred of evidence as to these phantom phish links. Where are they? Why hasn't anyone seen one? When are we going to make a definite link between phishing and band hacks?

And the other reason why this is a spectacular own goal? Well, fifty compromised pages is a lot of potential traffic to a hijack website. Three pages alone had in excess of 8,000 friends. So with that in mind, I find this whole idea of keeping those hacked pages under wraps to be vaguely irresponsible. Rather than take another press hit - because it's entirely possible that any of the fifty fixed pages could be for major artists - Myspace would rather drop the cloak of anonymity.

That's great, except it leaves anyone who might have visited a band page in the last week or so completely in the dark as to whether or not they need to run a few antispyware scans. The final nail in the coffin is that Myspace seem incapable of blocking / filtering out two or three Chinese URLs.

Well done Myspace, a winner is most definitely you.

Labels:

posted by paperghost at 7:58 PM | Digg it!

All Content © Vitalsecurity.org 2006. The content of this site is entirely the opinion of Paperghost, and is in no way endorsed by FaceTime Communications. In other words - have a problem, come see me.