Phishing with consent: Myspace profile tracker spam
by Satnam Narang, December 6th, 2007
Just like any normal Myspace user, I tend to browse my friends’ bulletins to see if there is anything of interest that might catch my eye. A Myspace bulletin is like an announcement message: it gets posted to all of your friends’ bulletin boards for them to see. So, a few days ago, I came across a bulletin from my Myspace “friend” and digg.com founder, Kevin Rose. (I don’t know Kevin; he’s my “friend” in the loosely connected, easily created Myspace way.)
The URL in the bulletin from Kevin takes you to hxxp://stalkertrack.com.
It’s highly unlikely that Kevin intended to send this bulletin. It should be noted that this was not an isolated incident.
This piqued my interest, so I decided to “digg” a little deeper to find out why a few web-savvy folks would openly give out their login credentials to a service that is not promoted or supported by Myspace itself, and is even actively discredited by the Myspace founders.
As of this post, Stalkertrack has been up and running since January 2007, with the first rumblings about this scam reported back in March.
Upon clicking the image in the bulletin above, you arrive at their homepage:
They offer a demo page to test drive the “tracker” so that potential users can get a sense of what it looks like and perhaps gain their trust that it is legitimate.
So, let’s say you believe the hype and you want to see who is tracking your profile. You can follow a link where you will end up at a promotion page where they make it clear to you that they are NOT and I repeat, NOT a phishing page!
No, this is not a “phishing” page.
Phishing is the act of spoofing or tricking people into giving away sensitive private information with the intent to steal from them or perform other criminal acts. This site does not attempt to fool anyone into doing anything that would hurt them. This site offers a legitimate tell-a-friend service. Everything is fully disclosed in the privacy policy and terms of service included on the page.
Obviously, by posting this message, they’re hoping to quell your fears by letting you know that they’re not bad guys. Imagine if people you passed by on the street assured you that they were not thieves and that they had no intention to reach into your pockets and steal from you. This is clearly a red flag.
OK, so you want to sign up for the tracker. But, where is the tracker, anyway?
So why can’t I get it today?
Unfortunately the tracker is not available to you guys yet.
When will it be available?
Well as soon as we have enough interest and people signed up to receive it, that’s when we will know we will make enough money to help support it, and that’s when we can release it to you guys.
So when it becomes available, how do I get the tracker?
If you want to get the tracker these are the two steps you must do:
Step 1. Read our terms below.
Step 2. Login to the tracker promoter form in the top right with your MySpace email and password. This will set off an automated script that will help us spread the word about it. After we have enough interested members, we will send you a message to your myspace email with the instructions to get your tracker.
Note: If you enter inaccurate information in the tracker promoter form, we will not be able to find you to give you your tracker.
Thank you so much!
This is yet another red flag.
To avoid any liability, they conveniently present a Terms of Use / Privacy Policy at the bottom of the page, where they actually disclose what they plan on doing with your login credentials.
Terms of Use / Privacy Policy:
By filling out this form, you authorize Blue China Group, Ltd to spread the word about this 100% real and ONLY working profile viewer. You will receive your share of the credit in helping us launch the tracker. This is a harmless profile tracker site that is coming soon and looking to spread the word.
We do not share your private information with any third parties.
By using our promotion form you hereby fully authorize Blue China Group, Ltd to send messages of a commercial nature via bulletins and comments on behalf of third parties via the information you provide us. This is not a “phishing” site that attempts to “trick” you into revealing personal information. Everything we do with your information is disclosed here. If you are under eighteen (18), you MUST obtain permission from a parent or guardian before filling out this form.
[...]
We may do a combination of the following based on your friends’ interest.
1. Temporarily access your MySpace account for the following purpose(s).
2. Post “tracker information” bulletins in the appropriate section.
3. Comment your friends about this tracker.
4. Post a blog about our tracker for your friends to read.
5. Customize your blog header html with a clickable tracker ad image.
6. Send a batch of blog invites on your behalf.
7. Introduce new entertaining sites.
By submitting your Myspace credentials using the form on the page, you are confirming that you have read this agreement and that you agree to allow Blue China Group to do whatever they please with your account.
So, is this a phish? Well, it’s not a phish in the classic sense of the term: Blue China Group is not attempting to pose as Myspace in order to trick you into divulging your Myspace credentials. But they are clearly attempting to mislead you. Perhaps this is similar to the way a multi-level marketing scheme isn’t illegal per se, but is definitely suspicious (if not malicious) in intent.
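The pattern described above can be checked for mechanically: a form that asks for another service’s password while hosted on (and submitting to) an unrelated domain, wrapped in a “we are not a phishing page” reassurance and terms granting the operator the right to post on your behalf. The checker below is an added example written for this page, not code from 8e6 Labs or from the site discussed; the service list, the phrase patterns, the `.example` host names and both HTML samples are constructed for the example and are not copied from the real page.

```python
"""Heuristic checker for "phishing with consent" pages.  Added example, not
8e6 Labs code.  SERVICE_HOSTS, RED_FLAG_PHRASES, the .example hosts and the
two HTML samples are all constructed for this example."""

import re
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Credentials for these services should only be typed into these domains.
SERVICE_HOSTS = {"myspace": ("myspace.com",)}

# Wording the post singles out as red flags.  Heuristic and deliberately narrow.
RED_FLAG_PHRASES = {
    "disclaims being a phishing page":
        r"not\s+a\s+\W?phishing\W?\s+(page|site)",
    "terms grant authority to post on your behalf":
        r"on\s+(your|my)\s+behalf|on\s+behalf\s+of\s+third\s+parties",
    "asks for another service's login":
        r"(log\s*in|login)\s+.{0,60}?\byour\s+myspace\s+(email|e-mail)",
}


class _FormParser(HTMLParser):
    """Collects each <form>'s action and <input> names/types, plus page text."""

    def __init__(self):
        super().__init__()
        self.forms, self.text, self._current = [], [], None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._current = {"action": a.get("action") or "", "inputs": []}
            self.forms.append(self._current)
        elif tag == "input" and self._current is not None:
            self._current["inputs"].append({
                "name": (a.get("name") or "").lower(),
                "type": (a.get("type") or "text").lower()})

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None

    def handle_data(self, data):
        self.text.append(data)


def host_of(url):
    return (urlparse(url).hostname or "").lower()


def on_service_domain(host, domains):
    return any(host == d or host.endswith("." + d) for d in domains)


def assess_page(html, page_url):
    """Return the list of red flags found on the page served at page_url."""
    parser = _FormParser()
    parser.feed(html)
    text = " ".join(parser.text)
    page_host = host_of(page_url)
    findings = []
    for form in parser.forms:
        if not any(i["type"] == "password" for i in form["inputs"]):
            continue
        target = host_of(urljoin(page_url, form["action"]))
        names = " ".join(i["name"] for i in form["inputs"])
        for service, domains in SERVICE_HOSTS.items():
            mentioned = service in names or re.search(rf"\b{service}\b", text, re.I)
            off_domain = not (on_service_domain(page_host, domains)
                              or on_service_domain(target, domains))
            if mentioned and off_domain:  # third party collecting the password
                findings.append(f"password form for {service} hosted on "
                                f"{page_host}, submits to {target}")
    for label, pattern in RED_FLAG_PHRASES.items():
        if re.search(pattern, text, re.I):
            findings.append(label)
    return findings


# Constructed sample modelled on the promoter page described in the post.
SAMPLE_PAGE_URL = "http://stalkertrack.example/promote"
SAMPLE_HTML = """<html><body>
<p>No, this is not a "phishing" page. This site offers a legitimate
tell-a-friend service.</p>
<form action="/promote/submit" method="post">
  Login with your MySpace email and password:
  <input name="myspace_email" type="text">
  <input name="myspace_password" type="password">
  <input type="submit" value="Promote">
</form>
<p>By using our promotion form you authorize us to send messages of a
commercial nature via bulletins and comments on behalf of third parties.</p>
</body></html>"""

# Constructed control: a login form served from the service's own domain.
BENIGN_PAGE_URL = "http://login.myspace.com/"
BENIGN_HTML = """<html><body><form action="/index.cfm" method="post">
<input name="email" type="text"><input name="password" type="password">
</form></body></html>"""

if __name__ == "__main__":
    for url, html in ((SAMPLE_PAGE_URL, SAMPLE_HTML), (BENIGN_PAGE_URL, BENIGN_HTML)):
        print(url, "->", assess_page(html, url) or "no red flags")
```

The domain check is the part worth keeping: a password field for service X on a page that is neither served from nor submitted to X’s domains is the defining feature of this scam, regardless of how the terms of service are worded. The phrase patterns are only corroboration and would need tuning against real traffic before use in a filter.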
I think this is indicative of an important trend for phishing in 2008. As more of your personal data heads online, phishers are going to target more than just your banking information. We’ve already seen malware and phish targeted at stealing online gaming logins and resumes; social networks are clearly on the bad guys’ radar.
It’s also worth noting that this entire attack relies on social engineering. As has often been mentioned in our blog, despite the attention that software vulnerabilities receive, your most vulnerable attack surface remains your users’ collective web savvy. Training is your most effective weapon for this.
This issue should be of particular interest to teachers tasked with teaching technology in K-12 schools. This is the perfect opportunity to talk to students about online privacy and safety. Myspace is their language, and now you can give them an example that will resonate with them.