MySpace Phishing, Spyware, Identity Theft

Let me say first off that I am, generally, a MySpace fan. I’m active on there, and my teenage son and my two older stepsons all have accounts.

But you’ve got to be careful on there. Last Thursday I spent the better part of a day cleaning off spyware and a Trojan virus from my son’s machine. I had some precautions in place, but obviously not enough. I won’t go into the whole story, but we’re about 98% sure that it came not directly from MySpace, but from the page of someone who sent my stepson a private message.

It was a particularly nasty virus, known as a keylogger, which records keystrokes from your computer and sends anything interesting — user names and passwords, credit card numbers, social security numbers, etc. — to a hacker somewhere who collects them, presumably for identity theft purposes.

Turns out there’s another little disturbing fact about MySpace that I was unaware of… it seems you don’t have to actually have a valid e-mail address to use MySpace. In fact, apparently you can register under someone else’s address, as Auren Hoffman writes about in Assuming an Identity on MySpace:

That’s right … I can sign up on MySpace under your email address and assume your identity. MySpace does send an email to verify the email address – but you do not have to click on the verification email to use MySpace. You can still do everything on MySpace you’d always do – like creating an account, adding pictures, adding friends, and generally being active on MySpace. You can assume anyone’s identity on the number one site in America. But this is only if that email address was not used to sign up for an account.

He goes on to note that many people will just ignore the verification e-mail from MySpace, thinking that it’s not a valid one – perhaps a phishing scam – since they didn’t sign up themselves. If they ignore it, though, then someone else now has a MySpace account in not only their name, but their e-mail address as well.

The danger? Auren explains:

Though this can be fun and tame … like me signing up as Clark Kent @ superman.com … it can also be used for malicious purposes. Someone can assume another person’s identity, get people to trust them, and be fooled when that person goes to verify their email address in MySpace (which is the only way to verify someone today).

So what can you do to protect yourself?

First, install good anti-virus and anti-spyware software. If you just want to pay for this, you’re welcome to, but there are some excellent free solutions out there. I have tried most of them, and the ones that in my experience consistently find and fix things the others can’t are AVG Anti-Virus and Anti-Spyware.

Beyond that, MySpace offers some safety tips, but they fall way short. At the other end of the spectrum, I think some of the parent-oriented sites and privacy-advocate sites go a little overboard. I recommend Rock Safe from MyCityRocks, which offers practical and realistic guidelines to help users of social networking software protect their identity and participate safely.

Finally, download a free copy of The Virtual Handshake and read Chapter 16 on Privacy & Safety.

Have fun, be safe, and feel free to stop by and connect with me on MySpace.