Social networks are often subject to phishing, and today MySpace is the target. MX Lab intercepted some messages from MySpace <firstname.lastname@example.org> – where * stands for a random letter and number combination. The from address is obviously spoofed.
The body of the email:
Dear MySpace user!
Please be informed that you are required to update your MySpace account.
Please update your MySpace account by clicking here:
If you’re unable to click on the link above, copy and paste it into your browser’s address bar.
At MySpace we care about your privacy. This email is never sent unsolicited.
If you think you’ve received this email in error, or if you have any questions or concerns regarding your privacy, please contact us at:
8391 Beverly Blvd. #349
Los Angeles, CA 90048
©2003-2009 MySpace.com. All Rights Reserved.
The domains included in the messages are fast-flux domains, used to avoid Intent Analysis. The domain in this case is registered with the following details:
iuuuujef.co.uk

Registrant:
    Joe Tentpeg

Registrant type:
    Non-UK Individual

Registrant's address:
    5556 Butt hole Court Bum diddle 66545 Belgium

Registrar:
    Webfusion Ltd t/a 123-Reg.co.uk [Tag = 123-REG]
    URL: http://www.123-reg.co.uk

Relevant dates:
    Registered on: 09-Nov-2009
    Renewal date:  09-Nov-2011
    Last updated:  10-Nov-2009

Registration status:
    Registration request being processed.

Name servers:
    No name servers listed.

WHOIS lookup made at 11:19:48 10-Nov-2009
When we performed WHOIS lookups for the other domains involved, we noticed some irregularities. The registrant name is different each time, but the address doesn’t fit at all. The zip code doesn’t match the country, because zip codes in Belgium are based on 4 numbers. We can assume that the registrant used different details for registration in order to avoid detection by the registrar.
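The zip code check described above can be automated when triaging WHOIS records for suspicious domains. The following is an added example, not MX Lab's code: the function names, the Germany and France rows, and the "last digit run before the country name" heuristic are assumptions made for illustration.

```python
import re

# Constructed sample: the WHOIS record quoted in this article, one field per block.
SAMPLE_WHOIS = """\
iuuuujef.co.uk
Registrant:
    Joe Tentpeg
Registrant type:
    Non-UK Individual
Registrant's address:
    5556 Butt hole Court Bum diddle 66545 Belgium
Registrar:
    Webfusion Ltd t/a 123-Reg.co.uk [Tag = 123-REG]
Name servers:
    No name servers listed.
"""

# Postal code shape per country. Belgium's 4 digits is stated in the article;
# the other two rows are added for illustration.
POSTCODE_FORMATS = {"Belgium": r"\d{4}", "Germany": r"\d{5}", "France": r"\d{5}"}

def parse_whois(text):
    """Map each 'Label:' line to the indented value lines that follow it."""
    fields, label = {}, None
    for line in text.splitlines():
        if not line.strip():
            continue
        if not line[0].isspace() and line.rstrip().endswith(":"):
            label = line.strip()[:-1]
            fields[label] = []
        elif label is not None and line[0].isspace():
            fields[label].append(line.strip())
    return fields

def postcode_mismatch(fields):
    """Return (country, postcode) when the registrant's postcode does not fit
    the country's format, or None when it fits or cannot be judged."""
    address = " ".join(fields.get("Registrant's address", []))
    for country, pattern in POSTCODE_FORMATS.items():
        if address.endswith(country):
            # Heuristic: the postcode is the last digit run before the country name,
            # so a leading house number such as "5556" is not mistaken for it.
            digits = re.findall(r"\b\d+\b", address[: -len(country)])
            if digits and not re.fullmatch(pattern, digits[-1]):
                return country, digits[-1]
    return None
```

A mismatch is a signal worth correlating with other indicators, such as a different registrant name on every related domain, rather than a verdict on its own.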