Con-men have developed a phishing attack targeting MySpace music fans that highlights the evolving use of social engineering techniques in money-making spam emails.

Junk emails featuring the attack have been spammed out to thousands of computer users around the globe in the last week, to trick them into visiting one of a series of bogus websites that pose as an online music store. The emails typically pose as MySpace contact emails, increasing the chances that prospective marks will be duped by the messages.

The message in the email informs recipients, "You've got a new song from <name> on MySpace!", and invites them to click on a link that directs them to a site claiming to sell MP3 music.

The sites, one example of which only had its domain name registered on 5 October and claims to be based in Lappeenranta in Finland, have no affiliation with MySpace, UK-based security firm Sophos reports.

The goal of the attack is to trick prospective marks into handing over their names and credit card information to fraudsters. In a bid to make the bogus email appear more legitimate, con-men have included fake MySpace boilerplate text in their messages.

MySpace boasts an estimated 43m users, far more than any online bank, so even though their spam emails are being distributed indiscriminatingly they are far more likely to reach users of the targeted service, as net security appliance firm Fortinet notes (http://www.fortinet.com/FortiGuardCenter/advisory/FG-2006-28.html).

Fortinet has recorded more than 50,000 of these spam emails over the past nine days. The attack, which originally targeted surfers in Japan, has spread worldwide and uses a variety of bogus websites. Users foolish enough to attempt to purchase music albums from these sites (offered at $2 or less) will find that their purchases don't do through. The sites are designed purely to harvest credit card details for subsequent fraudulent use. ®

Related stories

MySpace celebrity hacker downs hacking forum (7 December 2007)
http://www.theregister.co.uk/2007/12/07/myspace_celebrity_hack/
Pump-and-dump scammers debut MP3 spam (18 October 2007)
http://www.theregister.co.uk/2007/10/18/mp3_stock_spam/
Siphoning MySpace tunes using Safari (25 August 2007)
http://www.theregister.co.uk/2007/08/25/siphoning_myspace_tunes_with_safari/
MySpace sues Spamford Wallace (28 March 2007)
http://www.theregister.co.uk/2007/03/28/myspace_sues_spamford/
MySpace hackers avoid extortion rap (27 February 2007)
http://www.theregister.co.uk/2007/02/27/myspace_hack_sentencing/
Script wreaks havoc on MySpace (31 January 2007)
http://www.theregister.co.uk/2007/01/31/myspace_spam/
MySpace passes age verification buck to parents (17 January 2007)
http://www.theregister.co.uk/2007/01/17/myspace_zephyr/
Bubble bursts on Web 2.0 site membership claims (10 January 2007)
http://www.theregister.co.uk/2007/01/10/social_networking_user_numbers/
Phishing worm hooks MySpace users (5 December 2006)
http://www.theregister.co.uk/2006/12/05/myspace_phishing_worm/
IE and Firefox blighted by fake login flaw (23 November 2006)
http://www.theregister.co.uk/2006/11/23/fake_login_flaw/
Social Security phishing scam surfaces (9 November 2006)
http://www.theregister.co.uk/2006/11/09/social_security_phishing_scam/
US harbours one-in-four phishing sites (7 November 2006)
http://www.theregister.co.uk/2006/11/07/phishing_stats_october/
Wikipedia Blaster 'fix' points to malware (3 November 2006)
http://www.theregister.co.uk/2006/11/03/wikipedia_blaster_attack/
MySpace tries to block unauthorised tunes (1 November 2006)
http://www.theregister.co.uk/2006/11/01/myspace_gracenotes/
Domain resale market a 'haven' for phishers (31 October 2006)
http://www.theregister.co.uk/2006/10/31/domain_resale_market/
MySpace: social sites will never be friends (18 October 2006)
http://www.theregister.co.uk/2006/10/18/myspace_social_sites_not_friends/
Wired editor smokes out MySpace pedo (16 October 2006)
http://www.theregister.co.uk/2006/10/16/wired_myspace/
Secret Service grills MySpace teen (16 October 2006)
http://www.theregister.co.uk/2006/10/16/teen_myspace_protest/
Social networkers risk losing their identities (4 October 2006)
http://www.theregister.co.uk/2006/10/04/social_networking_security_survey/
Facebook mods controversial 'stalker-friendly' feature (8 September 2006)
http://www.theregister.co.uk/2006/09/08/facebook_climbdown/
A third of dodgy emails are phishing attacks (5 September 2006)
http://www.theregister.co.uk/2006/09/05/august_malware_report/
MySpace adware attack hits hard (21 July 2006)
http://www.theregister.co.uk/2006/07/21/myspace_adware_attack/
Phishers aim to hook MySpace users (5 June 2006)
http://www.theregister.co.uk/2006/06/05/myspace_phishing_attack/
Teen hack suspects charged over MySpace extortion bid (25 May 2006)
http://www.theregister.co.uk/2006/05/25/myspace_hack_charges/