Fraudsters have launched an attack which aims to trick Last.fm users into handing over their login credentials.

The assault is the latest example of cybercrooks applying phishing techniques towards Web 2.0 sites, such as Twitter and Last.fm, as well as the traditional targets of online banking and ecommerce sites. Part of the reason for this could be that some surfers tend to use the same passwords for low sensitivity sites, such as Last.fm, as well as more sensitive locations, such as webmail and even online banking accounts.

The attack against Last.fm users starts with a message to their Last.fm shoutbox that typically says “hey - check out this blog with ur pic" and an abbreviated URL. Music fans who follow the link are redirected to a faked Last.fm login screen.

The domain associated with the attack is hosted in China and associated with several previous login harvesting attacks, Trend Micro reports. Trend's write-up of the attack, including screenshots, can be found here. ®

Related stories

• Twitter, Facebook urged to improve security (22 July 2009)
• Dell tweets $3m in revenues (12 June 2009)
• Last.fm co-founders pack up record boxes (11 June 2009)
• Fake Outlook config scam aims to harvest logins (3 June 2009)
• MP 'devastated' over Facebook profile hack (1 June 2009)
• Judge throws the book at phishing fraudster (28 May 2009)
• Twitter typosquatting site preys on gullible (21 May 2009)
• Facebook users warned over renewed phishing assault (15 May 2009)
• Twitter breach gives behind-the-scenes Obama peek (30 April 2009)
• Last.fm goes payware (25 March 2009)
• Last.fm denies data handover to RIAA (23 February 2009)