Last.fm phish strikes a bum note

Fraudsters have launched an attack which aims to trick Last.fm users into handing over their login credentials.

The assault is the latest example of cybercrooks applying phishing techniques towards Web 2.0 sites, such as Twitter and Last.fm, as well as the traditional targets of online banking and ecommerce sites. Part of the reason for this could be that some surfers tend to use the same passwords for low sensitivity sites, such as Last.fm, as well as more sensitive locations, such as webmail and even online banking accounts.

The attack against Last.fm users starts with a message to their Last.fm shoutbox that typically says “hey - check out this blog with ur pic" and an abbreviated URL. Music fans who follow the link are redirected to a faked Last.fm login screen.

The domain associated with the attack is hosted in China and associated with several previous login harvesting attacks, Trend Micro reports. Trend's write-up of the attack, including screenshots, can be found here. ®