R&B recording artist Alicia Keys’ MySpace page was hacked not once but twice this week, according to Exploit Prevention Labs.
The first attack, likely done early in the week, affected visitors viewing virtually any part of Keys’ page, Exploit Prevention’s Chief Technical Officer Roger Thompson reported on Thursday. For visitors running unpatched Windows machines, it would install malware in the background. Then, it used the promise of a Keys video with a fake codec to lure victims into manually launching an exploit that would infect patched machines as well.
“It gets you one way or another,” Thompson said in his YouTube video illustrating the hack. Either way, the result would “probably install a root kit or change your DNS (domain name system) to point to their DNS.”
“It’s very dangerous,” he added.
The attack used an href code, not an iFrame, and was perpetrated in just one line of the 2,900 underlying Keys’ page. The guilty party, Thompson found, was a site known as “c08vd.cn/s.”
Within a few hours of Thompson’s original report, that hack was fixed by MySpace. Amazingly, just a few hours later, another attack on Keys’ page was made, this time with an href image reference to acilot.cn/s/, Thompson reported on his blog.
Casting a Wide Net
“This is an interesting technique and is going to catch a lot of people,” Thompson said. Fake codecs wouldn’t work well in a more text-based context, but in a media-rich page such as on MySpace, “there’s every expectation you’ll get a video, and it’s not unreasonable to think you might have to install something.”
The big question, he added, is how many other pages at MySpace have the same link maliciously installed. Thompson has uncovered a few, but the link is not indexed by either MySpace or Google, so “we have no way to determine just how widespread it is,” he said.
In addition to using the media-rich context of MySpace, where users fully expect to launch videos and players, the attack also exploits the trust on which many social networking sites are built, Rob Enderle, president and principal analyst with Enderle Group, told TechNewsWorld.
Abuse of Trust
“This points to one of the problems in the social networking space, which is that they are based on trust,” Enderle explained. “Someone else can take advantage of that trust and the people using the trusted site.”
The same kind of trust abuse is behind the problems some social networking sites have had with sexual predators, Enderle noted.
This type of attack is very common; what’s new is that it used the pretext of MySpace, added Johannes Ullrich, chief technology officer at the SANS Institute.
The combination of video prevalence plus the trust of the site makes it easier to get unsuspecting victims to follow malicious links, Ullrich told TechNewsWorld.
Difficult to Prevent
Unfortunately, there is not much MySpace or users can do to prevent this type of attack from happening again, Ullrich said
“MySpace gives users the platform to create pages at will, but they can’t validate every single link people put on their pages,” he explained. “They have some systems in place, but those are limited to detecting known bad links.”
As a result, such attacks will likely become a trend, Enderle said.
“The folks doing these phishing attacks are doing it largely to make money, and they will use any mechanism possible,” he said. “Social networking sites are an ideal mechanism.”
The attack suggests that users should take extra care in controlling who they invite as friends, but for entertainers and other public figures, it may mean MySpace is not the best way to stay in touch with fans, Enderle said.
‘If in Doubt, Don’t Watch It’
“How can an entertainer possibly vet all their fans?” he noted. “Using social networks may be cheap, but the trade-off could be exposing their entire fan base.”
In general, users should be cautious about installing players and codecs, Ullrich added.
“It’s hard to teach users not to install them, and the dialog box differences are very subtle in malicious ones,” he noted. “It’s asking too much of users to expect them to be able to recognize them.”
The only rule of thumb is, “if in doubt, don’t watch the video,” Ullrich concluded. “Ask yourself if it is really worth watching the video and risking getting infected.”