Leading social networking site MySpace was forced to shut down hundreds of user profile pages after a combination worm and phishing attack struck the site over the weekend.
The worm, discovered late last week, targeted the JavaScript support code associated with Apple’s QuickTime player in conjunction with a vulnerability in MySpace itself. MySpace enables users to embed the QuickTime video and audio player into their personal pages.
On the pages hit by the attack, the worm converted legitimate links to those that brought users to a phishing site that attempted to obtain personal information, including their MySpace username and password. Having that information could enable a third party to pose as a MySpace user and perform additional fraudulent activities.
MySpace did not respond to requests for comment. Also, it was not clear whether any MySpace users had fallen victim to the phishing scam, but Websense Security Labs, which first reported the attack over the weekend, said MySpace had apparently removed all profiles that had been affected by the attack by late Monday. All but one of the phishing sites had been shut down as well, Websense said.
The attacks are not the first to target MySpace users, and the site will likely find itself more in the crosshairs of hackers and malicious code writers.
Top of the Charts
For one thing, the site is now among the most popular on the Internet — Hitwise reported it surpassed Yahoo as the most visited site in the U.S. over the summer.
In addition, the linked-together nature of MySpace, which encourages users to build out their network of “friends” by creating links with others they don’t yet know, may lend itself to the type of social engineering required to make phishing attacks effective.
Websense noted that the latest attack exploited a vulnerability in MySpace itself that was widely announced two weeks ago through the Full Disclosure mailing list.
Users had their profiles infected by viewing a QuickTime video that contained the malicious code. Links on their page were then replaced with links to the phishing site and the video itself was loaded onto the page.
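The two symptoms described above, navigation links rewritten to point at an off-site phishing page and a QuickTime player loaded into the profile, are what a defender would scan profile HTML for. The following is an added example, not code from the article or from MySpace or Websense; the trusted hosts, the navigation labels and the sample page are constructed assumptions.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed: the site's own hosts and the labels of its built-in navigation links.
TRUSTED_HOSTS = {"myspace.com", "www.myspace.com"}
NAV_LABELS = {"home", "browse", "search", "mail", "blog", "videos", "music"}


class ProfileScanner(HTMLParser):
    """Collect anchors (href, visible text) and embedded media from a page."""

    def __init__(self):
        super().__init__()
        self.links = []   # list of (href, visible text)
        self.embeds = []  # list of (mime type or classid, src/data URL)
        self._current = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "a" and a.get("href"):
            self._current = [a["href"], ""]
        elif tag in ("embed", "object"):
            self.embeds.append((a.get("type") or a.get("classid") or "",
                                a.get("src") or a.get("data") or ""))

    def handle_data(self, data):
        if self._current is not None:
            self._current[1] += data

    def handle_endtag(self, tag):
        if tag == "a" and self._current is not None:
            self.links.append(tuple(self._current))
            self._current = None


def off_site_host(href):
    """Return the host of an absolute link that leaves the trusted site, else None."""
    host = urlparse(href).hostname
    return None if host is None or host.lower() in TRUSTED_HOSTS else host


def scan_profile(html):
    """Flag navigation-looking links that leave the site, and QuickTime embeds."""
    p = ProfileScanner()
    p.feed(html)
    rewritten = [(text.strip(), href) for href, text in p.links
                 if text.strip().lower() in NAV_LABELS and off_site_host(href)]
    quicktime = [src for mime, src in p.embeds
                 if "quicktime" in mime.lower() or src.lower().endswith(".mov")]
    return {"rewritten_links": rewritten, "quicktime_embeds": quicktime}


# Constructed sample: two genuine nav links, one rewritten nav link, one legitimate
# off-site link in the user's own content, and an embedded QuickTime clip.
SAMPLE = """<a href="http://www.myspace.com/">Home</a>
<a href="/browse">Browse</a>
<a href="http://login.example.net/myspace/">Home</a>
<a href="http://band.example.org/">My band's site</a>
<embed type="video/quicktime" src="http://media.example.net/clip.mov">"""
```

Only the "Home" link pointing at login.example.net and the QuickTime embed are flagged; the band link stays off the report because it is not a navigation label.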
In June, Websense warned of a phishing attack aimed at MySpace users. In that case, users were receiving instant messages purporting to be from fellow members.
Instead, the messages contained links to a phishing site that was designed to look like the main MySpace home page. If users logged in through the site, the phishing site captured their usernames and passwords.
Open Doors, Let in Worms?
Some security experts believe the reams of user-generated content that are the bulwark of so-called Web 2.0 applications make it easier for some types of viruses to spread, and may even make such sharing sites more common vehicles for spreading viruses and other malware than e-mail.
Last month, the popular Wikipedia, which lets users update entries, was hacked, allowing a page loaded with malicious code to be added to the site.
“A big part of making these types of attacks, especially phishing attacks, effective is the social engineering that goes into it,” Sophos Senior Technology Consultant Graham Cluley told TechNewsWorld. “The MySpace brand has quickly become a household name. It was only a matter of time before spammers jumped on its popularity for illegal purposes.”
Cluley noted that a spam attack in October tried to direct recipients to a fake MySpace page under the guise of a free music offer, and that in early 2005, a New York teenager was arrested for spamming 1.5 million users of the then-nascent MySpace, suggesting malicious code writers and phishers have long recognized the opportunity the MySpace user base represents.
“Any company on the Web that sees the kind of growth MySpace has experienced is bound to become a target,” he added.