MySpace users warned of drive-by exploit attack

Researchers are warning of a widespread MySpace drive-by exploit attack meant to compromise machines so more highly-profitable phishing schemes remain successful.

MySpace users become infected when they visit a profile page containing malicious JavaScript and then are silently redirected to an Internet Explorer exploit, which was patched in April, Johannes Ullrich, chief research officer of the SANS Internet Storm Center, told SCMagazine.com today.

The exploit installs a common proxy network bot, known as a flux bot, which is used to hide phishing sites behind constantly changing proxy servers, Ullrich explained. The cybercriminals, in other words, use their newly compromised PCs to hide the tracks of unrelated phishing scams targeting banks and other financial institutions.

"It’s lends some secrecy to the scam and it makes it harder to shut down," he said. "Now, the actual machine (the victim) is connected to get to the phishing site changes by the minute. You can’t easily block them. It’s not that obvious."

The botnets are also being used to send spam, Ullrich said.

Potentially thousands of MySpace pages could be infected with the malicious worm, but the infected profiles are "being shut down really quickly," he said.

A spokesperson for MySpace, which has more than 100 million members, could not be reached for comment.

Ullrich said cyberthieves traditionally tailor their worms for MySpace and other social networking sites because of the younger demographic that use them.

"It has a lot of non-technical users who do not patch their browsers," he said. "People are not that careful. They may visit MySpace thinking [it’s] a big a company and not realising the content of the pages comes from the average user."

MySpace has been the victim of a number of attacks over the past year. Vincent Weafer, head of Symantec’s Global Security Response, said MySpace users are often easily duped into giving up their credentials.

"If I can get into your trusted group, I may be able to get information out of you," he said.

Colin Whittaker of Google’s Anti-Phishing Team wrote on the company’s security blog recently that many users are tricked into giving their usernames and passwords so crooks can send spam from their account or – worse – use that same log-in information to access their bank accounts.

Sign up to our newsletters