Phishers Attack MySpace with QuickTime Exploit WormBy Ryan Naraine | Posted 2006-12-04 Email Print
Security researchers warn that phishers are manipulating QuickTime movies to steal MySpace authentication credentials.Identity thieves are manipulating a feature in Apple Computer's embedded QuickTime player to launch phishing attacks on the popular MySpace.com social networking portal.
The double-barreled attack is replacing legitimate links on users' MySpace profiles with links to malicious sites cleverly masked to look legitimate.
"Once a user's MySpace profile is infectedby viewing a malicious embedded QuickTime videothat profile is modified in two ways," Websense said. The links in the user's page are replaced with links to a phishing site, and a copy of the malicious QuickTime video is embedded into the user's site.
"Any other users who visit this newly infected profile may have their own profile infected as well," the company warned.
Details of the MySpace vulnerability first surfaced in a Nov. 16 post on the Full Disclosure mailing list that described how MySpace's navigation menu can be replaced with a malicious menu via CSS (Cascading Style Sheets) code in the attacker's profile.
The flaw opens doors for a content-replacement attack that could be coupled with a spoofed MySpace log-in page to steal authentication credentials when the target is unexpectedly redirected to the attacker's site.
Within weeks, security researchers noticed that rigged QuickTime movies were being used in conjunction with the vulnerability to propagate actual attacks.