Phishers Attack MySpace with QuickTime Exploit Worm

Identity thieves are manipulating a feature in Apple Computer’s embedded QuickTime player to launch phishing attacks on the popular MySpace.com social networking portal.

According to a warning by San Diego-based Websense Security Labs, a fast-spreading worm is exploiting the JavaScript support in QuickTime and targeting a MySpace vulnerability to lure users to phishing sites.

The double-barreled attack is replacing legitimate links on users’ MySpace profiles with links to malicious sites cleverly masked to look legitimate.

Click here to read more about the dangers of rigged QuickTime movies.

“Once a user’s MySpace profile is infected—by viewing a malicious embedded QuickTime video—that profile is modified in two ways,” Websense said. The links in the user’s page are replaced with links to a phishing site, and a copy of the malicious QuickTime video is embedded into the user’s site.

“Any other users who visit this newly infected profile may have their own profile infected as well,” the company warned.

Details of the MySpace vulnerability first surfaced in a Nov. 16 post on the Full Disclosure mailing list that described how MySpace’s navigation menu can be replaced with a malicious menu via CSS (Cascading Style Sheets) code in the attacker’s profile.

For advice on how to secure your network and applications, as well as the latest security news, visit Ziff Davis Internet’s Security IT Hub.

The flaw opens doors for a content-replacement attack that could be coupled with a spoofed MySpace log-in page to steal authentication credentials when the target is unexpectedly redirected to the attacker’s site.

Within weeks, security researchers noticed that rigged QuickTime movies were being used in conjunction with the vulnerability to propagate actual attacks.

Check out eWEEK.com’s Security Center for the latest security news, reviews and analysis. And for insights on security coverage around the Web, take a look at Ryan Naraine’s eWEEK Security Watch blog.