
MySpace Video Worm Pimps Adult Content

A password-stealing computer worm broke out in the MySpace social-networking universe over the weekend, with the perpetrators using hijacked accounts to blast out junk messages seeking to gin up traffic to several porn sites, including some sponsored by an adware company that just last month settled a landmark $3 million consumer deception case brought by the Federal Trade Commission.

The worm steals victims' usernames and passwords by silently replacing the links in the victim's profile that a MySpace user would normally click to log in to and out of their accounts. Upon clicking one of those links, an unknown number of MySpace users were redirected to multiple third-party sites hosting fraudulent copies of the MySpace login page; credentials typed into those copies went to the attackers rather than to MySpace.

All a MySpace user needs to do to fall victim to the scam is visit an infected user's "about me" page. According to the FaceTime Security Labs blog, a victim's profile page is altered to carry an odd blue site-navigation banner at the top, with all of its links pointing to the same fake MySpace login pages. Infected profiles are also seeded with a copy of the malicious video, which is what passes the infection on to the next visitor.

[Screenshot] Hovering over any of the navigation links in the "about me" page of a MySpace account still compromised by this attack shows that they all try to take the user to the same bogus login pages. (Screenshot by Brian Krebs)
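As an added example, not code from the original post, FaceTime or MySpace, here is a small Node.js check for the symptoms described above: it scans a saved copy of a profile's HTML for navigation links whose visible text promises a login, logout or other site navigation but whose href resolves to a host outside MySpace, notes when the flagged links all share one foreign host (the "same bogus login page" pattern from the screenshot), and lists embedded QuickTime files. The sample profile HTML, the `.test` hostnames and the trusted-host list are constructed for the demo and are not the real hosts involved in the attack.

```javascript
// Added example: detect the worm's symptoms in a saved copy of a MySpace
// profile page. Not code from the original post; all hosts below are placeholders.

// Hosts a genuine MySpace navigation link may resolve to (assumed for the demo).
const TRUSTED_HOSTS = new Set(["myspace.com", "www.myspace.com", "login.myspace.com"]);

// Link text that a user would read as site navigation (login/logout/home/...).
const NAV_WORDS = /\b(log ?in|sign ?in|log ?out|sign ?out|home|browse|search|invite|mail)\b/i;

// Constructed sample: three nav links rewritten to one phishing host, one
// genuine relative link, an unrelated link, and an embedded .mov.
const SAMPLE_PROFILE_HTML = `
<div class="nav">
  <a href="http://login.example-phish.test/myspace/">Log In</a>
  <a href="http://login.example-phish.test/myspace/">Log Out</a>
  <a href="http://login.example-phish.test/myspace/">Home</a>
  <a href="/browseusers.cfm">Browse</a>
  <a href="http://friend.example.test/photos">My Photos</a>
</div>
<embed src="http://videos.example-phish.test/clip.mov" type="video/quicktime" width="1" height="1">
`;

// Minimal anchor extraction; fine for the flat banner the worm injects.
function extractAnchors(html) {
  const re = /<a\b[^>]*?href\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))[^>]*>([\s\S]*?)<\/a>/gi;
  const anchors = [];
  let m;
  while ((m = re.exec(html)) !== null) {
    const href = (m[1] || m[2] || m[3] || "").trim();
    const text = m[4].replace(/<[^>]+>/g, "").replace(/\s+/g, " ").trim();
    anchors.push({ href, text });
  }
  return anchors;
}

// Resolve an href against the page URL and say whether it stays on a trusted host.
// Relative links resolve to the page's own host; javascript: and other non-http
// schemes have no host and are never trusted.
function classifyLink(href, pageUrl, trusted = TRUSTED_HOSTS) {
  let u;
  try {
    u = new URL(href, pageUrl);
  } catch (e) {
    return { verdict: "unparsable", host: null };
  }
  if (u.protocol !== "http:" && u.protocol !== "https:") {
    return { verdict: "non-http", host: null };
  }
  const host = u.hostname.toLowerCase();
  return { verdict: trusted.has(host) ? "trusted" : "foreign-host", host };
}

// Flag nav-looking links that leave the trusted hosts, and report the foreign
// host most of them share (the worm points every nav link at one fake login page).
function analyzeProfile(html, pageUrl, trusted = TRUSTED_HOSTS) {
  const flagged = [];
  for (const { href, text } of extractAnchors(html)) {
    if (!NAV_WORDS.test(text)) continue;
    const { verdict, host } = classifyLink(href, pageUrl, trusted);
    if (verdict === "trusted") continue;
    flagged.push({ text, href, verdict, host });
  }
  const counts = new Map();
  for (const f of flagged) {
    if (f.host) counts.set(f.host, (counts.get(f.host) || 0) + 1);
  }
  let sharedHost = null;
  for (const [host, n] of counts) {
    if (n >= 2 && (sharedHost === null || n > counts.get(sharedHost))) sharedHost = host;
  }
  return { flagged, sharedHost };
}

// List embedded QuickTime files (by .mov extension or MIME type) so they can be
// reviewed or blocked; the worm seeds each infected profile with one.
function findQuickTimeEmbeds(html) {
  const found = [];
  for (const tag of html.match(/<(?:embed|object)\b[^>]*>/gi) || []) {
    const src = (tag.match(/\b(?:src|data)\s*=\s*["']?([^"'\s>]+)/i) || [])[1];
    const type = (tag.match(/\btype\s*=\s*["']?([^"'\s>]+)/i) || [])[1];
    if ((src && /\.mov(\?|#|$)/i.test(src)) || (type && type.toLowerCase() === "video/quicktime")) {
      found.push(src || "(no src)");
    }
  }
  return found;
}

const report = analyzeProfile(SAMPLE_PROFILE_HTML, "http://www.myspace.com/someuser");
console.log(JSON.stringify({ ...report, quicktime: findQuickTimeEmbeds(SAMPLE_PROFILE_HTML) }, null, 2));
```

Run it against the served HTML of a profile: the injected banner is stored in the profile itself, per the FaceTime description, so a plain fetch sees it. A relative link that resolves back to MySpace is left alone, a `javascript:` href is flagged as non-http, and the shared-host field is what separates the worm's "every link to one fake login page" pattern from a profile that merely links out to a friend's site.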

This scam is powered in part by an ill-conceived feature of Apple's QuickTime video player that allows an embedded video file to load Web content, including script, from other sites when it plays. The attack also apparently involved a recently disclosed programming flaw on MySpace's site that allowed MySpace users' profile pages to be manipulated.

Even infected MySpace profiles whose owners have scrubbed the poisoned QuickTime video and malicious links from their pages can expect to be reinfected when other MySpace users on their "friends" lists get hit by the worm, according to an alert sent out by MySpace administrators. Victims should remove infected profiles from their "friends" lists until those users clean up their own pages. MySpace users who notice odd changes to the MySpace site-navigation bar, or unapproved messages being mass-mailed from their accounts, should consider their accounts compromised and change their passwords, since the stolen credentials are what lets the attackers keep posting from those accounts.

I read on one MySpace forum about how infected MySpace accounts sent spam messages promoting pornographic Web sites to random user accounts every six seconds. Such an aggressive attack has the potential to spread quite rapidly among MySpace's 80 million-or-so users.

Users who enter their credentials into one of these password-stealing sites may soon find their accounts being used to blast out junk messages advertising the online adult content to others. Included with the messages, says FaceTime, is a screenshot of a pornographic film that, if clicked, leads the visitor to a porn site linking to a bunch of other porn sites sponsored by embattled adware purveyor Zango. This new fiasco can't look good for Zango: just a month ago the company agreed to pay $3 million to settle Federal Trade Commission charges that it profited through deceptive distribution methods.

Allowing a QuickTime video to silently load interactive JavaScript content and commands seems like a pretty bad idea from a user-protection perspective: the script runs in the context of whatever page is hosting the video, so any site that lets users embed arbitrary QuickTime files is effectively letting them embed arbitrary script. Allowing QuickTime videos to be embedded like that on massive social-networking sites strikes me as an invitation to disaster.

I clicked on a bunch of the navigation links on one infected MySpace blog that I found, and it looks like the links to the scam login pages are presently unreachable. But the bad guys behind this attack are probably already adapting. A MySpace blog called "Burnt Pickle" has an engaging account of the cat-and-mouse game between MySpace administrators and the fraudsters behind this attack, as the bad guys kept adjusting their attacks based on changes the admins were making to the system. The Burnt Pickle says we can expect attacks like these to continue as long as MySpace allows embedded QuickTime files.

"This is just a temp fix though. They'll need to ban QuickTime files if they want to prevent this kind of stuff from happening on a daily basis."

The Pickle may be right. Online scam artists just don't seem to pass up these kinds of opportunities anymore, I'm afraid.

Anyway, Firefox users can use add-ons like NoScript to block sites from loading JavaScript unless specifically allowed. The problem is that NoScript works on a per-domain basis, so a MySpace user who permanently allows MySpace to load JavaScript because he wants to see some wacky MySpace blog that requires it is effectively trusting that the other 79 million-odd users on MySpace aren't trying any funny business with JavaScript: a per-domain whitelist cannot distinguish script the site intends to serve from script a user managed to inject into a profile.

If anyone knows of a NoScript-equivalent add-on for Internet Explorer 7, please drop me a line or leave a comment below with more information. The AdBlock add-on for Firefox can also help users block certain file types, all ".mov" (QuickTime) files, for example, from automatically opening or playing when you merely browse a MySpace page.

By Brian Krebs  |  December 4, 2006; 12:12 PM ET
Categories:  Latest Warnings  