Phishers Attack MySpace with QuickTime Exploit Worm

Security researchers warn that phishers are manipulating QuickTime movies to steal MySpace authentication credentials.

Identity thieves are manipulating a feature in Apple Computers embedded QuickTime player to launch phishing attacks on the popular social networking portal.

According to a warning by San Diego-based Websense Security Labs, a fast-spreading worm is exploiting the JavaScript support in QuickTime and targeting a MySpace vulnerability to lure users to phishing sites.

The double-barreled attack is replacing legitimate links on users MySpace profiles with links to malicious sites cleverly masked to look legitimate.

/zimages/3/28571.gifClick here to read more about the dangers of rigged QuickTime movies.

"Once a users MySpace profile is infected—by viewing a malicious embedded QuickTime video—that profile is modified in two ways," Websense said. The links in the users page are replaced with links to a phishing site, and a copy of the malicious QuickTime video is embedded into the users site.

"Any other users who visit this newly infected profile may have their own profile infected as well," the company warned.

Details of the MySpace vulnerability first surfaced in a Nov. 16 post on the Full Disclosure mailing list that described how MySpaces navigation menu can be replaced with a malicious menu via CSS (Cascading Style Sheets) code in the attackers profile.

/zimages/3/28571.gifFor advice on how to secure your network and applications, as well as the latest security news, visit Ziff Davis Internets Security IT Hub.

The flaw opens doors for a content-replacement attack that could be coupled with a spoofed MySpace log-in page to steal authentication credentials when the target is unexpectedly redirected to the attackers site.

Within weeks, security researchers noticed that rigged QuickTime movies were being used in conjunction with the vulnerability to propagate actual attacks.

Check out eWEEK.coms Security Center for the latest security news, reviews and analysis. And for insights on security coverage around the Web, take a look at Ryan Naraines eWEEK Security Watch blog.