Identity thieves are manipulating a feature in Apple Computers embedded QuickTime player to launch phishing attacks on the popular MySpace.com social networking portal.
According to a warning by San Diego-based Websense Security Labs, a fast-spreading worm is exploiting the JavaScript support in QuickTime and targeting a MySpace vulnerability to lure users to phishing sites.
The double-barreled attack is replacing legitimate links on users MySpace profiles with links to malicious sites cleverly masked to look legitimate.
“Once a users MySpace profile is infected—by viewing a malicious embedded QuickTime video—that profile is modified in two ways,” Websense said. The links in the users page are replaced with links to a phishing site, and a copy of the malicious QuickTime video is embedded into the users site.
“Any other users who visit this newly infected profile may have their own profile infected as well,” the company warned.
Details of the MySpace vulnerability first surfaced in a Nov. 16 post on the Full Disclosure mailing list that described how MySpaces navigation menu can be replaced with a malicious menu via CSS (Cascading Style Sheets) code in the attackers profile.
The flaw opens doors for a content-replacement attack that could be coupled with a spoofed MySpace log-in page to steal authentication credentials when the target is unexpectedly redirected to the attackers site.
Within weeks, security researchers noticed that rigged QuickTime movies were being used in conjunction with the vulnerability to propagate actual attacks.
Check out eWEEK.coms Security Center for the latest security news, reviews and analysis. And for insights on security coverage around the Web, take a look at Ryan Naraines eWEEK Security Watch blog.