Singers MySpace Page Hacked, Cleaned, Rehacked

Updated: MySpace promptly cleaned up Alicia Keys' booby-trapped page, which was promptly reattacked.

MySpace has been breached by an attacker whos planted malware and a fake codec on a number of musicians sites, most notably, that of Alicia Keys, a popular singer whose site was booby-trapped, cleaned up for a few hours and promptly rehacked.

Exploit Prevention Labs Roger Thompson said in a Nov. 8 posting that MySpace fixed Keys page, which had been rigged with an HREF image reference to the fake codec, within hours of EPLs having posted a videotape of the exploit.

Hours after getting cleaned up, the site was once again crawling with malware that would snare anybody with an unpatched system who even came close to clicking on anything on the page. Thats because of a new twist that an EPL spokesman said hasnt been seen before: The HTML in the page contains some sort of very large image map that spans 8,000-by-1,000 pixels.

"A click that slightly misses a control or link on the page ends up going to the exploit site," Thompson said in his posting about the initial site compromise.

The malware is being hosted in China and is installing rootkits and probably DNS (Domain Name System) changers, he said. DNS changers are the same thing being installed by a well-known family of Windows Trojans, the controllers of which have recently started targeting Macs as well.

DNS changers are also a well-known calling card of the Russian Business Network, an infamous ISP that hosts a gamut of online nastyware, from child porn sites to money laundering.

"This could easily be the same group that recently started watching for Mac users and offering a Mac Trojan as needed, and if thats so, will also add to the effectiveness of the attack," Thompson wrote.

The original hack—to the HTML image reference—disappeared from the HTML after MySpace cleaned it up, only to be replaced with a similar HREF image reference, to, within a few hours of being clean.

When a visitor visits the infected page, theyre first hit by an exploit that installs malware in the background if their system is not fully patched against the latest security vulnerabilities. The victim is next presented with the fake codec, with a message telling them they need to install a codec to view the video. The attack is thus multilayered and still has a chance to ensnare users with fully patched systems if they click on the fake codec.

The chance that a MySpace user would click on a link to download a codec are good, Thompson said.

"The fact that this site is media-rich, with lots of sound and videos, means that the fake codec trick will be much more effective," he said in his first posting. "The clicker is probably expecting to see a [video] or hear a song and is quite likely to think he genuinely needs to install something extra."

MySpace has been the target of a rising number of attacks, Thompson said, including a number of links added purportedly as comments from friends at the end of October. Those bogus comments linked via MySpaces open-redirector (MSPlnks) to exploit sites in China, he said.

The intricacies of the URLs led to it being impossible for humans to detect the bad links. "All myspace friend-comments seem to automatically redirect thru MSPlinks, probably as a way to try to filter out spam and phishing, but a downside is that the URL is base64-encoded, and is thus impossible for a human being to eyeball, and therefore possibly reject ... the effect of the well-intentioned msplinks is thus to make an open-redirector," Thompson said.

In June, MySpace was also hit by a worm that was turning users sites into bots to serve phishing scams and viruses, using "fast flux" to hide its phishing and malware delivery sites behind ever-shifting networks of proxy servers that are next to impossible to track down.

The current attack is worrisome in that it doesnt amount to a simple case of crooks getting their hands on musicians user names and passwords. Other bands that have been hit by the same attacker or attackers include the French funk band Greements of Fortune and the Glasgow rock band Dykeenies.

Whats not clear, Thompson said, is how the attackers are compromising MySpace, nor how widespread the attack is, given that neither Google nor MySpace was indexing the malevolent piece of HTML as of Nov. 8. A quick Google search Nov. 9 similarly led only to victims testimony or news reports.

MySpace provided a statement that gave no clue as to how widespread the attack has been, how many sites were affected, nor how the attackers penetrated MySpaces defenses twice in a few hours. The company did say, however, that phishing is illegal and that MySpace doesnt like it.

"Individuals who try to phish our members are violating the law and are not welcome on MySpace. We have blocked and removed the source of this phishing attempt and restored the profile," the statement reads.

Editors Note: This story was updated to include MySpaces statement.

Check out eWEEK.coms Security Center for the latest security news, reviews and analysis. And for insights on security coverage around the Web, take a look at eWEEKs Security Watch blog.