MySpace.com is currently under attack from what one security analyst has described as an 'amazingly virulent' attack caused by a worm that steals log-in credentials and spreads spam to promote adware. The worm is infecting MySpace profiles with such efficiency that an informal scan of 150 found that close to a third were infected, said Christopher Boyd, security research manager at FaceTime Communications Inc.
MySpace, owned by News Corp, is estimated to have at least 73 million registered users.
The worm works by using a cross-scripting weakness found around two weeks ago in MySpace and a feature within Apple's QuickTime multimedia player.
If an option in the bogus menu is clicked, the user is directed to a fake login page hosted on another server where the person's log-in details are captured. Websense has posted a screenshot of the fake log-in page.
MySpace's "seemingly random tendency" to expire user sessions or log out users makes it less noticeable to victims that an attack is under way, according to a 16 November advisory by the Computer Academic Underground.
Additionally, the worm places an embedded QuickTime movie on the user's profile, which will then repeat the infection process for anyone who visits the profile.
The worm has another malicious function. Once a profile is infected, the worm sends spam to other people in the user's contact list.
Those spam messages contain a file that appears to be a movie but instead is a link to a pornographic site that also hosts adware from Zango, Boyd said. Zango, formerly 180 Solutions, settled last month with the US Federal Trade Commission for $3m (£1.5m) over complaints it didn't properly ask the consent of users before its adware was installed.
While some of the websites hosting the malicious QuickTime movie have been taken down, others have appeared, Boyd said.
The Firefox 2.0 browser was flagging some of the bogus login sites as phishing sites, Boyd said. However, phishing sites can be active for several hours before they are flagged, he said.
MySpace officials in London couldn't immediately comment this morning.