Online criminals are trying to trick MySpace victims into downloading a malicious Trojan Horse by disguising it as a Microsoft update, according to researchers at security vendor McAfee.

The attack is certainly not widespread - McAfee has seen it used on only one MySpace profile - but it does show how sites such as MySpace can be abused by criminals.

Web surfers are presented with what appears to be a pop-up window advising them to download the latest version of Microsoft's Windows Malicious Software Removal Tool, which was released last Tuesday. This software is distributed by Microsoft to help Windows users rid their systems of malware.

In reality, the pop-up window is just part of a larger image that takes up most of the computer screen. If the user clicks anywhere on this image, his computer will then begin to download the Trojan program.

The Trojan, known as TFactory, is a well-known piece of code that has been used by criminals for well over a year, according to Dave Marcus, a security research manager with McAfee.

Hackers were able to launch this attack because they either discovered a flaw in the MySpace code or found a way of taking over user accounts, Marcus said. "Our best guess is [the owner of the one MySpace profile] just got their password and user name phished," he said.

Social-networking sites allow their members to use an array of powerful web programming tools that are increasingly coming under the scrutiny of hackers looking for ways to misuse them.

In November, hackers found a way to serve up web-based attack code from the MySpace profiles of Alicia Keys and a number of other musical artists.

For more security news, reviews and tutorials, see Security Advisor