Re: MySpace Shuts Down User Profiles Due To Worm Infection

http://it.slashdot.org/article.pl?sid=06/11/21/2319243&from=rss


I'm not sure if the above article is about the same attack or not.  
The attack in the article is interesting for the following reasons:

1) The fake login box is on a MySpace profile page, so the URL really  
is in the MySpace domain.

So any type of security information displayed to user based on the  
domain name would be consistent with what they should see when  
they're on the real MySpace site ... because they are on the real site.

2) At the time the article went out, if you navigated to the profile  
with the fake log-in in Firefox and you had your username and password in  
its password manager, the fields would be automatically filled in.

3) The other two are interesting, but this one is especially neat  
from a usability point of view  ( ... I'm actually on MySpace, so I  
can comment from the standpoint of a user).

Within MySpace there are certain pages you can view without being  
logged in, and some that require you to be logged in before viewing.  
This means users are accustomed to seeing the log-in prompt displayed  
by the phishing profile at random times ... seeing a log-in after  
clicking on any link doesn't trigger any warning message to the user  
because they've been trained that this is normal behavior for MySpace.

In fact, when I was checking out the article and looking at the  
phishing profile, when I saw the message asking me to log in and  
noticed my credentials were already filled in, I _almost_ submitted  
them because I was talking and clicking around at the same time.  
Luckily I looked back to what I was doing right before I hit enter!

On Dec 6, 2006, at 1:25 PM, Mary Ellen Zurko wrote:

>
> fyi
>
>
> http://www.informationweek.com/security/showArticle.jhtml?articleID=196601356
>
> MySpace Shuts Down User Profiles Due To Worm Infection
> A worm directed victims to a phishing site where they were asked to  
> type in their user name and password, a security firm said.
>
> By Antone Gonsalves,  InformationWeek
> Dec. 4, 2006
> URL: http://www.informationweek.com/story/showArticle.jhtml?articleID=196601356
>
> MySpace over the weekend shut down hundreds of user profiles that  
> had been infected by a worm that directed victims to a phishing site  
> where they were asked to type in their user name and password, a  
> security firm said.
>
> As of Monday, all infected profiles on the popular social network  
> had been taken down, Websense said. Out of the half-dozen phishing  
> sites used in the attack, only one remained operational.
>
> The worm, which was discovered Friday, exploited the  
> JavaScript support within Apple Computer's QuickTime player, which  
> can be embedded in MySpace user profiles. The vulnerabilities were  
> used to replace the legitimate links on MySpace profiles with links  
> to the phishing site.
>
> People logged into MySpace could have their profiles infected by  
> simply visiting an infected profile. The malicious code was able to  
> find visitors' profiles through cookies in the victims' browsers,  
> said Dan Hubbard, VP for security research at Websense. Besides  
> changing links, the worm also embedded the infected video in  
> victims' profiles.
>
> People redirected to a phishing site were asked for their MySpace  
> user name and password. Such information could be useful to gain  
> access to a person's personal social network, making it easier to  
> launch more malicious attacks by posing as the victim in instant  
> messages, Hubbard said.
>
> In October, MySpace had 49 million unique visitors, according to  
> Nielsen/NetRatings. The worm infection isn't the first for the  
> site, which has been attacked in the past by scripts with similar  
> methods of spreading.
>
> In July, a worm spreading through the site embedded JavaScript code  
> into profiles that redirected visitors to a site claiming the U.S.  
> government was behind the 9/11 terrorist attacks.
- Maritza

http://www.cs.columbia.edu/~maritzaj/

Received on Wednesday, 6 December 2006 20:27:56 UTC