Archive for June 2008

Dangerous MySpace Spam

Posted by: Tom

I have been doing lots of research over the last few months on online social networking sites to prepare for an upcoming talk that I am going to be giving on the latest threats to social networks...in particular MySpace, Facebook and LinkedIn.

Tonight I received a new friend request from someone named "Elysabeth" in my email. Clicking on the link in the email takes you to the legitimate MySpace Friend Request Manager page, which shows the request below:

Elysabeth wants to be your friend..really!

Clicking on the picture takes you to the profile of Elysabeth. Check out the picture below of what the profile looks like after clicking through to it.

EDIT: I didn't edit out the MySpace profile URL in the picture so don't hit up the URL and click on anything if you don't want to risk being infected!

Notice anything strange...like the Windows Update notification pop-up? Looks pretty real, huh? Clicking anywhere on the first half of the page pops up the dialog you see on the right side to download a .exe file...some nice malware for you to install. Enjoy! (only on a Windows box... :-) ) It is interesting to note that if you scroll down the page past the malware banner, it looks like a legitimate MySpace profile. My guess is that this profile was hijacked either through XSS or some other third-party application vulnerability...the real owner probably has no clue.
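The lure described above boils down to user-controlled profile HTML that wraps a page-covering image in a link to an executable hosted elsewhere. The following is an added example (not code from the original post and not anything MySpace runs) of the kind of check a site could apply to profile markup before rendering it: it walks the HTML with the standard-library parser and flags click targets and embedded resources that point at executable files, at hosts outside an assumed trusted list, or that wrap an oversized clickable banner. The sample profile, the `example.invalid` hosts and the `myspace.com` trusted-host default are constructed assumptions for the demonstration.

```python
import posixpath
from html.parser import HTMLParser
from urllib.parse import urlparse

# File extensions a profile page should never hand a visitor as a click target.
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".msi", ".hta"}

# Tag -> attribute that names a navigation target or an embedded resource.
URL_ATTRS = {"a": "href", "area": "href", "iframe": "src",
             "script": "src", "embed": "src", "object": "data"}

# A clickable image at least this wide is treated as a page-covering banner
# (threshold is an assumption for the example).
BANNER_MIN_WIDTH = 600


class ProfileLinkScanner(HTMLParser):
    """Collect (where, url, reason) findings from user-controlled profile HTML."""

    def __init__(self, trusted_hosts):
        super().__init__()
        self.trusted_hosts = trusted_hosts
        self.findings = []
        self._open_anchor = None  # href of the <a> we are currently inside

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)  # HTMLParser lowercases attribute names
        attr = URL_ATTRS.get(tag)
        if attr and attrs.get(attr):
            self._check(tag, attrs[attr])
        if tag == "a":
            self._open_anchor = attrs.get("href")
        elif tag == "img" and self._open_anchor:
            # A huge image wrapped in a link is the "click anywhere" lure.
            try:
                width = int(attrs.get("width", "0"))
            except ValueError:
                width = 0
            if width >= BANNER_MIN_WIDTH:
                self.findings.append(("img-in-link", self._open_anchor,
                                      "large clickable banner (%dpx wide)" % width))
        elif tag == "meta" and attrs.get("http-equiv", "").lower() == "refresh":
            # <meta refresh> is another way to push the visitor to a download.
            content = attrs.get("content", "")
            idx = content.lower().find("url=")
            if idx != -1:
                self._check("meta-refresh", content[idx + 4:].strip())

    def handle_endtag(self, tag):
        if tag == "a":
            self._open_anchor = None

    def _is_trusted(self, host):
        return any(host == t or host.endswith("." + t) for t in self.trusted_hosts)

    def _check(self, where, url):
        parsed = urlparse(url)
        ext = posixpath.splitext(parsed.path)[1].lower()
        reasons = []
        if ext in EXECUTABLE_EXTS:
            reasons.append("executable download")
        if parsed.hostname and not self._is_trusted(parsed.hostname):
            reasons.append("off-site host " + parsed.hostname)
        if reasons:
            self.findings.append((where, url, ", ".join(reasons)))


def scan_profile(html, trusted_hosts=("myspace.com",)):
    """Return a list of (where, url, reason) findings for one profile page."""
    scanner = ProfileLinkScanner(tuple(trusted_hosts))
    scanner.feed(html)
    scanner.close()
    return scanner.findings


# Constructed sample modelled on the post's description: a fake "Windows
# Update" banner that links straight to an .exe, followed by ordinary content.
SAMPLE_PROFILE = """
<html><body>
<div id="banner">
  <a href="http://example.invalid/update/WindowsUpdate.exe"><img src="update.gif" width="800" height="400" alt="Windows Update"></a>
</div>
<a href="http://www.myspace.com/friends">Friends</a>
<a href="/photos">Photos</a>
<iframe src="http://tracker.example.invalid/t.html"></iframe>
</body></html>
"""

if __name__ == "__main__":
    for where, url, reason in scan_profile(SAMPLE_PROFILE):
        print("%-12s %-50s %s" % (where, url, reason))
```

Run against the sample, the scanner reports the banner link twice (once as an executable, off-site click target and once as an oversized clickable image) plus the off-site iframe, while the on-site `Friends` and relative `Photos` links pass. A real deployment would extend the extension list, resolve relative URLs against the profile's base, and treat the off-site finding as a policy question rather than a verdict, since legitimate widgets are also hosted off-site.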

On a related note, I just read an article on how Paris Hilton and Lindsay Lohan just had their private photos downloaded because of a flaw in a Yahoo/MySpace widget. It looks like Yahoo/MySpace fixed this flaw pretty quickly tonight, but it goes to show that third-party applications and widgets are another popular attack vector.

One more update...Mediaphyter posted a link tonight to the 10 Social Networking Security Trends To Watch. A must-read on the latest online social networking threats.