Users who follow the link in the email are directed to a website that appears to be a legitimate MySpace profile, Glen Myers, an engineer at Marshal, told SCMagazineUS.com today.
However, the victim is informed they need to update their Adobe Flash Player to properly view content on the page, he said. Installing the update actually downloads malware onto the user's PC and forces the infected machine to join a botnet.
Then, almost immediately, the zombie computer starts sending similar emails, in addition to phishing messages targeting a major U.S. bank, according to Marshal.
Myers said these types of social engineering attacks are particularly effective because they are attempting to exploit the Web 2.0 mindset.
“The user is willing because they are used to this paradigm where it's someone they know and they posted this content,” he said.
Businesses must decide whether to ban access to sites such as MySpace or YouTube, or to control it through policies and technology, Myers said. Preferably, organizations should cater to their employees and “create a culture where they want to come to work.”
Web content filtering solutions would help, he said.
MySpace spam seeks botnets
By Dan Kaplan on Jan 18, 2008 4:07PM
Researchers at Marshal, an internet security firm, are tracking a new spam campaign in which recipients receive messages inviting them to join MySpace – but a click on the link leads them to a bogus page containing malware disguised as an Adobe update.