The fast-spreading attack took hold over the weekend and could be affecting as many as one in three of the social networking site's more than 130 million users, said Chris Boyd, director of malware research at FaceTime Communications.
"It's quite a nasty one," he told SCMagazine.com. "It's all over the place. You've just got to visit a (profile) page with a QuickTime movie on it. It is tempting to advise people to just not use MySpace until they fix it. There's an extremely high probability you will get hijacked by it."
Malicious attackers steal these credentials to send out spam to "friends" of the victim in a section on MySpace pages that permits users to leave comments. The messages say generic things such as "what else is there to do on a Sunday" or "omg did you see this last nite." Below the text is a screenshot of a movie that is "spectacularly pornographic," Boyd said.
Should users click on the screenshot, they will be directed to a pornographic site called "Vidchicks" that contains Zango adware, he said. The site's webmaster profits each time someone installs the adware.
"Obviously the reason behind this attack is financial," Boyd said. "They've gone through a lot of time and effort to spam these things across the MySpace network to drive (victims) to this site."
MySpace officials could not be reached today to comment on the attack.
But Boyd said this functionality opens the door for the attack. An Apple spokeswoman did not return a telephone call seeking comment.
Nigam said users also should be wary of logging into a spoofed MySpace site. Members should always check the address bar to ensure they are inserting their credentials on the real login page.
New Apple QuickTime worm rapidly spreading through MySpace
By Dan Kaplan on Dec 5, 2006 12:20PM