Tuesday, November 13, 2007

MySpace Still Denies Security Holes

News Factor Network 12/11/2007
Website: http://www.newsfactor.com

Alicia Keys' MySpace page isn't the only profile to be hacked with malware. Some 8,000 band profiles have been hacked in the exact same way -- and many of those profiles are still linked to malware sites, according to security researcher Chris Boyd, who first posted information about the attack on October 31.

MySpace has denied that there is a security problem with the social-networking site, saying that the bands that were hacked fell victim to phishing attacks, which compromised their profile passwords.

Writing on his VitalSecurity blog, Boyd said MySpace's explanation defies rational thinking. "This is patently nonsense," Boyd wrote. "What -- an endless stream of bands, record labels, music newspapers, and producers all woke up yesterday and forgot what the real MySpace Web site looks like? Give me a break."

'Bubbling Scum of Malware'

The fact that Keys' profile was rehacked after MySpace announced it had been cleaned belies the notion that phishing is responsible, said Andrew Storms, director of security operations for nCircle. "I tend to agree that there is a yet-to-be-reported problem with MySpace," Storms said. "MySpace has gotten a bad rep as a bubbling scum of malware," he added. "It's where people go to incubate their malware."

In the so-called Alicia Keys hack, malware authors inserted a very large transparent background image on the site, linked to the malware being hosted in China. "It's a classic drive-by attack," Storms said. "The user doesn't even have to click." Simply by mousing over the page, users are inviting the malware onto their system.

"The first attempt is to install it automatically," Storms said. If that doesn't work, the malware presents a prompt, saying that a new codec is needed to play a video. By default, browsers are set to prompt the user before installing software, but they also present an option to download automatically, which many users choose, Storms said.

"You know a site has got problems when the only surefire solution to not be subjected to hack attacks and dubious redirects is to not use it. But that's currently where we are. Well played, MySpace," Boyd wrote on his blog.

MySpace Should Act Soon

Making matters worse, MySpace has simply deleted many affected bands' profiles, including their content and friend information, without so much as a warning, according to press reports. Vaughn Atkinson, guitarist with the British band JetKing, said MySpace deleted the band's profile and has refused to restore it from backup. Many little-known bands are in similar straits, Boyd said.

"So you can imagine how angry a lot of these bands are when they've gone and built that complex network of friends, people who spread the word about their music, promoters, upcoming shows, and a lot more besides and then -- whoops. No more MySpace page."

As this story continues to grow, Storms said, MySpace will have to take action. "MySpace is going to have to come out soon with some more information," he said. "They're going to have to say we've identified the security problem and it's been fixed or we've reset all these profiles -- or both."

While to some degree bands "get what they pay for" -- nothing, in this case -- MySpace should treat all users the same, Storms added. "If this kind of hacking continues, they're going to have to offer some sort of user-initiated rollback," he said.
