Original URL: http://www.theregister.co.uk/2006/12/05/myspace_phishing_worm/
In Brief A worm exploiting JavaScript support within Apple's embedded QuickTime player has spread across the MySpace network.
The worm is being used in conjunction with a MySpace vulnerability (http://seclists.org/fulldisclosure/2006/Nov/0275.html), recently reported on a security mailing list, to replace legitimate links on a user's MySpace profile with links pointing towards a phishing site. The attack attempts to trick users into handing over MySpace login credentials and into visiting a pornographic website contaminated with Zango adware, FaceTime Security reports (http://blog.spywareguide.com/2006/12/myspace_phish_attack_leads_use.html).
Once a user's MySpace profile is infected (which happens when they view a malicious embedded QuickTime video) their links are doctored and a copy of the malicious QuickTime video is embedded into the user's site, web security firm WebSense said (http://www.websensesecuritylabs.com/alerts/alert.php?AlertID=708). Other users who visit an infected profile may then pass on the infection.
An infected profile can be identified by the presence of an empty QuickTime video or modified links in the MySpace header section, it adds. ®