Multiple MySpace pages, including the official page of popular R&B singer Alicia Keys, have been hacked and are spewing both socially engineered attacks and behind-the-scenes drive-by exploits, a security researcher said.
Although it's unclear how the MySpace pages were originally compromised, they're now dangerous places to visit, said Roger Thompson, chief technology officer at Exploit Prevention Labs Inc. Among the attacks being served by Keys' page are Trojans that pose as new video codecs; when installed, they actually change the computer's Domain Name System settings to redirect future searches to unauthorized sites -- sometimes porn pages, other times URLs selling bogus security software.
Users wary enough to avoid those attacks may still be nailed, said Thompson, who described how unpatched PCs vulnerable to existing exploits are also infected. "They're using an exploit to install software in the background," he said in a video demonstration of the attack posted on his blog. "So they get you one way or the other."
Talking via instant messaging, Thompson spelled out the attackers' unique tactics. Rather than embed the script that redirects the user to the exploit site in an almost-invisible single-pixel IFRAME, this attack uses a huge 8,000-by-1,000-pixel background "href" tag. "Click anywhere but right on top of a control or link on [Keys'] page, and you end up at the exploit site," said Thompson.
Because Keys' page, like many on MySpace, sports lots of audio and video content, a dialog box requesting that the user install a new ActiveX control or a codec wouldn't be suspicious, Thompson added. "You're already expecting a video, aren't you?"
The codec angle, said Thompson, may point to the hackers who recently expanded their attacks from Windows-only to include Trojans targeting Mac owners. The attackers controlling Keys' page include code that "looks to see what the user agent is, and if it's Safari, they serve up a Mac Trojan," said Thompson.
It was only a week ago that several security vendors, Mac-specific Intego first among them, reported the appearance of a codec Trojan written for Mac OS X.
The exploit site, which carried a Chinese domain, was offline as of 8:00 p.m. EST. Keys' MySpace page had been cleansed of the attack script about an hour prior. According to Thompson, the Keys' page may have been infected as long as five days ago, when users of Exploit Prevention Labs' LinkScanner Pro exploit blocker began reporting that the software was warning of dangerous content on the MySpace site.
Messages left with MySpace seeking comment were not returned.