Online criminals are using a hacked MySpace profile, to trick victims into downloading a malicious Trojan Horse program by disguising it as a Microsoft update, according to researchers at security vendor McAfee.
The attack is not yet widespread - McAfee has seen it used on only one MySpace profile - but it does show how sites such as MySpace can be abused by criminals.
Web surfers are presented with what appears to be a popup window advising them to download the latest version of Microsoft's Windows Malicious Software Removal Tool, which was just releases last Tuesday. This software is distributed by Microsoft to help Windows users rid their systems of malware.
In reality, the popup window is just part of a larger image that takes up most of the computer screen. If the user clicks anywhere on this image, his computer will then begin to download the Trojan program.
The Trojan, known as TFactory, is a well-known piece of code that has been used by criminals for well over a year, according to Dave Marcus, a security research manager with McAfee.
Hackers were able to launch this attack because they either discovered a flaw in the MySpace code or found a way of taking over user accounts, Marcus said. "Our best guess is [the owner of the one MySpace profile] just got their password and user name phished," he said.
Social networking sites allow their members to use an array of powerful Web programming tools that are increasingly coming under the scrutiny of hackers looking for ways to misuse them.
In November, hackers found a way to serve up Web-based attack code from the MySpace profiles of Alicia Keys and a number of other musical artists.