Understanding the QuickTime/MySpace Phishing Threat
by , 7:55 AM EST, December 5th, 2006
Reports of phishing exploits on MySpace Web pages that host QuickTime files have reached a fevered pitch - unfortunately most of those reports are slim on details. The potential threat is real, but understanding what it is can help you avoid accidentally giving up your personal information.
What It Is
The phishing threat on MySpace takes advantage of QuickTime's ability to automatically play Web page movies and open URLs. These features are used for legitimate purposes all the time, but they can also be used to unknowingly redirect someone to an alternate Web page or run malicious JavaScript code.
In this case, code is being used to trick users into giving up personal information: A phishing scam.
How It Works
Since this threat is being used on the MySpace social networking Web site, you first need to have a MySpace User Profile of your own. If you are logged into MySpace and view a maliciously crafted QuickTime file on someone else's MySpace page, JavaScript code can be added to your MySpace page that makes changes to your user profile.
The malicious QuickTime file can modify your MySpace page by adding links to fake MySpace pages that collect user names and passwords. The file can also copy to your account without your interaction.
What You Can Do
Avoid playing QuickTime movies and audio files on MySpace profile pages. Disabling QuickTime's auto-play feature is a good idea, too. Here's how:
Disable QuickTime's auto-play feature. |
---|