
Websense Security Labs has started seeing more spam bots on MySpace using increasingly clever techniques. Websense Labs previously reported a MySpace profile hack (New MySpace Link Hack in Use). A new twist has now appeared in these socially engineered profile tricks, one that could readily be put to malicious use.



The profiles are built so that all of the real MySpace profile areas are hidden. In their place the profile displays an image served from another location, embedded as an input type=image inside a form. An image input is a submit control, not a link: clicking it submits the enclosing form to whatever action URL the form names, on any domain. This old trick has long been used in the Web security space to perform cross-domain attacks. In Firefox, hovering the mouse over the image does not show the destination URL in the status bar at the bottom, as an ordinary link would, so the user gets no visual cue about where a click will actually go.



Screenshot of Profile:





The image itself is socially engineered to entice the user into clicking several areas of it. For example, it reproduces elements that would normally be safe to click, such as "Send Message"; any click on the picture submits the form to the remote site. This technique can easily be adapted for malicious purposes, such as drive-by installers, MySpace phishing, and so forth.



Screenshot of Source:





MySpace has a built-in security feature that warns the user when a form on a profile submits to another site. However, it seems to rely on a "Submit" button being present to recognise that the form can be triggered; an image input submits the form just as well, yet no warning is shown. Having the warning there is a good, proactive security measure, but if it can be bypassed this easily, it does no good.



Screenshot of Warning:
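The two points above (an image input submits a form off-site without the status-bar cue of a link, and a warning keyed on a "Submit" button misses it) can be made concrete with a check that scans profile markup for forms that post to another host through an input type=image with no visible submit button. The code below is an added example and is not code from the Websense post or from MySpace; the host names, the sample markup and every function name are assumptions made for the illustration. It also shows what the browser sends when the image is clicked: the click coordinates travel with the request, which is why an attacker can draw several "buttons" on one picture and branch on where the victim clicked.

```javascript
// Added example, not code from the Websense post or from MySpace.
// Host names, sample markup and function names are assumptions.

const PAGE_HOST = "profile.myspace.com"; // assumed host of the page being inspected

// Constructed sample profile body. Form 1 is the trick described in the post:
// off-site action, image input, no submit button. Form 2 is a normal on-site
// form. Form 3 is cross-domain but has a visible submit button for a
// "this form submits off-site" warning to key on.
const SAMPLE_PROFILE_HTML = `
<div id="profile">
  <form method="post" action="http://lure.example/collect.php">
    <input type="image" name="go" src="http://lure.example/fake-profile.jpg">
  </form>
  <form method="post" action="/mail/send.bin">
    <input type="text" name="subject">
    <input type="submit" value="Send Message">
  </form>
  <form action="//partner.example/vote">
    <input type="submit" value="Vote">
  </form>
</div>`;

// Parse the attribute list of one tag into a lower-cased name -> value map.
// Handles double-quoted, single-quoted and bare values.
function parseAttrs(attrText) {
  const attrs = {};
  const re = /([^\s=\/>]+)\s*(?:=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+)))?/g;
  let m;
  while ((m = re.exec(attrText)) !== null) {
    attrs[m[1].toLowerCase()] = m[2] ?? m[3] ?? m[4] ?? "";
  }
  return attrs;
}

// Pull every <form>...</form> out of the markup together with its <input> tags.
// Only <input> controls are considered, as in the post; <button> is ignored.
function extractForms(html) {
  const forms = [];
  const formRe = /<form\b([^>]*)>([\s\S]*?)<\/form>/gi;
  let f;
  while ((f = formRe.exec(html)) !== null) {
    const attrs = parseAttrs(f[1]);
    const inputs = [];
    const inputRe = /<input\b([^>]*?)\/?>/gi;
    let i;
    while ((i = inputRe.exec(f[2])) !== null) inputs.push(parseAttrs(i[1]));
    forms.push({
      action: attrs.action ?? "",
      method: (attrs.method ?? "get").toLowerCase(),
      inputs,
    });
  }
  return forms;
}

// Host that actually receives the submission. Relative and protocol-relative
// actions are resolved against the page's own host so they are not flagged.
function submitHost(action, pageHost) {
  return new URL(action || "/", `http://${pageHost}/`).hostname.toLowerCase();
}

// The dangerous combination is: submits off-site, has an image input (which
// submits on click with no link-style status-bar cue), and has no submit
// button for a button-based warning to trigger on.
function classifyForm(form, pageHost) {
  const types = form.inputs.map((a) => (a.type ?? "text").toLowerCase());
  const crossDomain = submitHost(form.action, pageHost) !== pageHost.toLowerCase();
  const hasImageInput = types.includes("image");
  const hasSubmitButton = types.includes("submit");
  return {
    action: form.action,
    crossDomain,
    hasImageInput,
    hasSubmitButton,
    hiddenCrossDomain: crossDomain && hasImageInput && !hasSubmitButton,
  };
}

// Actions of all forms that match the hidden cross-domain pattern.
function findHiddenCrossDomainForms(html, pageHost) {
  return extractForms(html)
    .map((f) => classifyForm(f, pageHost))
    .filter((c) => c.hiddenCrossDomain)
    .map((c) => c.action);
}

// Body the browser submits when the image input is clicked at (x, y):
// named image inputs send name.x/name.y, unnamed ones send x/y. Other
// submit buttons are not included because they were not the activated control.
function imageSubmitPayload(form, x, y) {
  const params = new URLSearchParams();
  for (const a of form.inputs) {
    const type = (a.type ?? "text").toLowerCase();
    if (type === "image") {
      const prefix = a.name ? `${a.name}.` : "";
      params.set(`${prefix}x`, String(x));
      params.set(`${prefix}y`, String(y));
    } else if (type !== "submit" && a.name !== undefined) {
      params.set(a.name, a.value ?? "");
    }
  }
  return params.toString();
}

console.log(findHiddenCrossDomainForms(SAMPLE_PROFILE_HTML, PAGE_HOST));
```

Running it on the constructed sample flags only the first form. The third form is also cross-domain but keeps its submit button, so a warning of the kind the post describes would catch it; the check above catches both because it looks at where the form goes, not at which control triggers it.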





Security Researcher: Ali Mesdaq



What are your thoughts? We’d like to hear from you.



Email us at: blog_feedback |at| websense.com



