Having already gotten access to hundreds of MySpace accounts through phishing, hackers have been using compromised MySpace.com accounts to attack innocent Web surfers, security experts said.
Hackers succeeded in overlaying fake navigation bars on top of compromised MySpace.com user profile pages. When clicked, the bars lead to malicious computers that attempt to infect the victim's computer. The attack uses several known Internet Explorer flaws that have been fixed, so users who have installed the latest Microsoft patches are not at risk, security experts said.
The code was installed on "maybe a few dozen" MySpace.com pages, most of which have been removed by administrators at the social-networking site, Ullrich said.
The attack has two components. It attempts to install malicious botnet software on victims' computers, and it also uses these infected computers to try to steal MySpace credentials in a phishing attack.
Computers that are compromised by the attack become infected with malicious botnet software known as "flux bot," which makes them unwitting participants in the phishing scam. After the malicious Web site attempts to install the flux bot code, it then presents victims with a fake MySpace.com log-in page, which tries to extract their MySpace.com user name and password.