The goal is to both annoy unsuspecting users and financially profit.
The nearly 100 million-member-strong social networking site has made headlines in recent weeks, first with a Macromedia Flash-based worm embedded in victims' profile pages that directed users to a controversial blog. Shortly after, researchers blamed a banner advertisement that exploited the eight-month-old Windows metafile (WMF) vulnerability with incidents of spyware being downloaded on a million unpatched computers.
"This is one of the most popular places on the net, and it's ripe for exploitation," says Ken Dunham, director of the rapid-response team at iDefense, VeriSign's security intelligence arm. "Just like a big city, you're going to find crime."
Myspace also has been victimized by an instant messenger (IM)-based phishing attack that steals usernames and passwords, which could lead to identity theft. "Literally you can put your entire life up on a slab of HTML [on myspace profiles]," says Chris Boyd, director of malware research at FaceTime Security Labs. "There's just so much personal information out there, it's scary."
Experts say that what makes social networking sites such as myspace so desirable is also what makes them a security risk.
In the case of last fall's notorious Samy worm, the first major malware to affect myspace, the creator — using a programming technique known as Asynchronous JavaScript and XML [AJAX] — was able to circumvent the site's strong JavaScript filters and place code in his profile. The infection silently spread like wildfire, adding one million "friends" to the creator's myspace page in several hours.
Experts say that policing sites as expansive as myspace, which only recently hired its first CSO, is difficult. They recommend end-users keep their machines fully patched and avoid opening suspicious files. Application developers, on the other hand, need to build programs that can withstand XSS attacks.