MySpace Hacked Using Simple HTML Exploit – Alicia Keys and Others Targeted

Don’t open Alicia Keys Space.

A new hack has appeared on MySpace: Alicia Keys’ profile is affected, along with a variety of others to date. The exploit is pretty simple but very “deadly”. Basically, a user puts a link to the infected site on the page with just a simple href tag (no script tag), using some CSS to position the element anywhere that an element doesn’t already live. So if you mis-click, you get sent to the infected site, which prompts you to install a codec to listen to Alicia’s music. Of course it’s not a codec; it’s some sort of virus.

Roger Thompson from Exploit Prevention Labs sent over the following information and video.

Roger tells us it’s MySpace that has been hacked, as opposed to the bad guys getting the usernames and passwords of a few bands (other bands hit include “Greements of Fortune,” a French funk band, “Dykeenies,” a rock band from Glasgow, and several others).

When a visitor visits the infected page, they’re first hit by an exploit (which installs malware in the background if they’re not fully patched against the latest security vulnerabilities), and next they’re presented with a Fake Codec which tells them they need to install a codec to view the video. So even if they’re patched, they can fall victim to the exploit.

Perhaps most interesting, the bad guys are using a creative hack we haven’t seen before: The HTML in the page contains some sort of image map, which basically makes it so you can click on anything over a wide area on the page and your click is directed to the malicious hyperlink. We tested it and even the ads were affected.
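A site accepting user-supplied profile HTML can screen for the pattern described above before rendering it. The following is an added example, not code from the original post, from Exploit Prevention Labs or from MySpace: it flags off-site links that are either CSS-positioned out of normal flow or delivered as image-map areas. The host names, the function names and the sample markup are assumptions made for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

TRUSTED_HOSTS = {"profile.example"}        # assumption: the site's own host
OVERLAY_POSITIONS = {"absolute", "fixed"}  # values that leave normal flow

def parse_style(style):
    """Turn an inline style string into a {property: value} dict."""
    decls = {}
    for part in style.split(";"):
        if ":" in part:
            prop, value = part.split(":", 1)
            decls[prop.strip().lower()] = value.strip().lower()
    return decls

def is_external(href):
    """True when href names a host outside TRUSTED_HOSTS (relative URLs pass)."""
    host = urlparse(href.strip()).hostname
    return host is not None and host not in TRUSTED_HOSTS

class OverlayLinkFinder(HTMLParser):
    """Collects external links that are CSS-positioned or image-map areas."""
    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        href = a.get("href", "")
        if tag not in ("a", "area") or not is_external(href):
            return
        position = parse_style(a.get("style", "")).get("position", "")
        if tag == "area":
            self.findings.append((href, "image-map area"))
        elif position.replace("!important", "").strip() in OVERLAY_POSITIONS:
            self.findings.append((href, "positioned anchor"))

def find_overlay_links(html):
    """Return [(href, reason), ...] for links worth rejecting or reviewing."""
    finder = OverlayLinkFinder()
    finder.feed(html)
    finder.close()
    return finder.findings

# Constructed sample of user-supplied profile markup, not taken from any real page.
SAMPLE = """<p>New single out now!</p>
<a href="/friends">My friends</a>
<a href="http://fan.example.invalid/">Fan site</a>
<a href="http://codec.example.invalid/"
   style="position:absolute; top:0; left:0; width:100%; height:3000px"></a>"""
```

This check reads inline `style` attributes only; positioning applied through a class or a stylesheet rule needs the same test run against the computed style, or a sanitizer that strips positioning properties from user markup altogether.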

Here is a video overview of the exploit. PLEASE DO NOT CLICK THE LINK ON ALICIA’S PAGE.

