Researchers at iDefense this week identified a banner advertisement on MySpace.com that uses a Windows security vulnerability to download spyware onto an unpatched PC, another sign that cybercriminals quickly are catching on to the social networking site's massive popularity.
"This is a hot spot for people," said Ken Dunham, director of Rapid Response at VeriSign iDefense, a Virginia-based security intelligence provider. "MySpace is like a large city that will have its criminal element."
This particular attack targets users of MySpace and other sites that contain a banner advertisement for DeckOutYourDeck.com, Dunham said. The ad attempts to exploit the infamous Windows metafile (WMF) vulnerability against the victim's web browser, and if it is vulnerable, the code will download a trojan that silently installs spyware from the PurityScan/ClickSpring family.
"It's going to start displaying various pop-up (ads) and it's going to start tracing your privacy information and potentially start stealing that," Dunham said.
The WMF vulnerability gained notoriety earlier this year when Microsoft hurried an out-of-cycle fix for the flaw, which took advantage of an image file format to execute malicious code.
"If you're not patched, you could suffer a silent attack," Dunham said. "All you're doing is browsing to a website. The likelihood that you're noticing the attack is very low."
iDefense said roughly a million people have fallen victim to the malicious installation, which phones home to a Russian language server that keeps tally.
MySpace, one of the world's most trafficked websites with more than 90 million members, increasingly is becoming an attack vector. Last week, a Flash-based worm tried to cajole users to visit a blog discussing Sept. 11, 2001 conspiracy theories.
The site, owned by Fox Interactive Media, also has been the target of instant messenger and other malware attacks. It recently hired its first CSO to improve user's safety.