MySpace spam seeks botnets

Researchers at Marshal, an internet security firm, are tracking a new spam campaign in which recipients receive messages inviting them to join MySpace – but a click on the link leads them to a bogus page containing malware disguised as an Adobe update.

Users who follow the link in the email are directed to a website that appears to be a legitimate MySpace profile, Glen Myers, an engineer at Marshal, told today.

However, the victim is informed they need to update their Adobe Flash Player to properly view content on the page, he said. Installing the update actually downloads malware onto the user's PC and forces the infected machine to join a botnet.

Then, almost immediately, the zombie computer starts sending similar emails, in addition to phishing messages targeting a major U.S. bank, according to Marshal.

Myers said these types of social engineering attacks are particularly effective because they are attempting to exploit the Web 2.0 mindset.

“The user is willing because they are used to this paradigm where it's someone they know and they posted this content,” he said.

Businesses must decide whether to ban access to sites such as MySpace or YouTube, or to control it through policies and technology, Myers said. Preferably, organizations should cater to their employees and “create a culture where they want to come to work.”

Web content filtering solutions would help, he said.
