Malicious Spam Exploits MySpace

The spam e-mail purports to be an invitation from a 'Friend' to join MySpace.

by / January 17, 2008

Spammers have launched a new malicious spam campaign that exploits social networking site MySpace, Marshal's TRACE team announced today. The spam is designed to infect unsuspecting e-mail recipients' PCs with malware that converts their computer into a botnet zombie.

The spam e-mail purports to be an invitation from a 'Friend' to join MySpace. The message contains a link when clicked transfers the user to a fake, but authentic looking MySpace Web site. The user is then told they need to update their Adobe Flash Player to use the site properly and should download the latest version.

The download is, in reality, malware which installs more components from the Web to convert the now infected computer into part of a spam botnet. Within minutes the new zombie computer begins sending duplicate messages of the bogus MySpace invitation interspersed with phishing e-mails targeting a major US bank.

"We saw sites such as YouTube targeted in these kinds of malware distribution campaigns last year. It follows that social networking sites would be next on the spammers list of targets to exploit, although this newest campaign arrived a little sooner that expected. This attempt to exploit MySpace is simplistic but effective," said Bradley Anstis, Marshal's VP of Products.

Users are advised to be very wary of unsolicited messages, even from organizations that would normally be known and trusted.

"People post a lot of personal information on these kinds of sites and spammers will start to exploit some of that information in more sophisticated targeted campaigns during 2008. Expect to see more of these kinds of e-mails, maybe even offering a link to your favorite band's latest music video. The spammers will be able to easily gather this kind of information about you from social networking sites that you participate in," said Anstis.