Here’s another reason for IT shops to block employees from visiting MySpace pages on company machines:
Roger Thompson, chief technology officer at Exploit Prevention Labs, keeps discovering MySpace pages laced with malicious content.
“We keep finding MySpace pages that have had some sort of image-background link injected, that are reaching out to a different site in China that is both throwing exploits and using social engineering to install rootkits and (probably) DNS-changers,” he writes in the Exploit Prevention Labs blog.
The latest example of malicious behavior is the hacking of the Alicia Keys MySpace page. He says that rather than using an iframe for an automatic embed, as the bad guys usually do, they added an image-background link sized to roughly 8000 by 1000 pixels, so that a click that slightly misses a control or link on the page lands on the exploit site instead.
“The fact that this site is media-rich, with lots of sound and videos, means that the fake Codec trick will be much more effective,” he says. “The click-er is probably expecting to see or hear a song, and is quite likely to think he genuinely needs to install something extra.”
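The pattern Thompson describes, a link-wrapped image large enough to cover the page and pointing at a third-party host, is something a proxy or page scanner can flag. The following is an added example, not code from the article or from Exploit Prevention Labs: a standard-library Python parser that reports anchors wrapping a page-sized image whose href host differs from the page's own. The size thresholds, the host names and the sample HTML are constructed for illustration.

```python
"""
Added example (not from the article): flag anchors that wrap an oversized image
and point off-site, the mis-click lure described in the MySpace page story.
Standard library only; the sample HTML at the bottom is constructed.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Thresholds are assumptions: a page-sized image wrapped in a link is unusual.
MIN_AREA_PX = 2_000_000   # 8000 x 1000 = 8,000,000 px comfortably exceeds this
MIN_SIDE_PX = 2000

_DIM_RE = re.compile(r"(width|height)\s*:\s*(\d+)\s*px", re.I)


def _px(value):
    """Return an int pixel value from an attribute like '8000' or '8000px', else None."""
    if value is None:
        return None
    m = re.match(r"\s*(\d+)", str(value))
    return int(m.group(1)) if m else None


def _img_dims(attrs):
    """Pull width/height from width=/height= attributes or an inline style."""
    a = dict(attrs)
    w, h = _px(a.get("width")), _px(a.get("height"))
    for prop, val in _DIM_RE.findall(a.get("style") or ""):
        if prop.lower() == "width" and w is None:
            w = int(val)
        elif prop.lower() == "height" and h is None:
            h = int(val)
    return w, h


class OversizedLinkFinder(HTMLParser):
    """Track open <a> tags; report an <img> inside one that is page-sized and off-site."""

    def __init__(self, page_host):
        super().__init__()
        self.page_host = page_host.lower()
        self._open_links = []   # stack of hrefs, so nested or unclosed anchors still resolve
        self.findings = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "a":
            self._open_links.append(a.get("href") or "")
        elif tag == "img" and self._open_links:
            href = self._open_links[-1]
            host = (urlparse(href).hostname or "").lower()
            w, h = _img_dims(attrs)
            if w is None or h is None:
                return
            offsite = host != "" and host != self.page_host
            oversized = (w * h >= MIN_AREA_PX) or max(w, h) >= MIN_SIDE_PX
            if offsite and oversized:
                self.findings.append({"href": href, "host": host, "width": w, "height": h})

    def handle_endtag(self, tag):
        if tag == "a" and self._open_links:
            self._open_links.pop()


def find_oversized_offsite_links(html, page_host):
    """Return findings for anchors wrapping page-sized images that point off-site."""
    p = OversizedLinkFinder(page_host)
    p.feed(html)
    p.close()
    return p.findings


# Constructed sample: a normal off-site thumbnail, a page-sized off-site image link,
# and a page-sized image that links back to the same host (not flagged).
SAMPLE_HTML = """
<html><body>
<a href="http://friend.example.net/profile"><img src="pic.jpg" width="120" height="90"></a>
<a href="http://lure.example.invalid/codec"><img src="bg.gif" width="8000" height="1000"></a>
<a href="http://profile.myspace.example/me"><img src="big.png" style="width:8000px;height:1000px"></a>
</body></html>
"""

if __name__ == "__main__":
    for finding in find_oversized_offsite_links(SAMPLE_HTML, "profile.myspace.example"):
        print(finding)
```

Run against a fetched profile page with its own hostname as `page_host`; a hit means a link-wrapped image big enough that stray clicks anywhere on the page leave the site, which is worth blocking at the proxy or at least alerting on. Dimensions set purely in external CSS are not seen by this check, so treat it as one signal rather than a complete filter.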
This is the kind of trouble Thompson warned about when I interviewed him a couple of weeks ago.
On the surface, this doesn’t look like a problem for corporate IT environments. But it is.
Employees are increasingly using their work computers to browse Web pages of personal interest, and MySpace is a prime example. If they’re visiting a rigged MySpace page, chances are that work machine is going to be whacked.