Understanding the QuickTime/MySpace Phishing Threat

Reports of phishing exploits on MySpace Web pages that host QuickTime files have reached a fevered pitch - unfortunately most of those reports are slim on details. The potential threat is real, but understanding what it is can help you avoid accidentally giving up your personal information.

What It Is
The phishing threat on MySpace takes advantage of QuickTimeis ability to automatically play Web page movies and open URLs. These features are used for legitimate purposes all the time, but they can also be used to unknowingly redirect someone to an alternate Web page or run malicious JavaScript code.

In this case, code is being used to trick users into giving up personal information: A phishing scam.

How It Works
Since this threat is being used on the MySpace social networking Web site, you first need to have a MySpace User Profile of your own. If you are logged into MySpace and view a maliciously crafted QuickTime file on someone elseis MySpace page, JavaScript code can be added to your MySpace page that makes changes to your user profile.

The malicious QuickTime file can modify your MySpace page by adding links to fake MySpace pages that collect user names and passwords. The file can also copy to your account without your interaction.

What You Can Do
Avoid playing QuickTime movies and audio files on MySpace profile pages. Disabling QuickTimeis auto-play feature is a good idea, too. Hereis how:

  • Choose Apple menu > System Preferences to launch System Preferences.
  • Select the QuickTime Preferences Pane.

  • Disable QuickTimeis auto-play feature.
  • Click the Browser tab.
  • Uncheck Play movies automatically.