There appears to be a new myspace worm propagating on their pages. The worm
infects a user's profile page and then attempts to phish for usernames
(emails) and passwords. The page looks almost identical to a regular myspace
login and the url looks like a valid myspace page. However, the form
attempts to redirect to another site. The form is miscoded though and does
not execute correctly.
An example page is: www.myspace.com/netty567
The regular divs seem to be hidden by a "hidden" flag.
If you attempt to enter your password, you can see the paramaters in the get
url. Then the page errors out.
I'm unsure of the means of propagation, however it appears to be:
You can easily pull the code from the src url. I haven't fully analyzed it
yet, but I assume that's how the worm is propagating.
Example of the form trying to grab the passwords:
table { visibility:hidden;}
div { visibility:hidden; }
div table { visibility:visible!important; }
.Main { visibility:visible!important; position:absolute; left:0px;
top:125px; width:100%; background-color:e5e5e5; }
.show { visibility:visible!important; }
