MySpace attacked with background image hack

Security researcher Roger Thompson has found a new technique for linking pages to malicious servers that doesn't involve iframes (inline frames). This time, the pages of popular artists on MySpace are the target.

"The interesting thing about this is that rather than using an iframe for an automatic embed, as they usually do, they've added some sort of image background href, with a large size...8000 by 1000 pixels, with the effect that a click that slightly *misses* a control or link on the page, ends up going to the exploit site," Thompson wrote on his blog. In particular, he found this trick used on the Alicia Keys MySpace.com page (at the time of writing, the code was still embedded in the site).
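As an added illustration (not from Thompson's post or this article), here is a defender-side scan for the pattern he describes: user-supplied profile HTML containing an off-site link whose clickable area is far larger than any page control, either an oversized `<img>` inside the link or an anchor sized by inline CSS. The area threshold, the `myspace.com` host check and the `malicious.example` sample markup are assumptions.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed threshold (px) for a suspicious clickable area; the article's case was 8000 x 1000.
SUSPICIOUS_AREA_PX = 2_000_000
_CSS_PX = re.compile(r"(?<![\w-])(width|height)\s*:\s*(\d+)px", re.I)

def _dimensions(attrs):
    # Width/height in px from HTML attributes or inline CSS; 0 when absent.
    a = dict(attrs)
    dims = {k: int(a[k]) for k in ("width", "height") if (a.get(k) or "").strip().isdigit()}
    for key, val in _CSS_PX.findall(a.get("style") or ""):
        dims[key.lower()] = int(val)  # inline CSS overrides the attribute
    return dims.get("width", 0), dims.get("height", 0)

def _offsite(href, site_host):
    host = urlparse(href).hostname
    return bool(host) and host != site_host and not host.endswith("." + site_host)

class OversizedLinkScanner(HTMLParser):
    # Flags off-site <a> targets whose clickable area (own CSS box or wrapped <img>) is huge.
    def __init__(self, site_host):
        super().__init__()
        self.site_host, self._open_hrefs, self.findings = site_host, [], []
    def _check(self, href, w, h):
        if _offsite(href, self.site_host) and w * h >= SUSPICIOUS_AREA_PX:
            self.findings.append((href, w, h))
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            href = dict(attrs).get("href") or ""
            self._open_hrefs.append(href)
            self._check(href, *_dimensions(attrs))  # anchor itself styled as a huge block
        elif tag == "img" and self._open_hrefs:
            self._check(self._open_hrefs[-1], *_dimensions(attrs))  # huge image inside a link
    def handle_endtag(self, tag):
        if tag == "a" and self._open_hrefs:
            self._open_hrefs.pop()

def scan_profile_html(html, site_host="myspace.com"):
    scanner = OversizedLinkScanner(site_host)
    scanner.feed(html)
    return scanner.findings  # list of (href, width, height)

# Constructed sample: a normal on-site link, an off-site link wrapping an 8000x1000 image,
# and an off-site anchor sized by inline CSS. malicious.example is a placeholder domain.
SAMPLE_HTML = """
<a href="http://www.myspace.com/friends"><img src="f.gif" width="120" height="30"></a>
<a href="http://malicious.example/"><img src="bg.gif" width="8000" height="1000"></a>
<a href="http://malicious.example/c" style="display:block;width:3000px;height:1000px"></a>
"""
```

Running `scan_profile_html(SAMPLE_HTML)` reports only the two off-site links; the small on-site control and any relative link are left alone.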

The exploit site then presents a fake codec and tempts the user to download it, similar to the recent Mac exploit that uses the same trick.

"The fact that this site is media-rich, with lots of sound and videos means that the FakeCodec trick will be much more effective. The click-er is probably expecting to see a vid, or hear a song, and is quite likely to think he genuinely needs to install something extra."

Thompson notes that the HTML code links to a site in China that is not indexed by Google or Yahoo. At the time of writing, the site was reported as "down for maintenance".

Thompson has posted a YouTube video of the attack.
