The threat of identity theft continues to dog MySpace users, with the latest attack coming via an innocent-looking music video clip.

Vinoo Thomas, writing on the McAfee Avert Labs blog, says that MySpace is rapidly becoming an unhealthy breeding ground for the scum of the internet, who lure surfers to sexually explicit web sites or play with the trust of users to obtain personal information that could lead to identity theft.
"With the sophistication of attacks used by malware these days on the rise, the bad guys are continuously looking for newer infection vectors. Every new attack is tailored to the attacker’s needs in terms of choosing who the targets will be, the social engineering techniques employed to lure the victim, as well as which exploit would be used."
The latest targets are unsuspecting fans of the French rock band Mamasaid who, upon visiting a MySpace account promoting the music group, get a trojan, JS/SpaceStalk, installed on their computers via a known insecure feature in QuickTime called HREF Tracks.
"The technique used here does not rely on a vulnerability but rather on a feature present in the QuickTime player that allows for links to be opened automatically when the movie is run," says Thomas. "This link could be misused to point to malicious websites hosting exploit code."
The QuickTime file automatically executes JavaScript hosted on an external website when the movie is played.
Once executed, the script transmits personal information of the visiting MySpace user to the attacker. As the website being contacted is normally controlled by the malware author, any script being downloaded and executed can be remotely modified and the behavior of these new scripts altered to perform further malicious actions.
"Very few people hesitate to view a movie file," says Thomas. "And, given that QuickTime is a popular application used on the web, the return on investment for malware authors makes it an attractive target using it as an infection vector."