Archive for July, 2006

MySpace hit with a security breach

Over a million MySpace users have been exposed to spyware that exploits a Windows vulnerability through a banner ad on the site, the BBC reported on Friday.

Those using Internet Explorer that has not been patched against the Windows Meta File (WMF) vulnerability could be exposed to spyware and adware.

The vulnerability in the way WMF images are handled by Windows was discovered in November 2005. In a WMF attack, exploit code is hidden within a seemingly normal image that can be spread via e-mails or instant messages, or via Web sites.

Reports suggest the advert has been running for approximately a week.

Security firm iDefense detected computer servers being used to log how many times adware was installed from the advert, according to the Washington Post.

Over one million installations of the adware were logged before the servers were shut down.

“This is a criminal act,” said Hemanshu Nigam, MySpace chief security officer, according to reports. “This ad is being delivered by ad networks who distribute these ads to over a thousand sites across the Internet in addition to ours.”

“We are working to have these ad networks remove this ad so that they do not appear on our site,” Nigam said.

MySpace users are hit with adware.

 

As many as one million computers may have been infected with adware through an advertisement running on MySpace and other websites. The DeckOutYourDeck.com advertisement subversively installed 5 adware programs, and reportedly relayed Internet activities to a website in Turkey.

MySpace has since started to remove the ads, which affected PCs running Firefox versions earlier than 1.5 and Windows users without a recent security patch for image files. There is no word about a removal tool as yet.

Just last week MySpace was hit by a Flash worm. The sad truth is where there is a volume of people, there will be malicious folks looking for ways to exploit their computers.

MySpace users panic as site goes down

 

MySpace is experiencing technical difficulties which have forced the social networking site off the internet.

The site has been offline since 2:40am on 24 July. A message posted on the site blames the outage on a power cut at its data centre.

“We are in the process of fixing it right now, so sit tight. Hopefully we’ll be back online within the hour,” the message says. “It’s 6:40pm PST now. Wanna place a bet?” it asks.

MySpace has 95 million members and accounted for 4.5 per cent of all US internet visits in the first week of July, according to figures from web monitoring firm Hitwise.
The news about the site being down spread quickly among bloggers.

“It is hard to believe that a service this large could just have one data centre. Have they not heard of redundancy? I am pretty sure there is more to the story. One can only imagine how millions of MySpace users feel right now,” Om Malik wrote at GigaOM.

Another user on Live Journal expressed dismay that the site was unavailable. “If Tom [Anderson, founder of MySpace] was here, I’d deck him in the face. This has turned out to be one of the worst days of my life.”

MySpace users pics hijacked

 

To hijack someone’s photograph…

“My pictures my friends”

Meaning a devious web master can quickly become your impostor.

“I never thought it would happen to an average normal girl like me.”

Katie got a call from a friend who stumbled across a stranger’s Myspace page… But who she saw was no stranger… It was Katie… Someone had stolen her photos and started using them as their own.

“I nearly fell over that that was my main picture and they were using it as their main picture.”

“You just can’t believe it that someone has gone that far to do something like that.”

Katie’s brother Tim started to investigate and what he found is nothing short of disturbing…

Grant: “you’re big brother, what did you think?”

“It was just really shocking I couldn’t believe it. It’s my sister and next thing you know some guy, I know it was a guy was using her pictures.”

“I think it was a guy the way the profile was made it just doesn’t seem like a girl would put it together.”

They believe the impostor was actually trying to lure in other young men… With the help of MySpaceScams.com, Myspace quickly shut the bogus site down, leaving Katie issuing a warning about the new face of identity theft.

“Just be careful you never know who is going to go after your pictures or you or your identity.”

MySpace Flash Attack Corrupts Profiles

 

A blog entry on the ChaseandSam.com website noted the MySpace issue, where an embedded Flash file caused problems for MySpace users.

Signed in users on MySpace who visit a profile that already has the malicious code infecting it will in turn have their profiles infected. Everyone who arrives at an infected page will be redirected to another blog containing a rant about the 9/11 attacks.

The ChaseandSam site listed a safe link to the Flash file exploiting the MySpace code. Since MySpace allows its users to embed code to display content, it was a trivial matter for the attacker to place the code on a profile and wait for people to stumble across it.

While the embedding feature makes it easy for MySpace users to share audio and video content, it appears the site could be more rigorous in assessing embedded code placed on profiles.

Kinematic, a user on the Digg news site, posted an assessment of the code used by the attacker. A Flash file performing the redirect would be encountered first.

Then the landing page would fire up another Flash file, retrievecookie.swf. The ActionScript in that file would then pull up a blog post from elsewhere on MySpace, and evaluate that code.

In doing so, the attack would grab the visitor’s MySpace token and hash code. Kinematic commented that the hash code is supposed to be a security measure. Like the token, the hash code is also in the URL, a helpful condition for the attacker’s code.

After that, the visitor’s profile gets modified, and the next person to visit the profile while logged in to MySpace likewise gets infected. Fortunately, the code can be removed from the profile. The post on the ChaseandSam website shows how to find the offending code in the profile to get rid of it.
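One way a site could be more rigorous about user-embedded Flash, shown as an added example (not code from MySpace, ChaseandSam or Kinematic's post): a server-side pass that rewrites profile markup so every embedded movie is denied access to the page's scripts and to browser navigation. `allowScriptAccess` and `allowNetworking` are standard Flash Player embed settings that the article does not mention; `harden_embeds`, `EmbedHardener` and the sample markup are hypothetical names and constructed input.

```python
from html import escape
from html.parser import HTMLParser

# Pinned on every user-supplied movie: "never" blocks the SWF from scripting
# the hosting page, "internal" blocks it from navigating the browser.
FORCED = {"allowscriptaccess": "never", "allownetworking": "internal"}
SAMPLE = ('<p>my band &amp; me</p>'  # constructed profile markup
          '<embed src="http://media.example/clip.swf" AllowScriptAccess="always">')

class EmbedHardener(HTMLParser):
    """Re-serialise profile markup with Flash permissions pinned."""
    def __init__(self):
        super().__init__(convert_charrefs=False)
        self.out = []

    def _emit(self, tag, attrs, close=""):
        parts = [tag] + [k if v is None else f'{k}="{escape(v, quote=True)}"'
                         for k, v in attrs]
        self.out.append("<" + " ".join(parts) + close + ">")

    def handle_starttag(self, tag, attrs, close=""):
        if tag == "param" and (dict(attrs).get("name") or "").lower() in FORCED:
            return  # discard the user's own permission params
        if tag == "embed":  # the parser has already lower-cased attribute names
            attrs = [a for a in attrs if a[0] not in FORCED] + list(FORCED.items())
        self._emit(tag, attrs, close)
        if tag == "object":  # inject pinned params as the first children
            for name, value in FORCED.items():
                self._emit("param", [("name", name), ("value", value)])

    def handle_startendtag(self, tag, attrs):
        self.handle_starttag(tag, attrs, close=" /")

    def handle_endtag(self, tag):
        if tag != "param":  # void element: drop stray closers
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        self.out.append(data)
    def handle_entityref(self, name):
        self.out.append(f"&{name};")
    def handle_charref(self, name):
        self.out.append(f"&#{name};")

def harden_embeds(markup):
    parser = EmbedHardener()
    parser.feed(markup)
    parser.close()
    return "".join(parser.out)
```

Comments and doctypes are dropped because no handler re-emits them; a production filter would also allowlist tags and `src` hosts rather than only pinning these two settings.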

Spyware Found on MySpace

 

Be careful, MySpacers. That video you want to watch on your friend’s profile may contain spyware.

One such video, called “Friends play a hilarious practical joke,” has been spreading across MySpace.

With just a few clicks agreeing to download the “Zango Search Assistant,” you will begin to see a lot of pop-up ads forcing your computer to slow down and become cluttered with spyware.

The adware, produced by Bellevue, Wash.-based Zango, presents you with a pop-up window of fine print explaining the end user license agreement (EULA). Once you click, though, the pop-ups begin.

Your clicks will download a “Zango Search Assistant,” which, according to tiny text in the pop-up, “will show you a limited number of ads that pop up on your screen in a separate browser.”

Zango makes money by partnering with webmasters who post videos on their sites.

Zango Adware Found On MySpace

 

After a security researcher said Monday that MySpace users were spreading adware through the social networking service to ring up ad fees from Zango, the Bellevue, Wash. marketing company admitted one of its own developers had set up the MySpace profiles.

Zango, however, said the developer was acting without approval and in ignorance of the company’s “hands-off” policy regarding MySpace.

Chris Boyd, the director of malware research for security vendor FaceTime, said he found a pair of MySpace profiles tagged “Zango,” the new name for the controversial adware maker 180solutions. And each profile pushed adware. One of the profiles used video to entice MySpace visitors to download Zango Assistant and Search Toolbar, which users had to accept if they wanted to view the clips.

“Just who is pimping these things?” Boyd asked, then pointed out Myspace Graphics Help, a site that included copy-and-paste code to add Zango-distributed videos; the code, says the Myspace Graphics site, can be added to MySpace profiles or comments. Anyone who clicks on a MySpace-placed video created by such code, of course, must download Zango’s adware to watch the clip.

The profiles were a mistake, countered a Zango spokesman Monday. According to Zango’s Steve Stratz, the two spotted by Boyd were created by a company developer based in its Montreal office. (In April 2005, Zango, formerly 180solutions, acquired Montreal-based CDT, at that time one of its largest adware-distributing partners.)

“Those two test accounts were actually created by one of our developers who was exploring possible opportunities, but he didn’t realize it was Zango business practice not to target MySpace,” said Stratz. “He should not have been doing this, and we want to tell MySpace that we didn’t mean to target them.” The developer, said Stratz, would soon be deleting the profiles.

Boyd took Zango to task nonetheless.

“This is a relatively new viral approach,” said Boyd. “We’ve seen spam and porn bots on MySpace before, but not adware from a quote-legitimate-unquote adware company,” he said.

Boyd’s contention was that unscrupulous Zango partners are getting MySpace users — many of whom are teenagers — to do their dirty work by spreading the necessary ad-tracking and ad-displaying software.

“Pasting the code for the [video] into the MySpace profile and having it autoplay when you visit the page is enough to have the [Zango] license prompt appear,” said Boyd. “Easy as pie.”

But although a Zango EULA (end-users license agreement) pops up on coded MySpace profiles, it’s too easy for users to assume the dialog’s from MySpace, not an adware vendor, argued Boyd. He found more than two dozen sites similar to Myspace Graphics and “I didn’t see one actually mention the fact that in return for these [video clips], you’d be pimping Zango.”

Zango, however, countered that its license agreement “could not be any clearer” and that it would be obvious to anyone that the download was not originating with MySpace.

Zango, which until early June was called 180solutions, has spent months cleaning up its distribution network — in the past it blamed “rogue” distributors for installing its software without users’ permission — and trying to be a better Internet citizen.

Then Zango’s vice president of business development, York Baur, said that “we’ve fixed [those] problems to the extent they can be fixed. This [business] model works, and we’re very proud of the model we’ve built.”

Stan Monlux, senior director of business development, weighed in Monday on the MySpace issue by denying that the network’s accounts were allowed to register as partners — and thus receive payments — and arguing that it wasn’t up to Zango to police the sharing of its content.

Posting Bulletins outside of MySpace domain

 

It appears that MySpace finally tightened up security and no longer allows bulletin posts from outside of the MySpace domain. A great move if you ask us, this will keep a lot of unwanted SPAM bulletins created from unknowing MySpace users.

Street gangs thrive online

 

Sexual predators aren’t the only ones drawn to social networking sites such as Rupert Murdoch’s MySpace.com.
George W. Knox, director of the National Gang Crime Research Center, is quoted by the Associated Press as saying he’s trained “hundreds of police officials” on, “how to cull intelligence on gang membership, rivalries, territory and lingo from these Web pages” and Chicago police arrested a teenager who’d, “allegedly sprayed his gang nickname on a church by tracing the moniker to his Myspace.com account.
“His online profile included his address, photo and real name.”
And earlier this month, “two teens charged with beating a boy into a coma could be tried as adults after prosecutors showed photographs of the two from Myspace.com,” says AP. “In the images, they flashed the hand signs of a local gang.”
Notorious street gangs have gone online, “showcasing illegal exploits, making threats, and honoring killed and jailed members on digital turf,” says AP.
They’re posting potentially incriminating photos of members holding guns, messages taunting other gangs and boasts of illegal exploits on personal Web sites and social networking sites, it states.
And XV3Gang isn’t alone. Crips, Bloods, MS-13 and other gangs are online, says the AP story, going on, “Knox and others fear gangs are using the Internet to recruit new members, who can be influenced by the secret handshakes, clothing and slang of gang cultures.”
Meanwhile, “www.XV3Gang.com is fully copyrighted,” says the 18th Street site.

Talk with your child about Web site

 

Q: I’ve read and heard many stories about young people putting information on MySpace.com. What I want to know is: How would a parent go about getting the information that a teenager puts on that site removed? Don’t tell me to use parental controls because that is not my question.

A: How old is the teen?

If he (or she) is under 14, he’s lied about his age and inflated it to open an account on the social-networking Web site, which, as you almost certainly know, is immensely popular among teens.

In that case, you can contact MySpace and, after investigating the situation, it will delete the teen’s account. You can e-mail deleteaccount@myspace.com or customercare@myspace.com.

Meanwhile, if your child is 14 or 15 (and if his age is correctly listed with MySpace), his MySpace pages — including whatever personal information he’s posted — can be seen only by people on his friends list.

And any MySpace user of any age can make their profiles available only to their friends.

But if he’s 14 or older, you may be on your own if you want some or all of his information deleted from the Web site. In this case, a honeyed approach may serve better than a vinegary one because you’re probably going to have to work with your child.

Sure, you can delete his information or MySpace account yourself — if you know his e-mail address and MySpace password.

But if your child continues to have access to the Internet, he may simply create another account with another user name.

Parent advocates say it might be better to keep communication open and walls down by talking with your child about your concerns as well as his feelings about being on MySpace.

It’d be even better if you could talk with your child about such things before he ever got on MySpace in the first place.

But once he’s on the site — or on the Internet, in general — advocates say you should definitely monitor his activities there.

For information on monitoring software and tips on how to deal with your teen’s activities online, go to MySpace.com and click on “safety tips,” then on “tips for parents.”