MySpace attack uses background images not iframes

Researcher Roger Thompson has found a new way for Web 2.0 to be attacked.

Security researcher Roger Thompson has found a new way to link to malicious servers that doesn't involve iframes (inline frames). An attack in June used cross-site scripting to place malicious iframes on legitimate Web sites. Iframes are used by Web designers to open additional windows (often hosted on other sites) within a main Web page; iframes can also be used by criminal hackers to redirect browsers to malicious-code sites.

"The interesting thing about this is that rather than using an iframe for an automatic embed, as they usually do, they've added some sort of image background href, with a large size...8000 by 1000 pixels, with the effect that a click that slightly *misses* a control or link on the page, ends up going to the exploit site," Thompson wrote on his blog. In particular, he found this trick used on the Alicia Keys page.

"The fact that this site is media-rich, with lots of sound and videos means that the FakeCodec trick will be much more effective. The click-er is probably expecting to see a vid, or hear a song, and is quite likely to think he genuinely needs to install something extra."

Thompson notes that the HTML code links to a site in China that is not indexed on Google or Yahoo. When CNET tried the URL mid-afternoon on Thursday, a message said the URL was down for maintenance.

Thompson has posted a YouTube video of the attack here.

Featured Video
This content is rated TV-MA, and is for viewers 18 years or older. Are you of age?
Sorry, you are not old enough to view this content.

Details about Apple's 'spaceship' campus from the drone pilot who flies over it

MyithZ has one of the most popular aerial photography channels on YouTube. With the exception of revealing his identity, he is an open book as he shares with CNET's Brian Tong the drone hardware he uses to capture flyover shots of the construction of Apple's new campus, which looks remarkably like an alien craft.

by Brian Tong