MySpace Hacks Predate Recent Hijack of Alicia Keys Site

— -- The widely reported problems with pop singer Alicia Keys' MySpace profile have been cropping up on the social networking site for the past ten days and are likely to continue, a security expert said Friday.

Chris Boyd, a researcher at FaceTime Communications, blogged about the problem on Oct. 31 and has tracked a number of musicians' MySpace profiles that have been compromised since then.

As with the Alicia Keys hack, which was discovered Thursday by Exploit Prevention Labs, these pages try to install malicious software on the victim's PC. If the victim's software is not fully patched, this can happen silently, but if that fails, the sites will tell the victim that he needs to install a video codec. That file is actually malware, researchers say.

In all cases, hackers used the same background, the same Web code and the same malicious payload. "It's the exact same hijack," Boyd said via instant message.

But one difference has been the amount of pain experienced by the bands after they were hacked. While the Alicia Keys site was repaired and up and running on Thursday -- the same day that the problem was publicly reported -- smaller bands that have fallen victim to the hackers have had to restart their MySpace profiles from scratch.

Vaughn Atkinson, guitarist with the band JetKing, said he spent a few days trying to get MySpace administrators to restore his band's page from backup, without success. "It's messed with a lot of our networking with promoters and venues," he said in an interview. "It's important to a band's credibility ... if you have all that data wiped out, you are kind of back to square one in the eyes of people."

Nobody knows exactly how the MySpace pages were compromised. MySpace representatives suggested that victims may have accidentally handed over credentials after falling victim to phishing e-mails.

Exploit Prevention Labs Chief Technology Officer Roger Thompson believes phishing may be the cause of the compromise, but Boyd said that there may be an underlying bug in the MySpace site design. "They may be able to remove the code, but there's no indication from MySpace that the flaw allowing the hackers to hijack the pages has been fixed," Boyd said.

MySpace offers users an incredibly rich level of customization on their profile sites, but those capabilities can sometimes be misused by attackers, security experts say. That's what happened in 2005 when Samy Kamkar discovered how to sneak JavaScript code onto his MySpace profile, creating the social network's first-ever worm.

The fact that Keys' site was up and running so quickly is going to "create a lot of bad feelings" from bands such as JetKing that have been unable to restore their profiles, Boyd said.

Vaughn said he and other musicians were unhappy that MySpace had been unable to restore their profiles. "Everyone's resigned themselves to the fact that MySpace has done absolutely nothing," he said. "I'm sure if we were a big band like Coldplay or Michael Jackson, they'd have done it in five minutes."