"The recent wave of Web worms on MySpace and other social networking sites represent a new generation of more sophisticated worms -- ones that employ the pervasive cross-site scripting (XSS) flaws found on many Websites.

Early worms were more for wreaking havoc and proof-of-concept purposes (think Code Red and Melissa), but the new worms discovered earlier this month on MySpace are more about stealing data. Example: the XSS exploit that spreads as a worm and tries to force spyware onto a user's machine for nefarious purposes. That attack is a QuickTime movie that is "backdoored" with an XSS exploit, which changes a user's profile to include links to a porn site that hosts spyware. Once a user goes to that site, he or she is infected with the spyware.

Another variant of the QuickTime exploit poses as MySpace and phishes for usernames and passwords.

These attacks are the latest in a series of exploits hitting the wildly popular MySpace over the past few months, first with the Samy worm, and then with a major phishing attack in October, along with publicly disclosed XSS fragmentation vulnerabilities on the popular hangout site." - Darkreading

Article Link: http://www.darkreading.com/document.asp?doc_id=112687&f_src=darkreading_section_296