Friday, 16 June 2006

MySpace blames Apple and QuickTime for hacked accounts

A malicious QuickTime movie made the rounds across MySpace profiles last weekend, altering user profiles and changing links on their pages to redirect to phishing websites crafted to look like MySpace logins. The movie, CNET reports, actually capitalized on a MySpace flaw and QuickTime's legitimate support for JavaScript to craft what has been dubbed the QuickSpace attack. It is also worth noting that while this movie could infect users who simply viewed a compromised page, the attack (as far as we know) only works on IE and Firefox in Windows (in other words: if you're on a Mac, you can resume your regularly scheduled MySpace obsession).

Yesterday, MySpace's chief security officer Hemanshu Nigam contacted Apple to request a fix to plug the hole, even though it was a flaw of MySpace in combination with a legit feature of QuickTime that caused all the damage. Apple is reportedly working on a fix, but for now the two companies have ironed out some workarounds, such as blocking all the phishing URLs and scrubbing their network for compromised profiles.

On a side note: what exactly does one gain from harvesting MySpace account logins? Wouldn't, oh, say, credit card numbers be a little more productive? I know there's a lot of kids out there who bank on whether they're in some people's top 8 spaces, but I'm still having a hard time seeing how or why phishers would deal in the same currency.

Thanks Daniel
