p2pnet
Phishing with a QuickTime worm
Dec 05, 2006

MySpace had to take scores of user profiles offline over the weekend.

They'd been infected by a worm that used Apple Computer's QuickTime player to direct victims to a phishing site where they were scammed into keying in user names and passwords, says Websense.

"This is used in conjunction with a MySpace vulnerability that was announced two weeks ago on the Full-Disclosure mailing list," said Websense on Friday. "The vulnerabilities are being used to replace the legitimate links on the user's MySpace profile with links to a phishing site.

"Once a user's MySpace profile is infected (by viewing a malicious embedded QuickTime video), that profile is modified in two ways. The links in the user's page are replaced with links to a phishing site, and a copy of the malicious QuickTime video is embedded into the user's site. Any other users who visit this newly-infected profile may have their own profile infected as well."

MySpace's "seemingly random tendency" to expire user sessions or log out users makes it less noticeable to victims that an attack is under way, says a November 16 advisory by the Computer Academic Underground, quoted by the IDG News Service.

MySpace has been a favourite target, says The Register, going on:

"A year ago, a worm constructed using JavaScript crawled through the accounts of MySpace, adding one user - 'Samy' - to everyone's friends list. The social-networking site has also become popular with online fraudsters that attempt to phish for log-in credentials from unsuspecting users, said Boyd, who has written about various adware threats on his VitalSecurity blog."

Also See:
IDG News Service - Malicious Website / Malicious Code: MySpace XSS QuickTime Worm, December 1, 2006
The Register - Social sites' insecurity increasingly worrisome, December 1, 2006
