Thompson, chief technology officer at Atlanta, Ga.-based Exploit Prevention Labs, discovered that when a visitor loads the infected MySpace pages, they're first hit by an exploit that installs malware in the background if the user is running an unpatched Windows machine.
Next, the attackers use a fake codec to lure victims into manually launching an exploit. This will infect even a fully patched machine, because the social engineering lure ensures that the victim willingly installs the malicious software.
"The bad guys are using a creative hack we haven't seen before: The HTML in the page contains some sort of image map, which basically makes it so you can click on anything over a wide area on the page and your click is directed to the malicious hyperlink. We tested it and even the ads were affected," Thompson said.
"The fact that this site is media-rich, with lots of sound and videos, means that the fake codec trick will be much more effective. The [surfer] is probably expecting to see a video, or hear a song, and is quite likely to think he genuinely needs to install something extra," Thompson added.
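For defenders auditing saved profile HTML, the click-anywhere behaviour Thompson describes can be checked for mechanically. The following is an added example, not code from the article or from Exploit Prevention Labs. It assumes a classic `<map>`/`<area>` image map (the article says only "some sort of image map"), and the function names, hostnames and sample markup are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

class MapCollector(HTMLParser):
    """Collect <img usemap> dimensions and the <area> entries of each <map>."""
    def __init__(self):
        super().__init__()
        self.images, self.areas, self._map = {}, [], None
    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "img" and a.get("usemap"):
            try:  # map name -> (width, height) of the image that uses it
                self.images[a["usemap"].lstrip("#")] = (int(a["width"]), int(a["height"]))
            except (KeyError, TypeError, ValueError):
                pass  # no usable pixel size, coverage cannot be estimated
        elif tag == "map":
            self._map = a.get("name")
        elif tag == "area" and self._map and a.get("href"):
            self.areas.append((self._map, (a.get("shape") or "rect").lower(),
                               a.get("coords") or "", a["href"]))

def coverage(shape, coords, width, height):
    """Fraction of the image one area covers; rects are clipped to the image."""
    if shape != "rect":
        return 1.0 if shape == "default" else 0.0  # circle/poly not measured
    try:
        x1, y1, x2, y2 = (int(c) for c in coords.split(","))
    except ValueError:
        return 0.0  # malformed coordinates
    w = max(0, min(max(x1, x2), width) - max(min(x1, x2), 0))
    h = max(0, min(max(y1, y2), height) - max(min(y1, y2), 0))
    return (w * h) / (width * height) if width and height else 0.0

def find_wide_offsite_areas(html, page_host, min_fraction=0.5):
    """Return (href, fraction) for off-site areas covering >= min_fraction."""
    p = MapCollector()
    p.feed(html)
    findings = []
    for name, shape, coords, href in p.areas:
        host = urlparse(href).hostname
        if name in p.images and host not in (None, page_host):
            frac = coverage(shape, coords, *p.images[name])
            if frac >= min_fraction:
                findings.append((href, round(frac, 2)))
    return findings

# Constructed sample: one off-site area spanning the whole image, one small local link.
SAMPLE = ('<img src="b.gif" usemap="#m" width="800" height="600"><map name="m">'
          '<area shape="rect" coords="0,0,800,600" href="http://codec.example/get">'
          '<area shape="rect" coords="0,0,80,20" href="/home"></map>')
```

The 0.5 threshold is an arbitrary starting point. Overlays built with CSS positioning or script rather than `<area>` elements are outside what this check sees.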