"The recent wave of Web worms on MySpace and other social networking sites represent a new generation of more sophisticated
worms — ones that employ the pervasive cross-site scripting (XSS) flaws found on many Websites.
Early worms were more for wreaking havoc and proof-of-concept purposes (think Code Red and Melissa), but the new worms
discovered earlier this month on MySpace are more about stealing data. Example: the XSS exploit that spreads as a worm
and tries to force spyware onto a user's machine for nefarious purposes. That attack is a QuickTime movie that is
"backdoored" with an XSS exploit, which changes a user's profile to include links to a porn site that hosts spyware.
Once a user goes to that site, he or she is infected with the spyware.
Another variant of the QuickTime exploit poses as MySpace and phishes for usernames and passwords.
These attacks are the latest in a series of exploits hitting the wildly popular MySpace over the past few months,
first with the Samy worm, and then with a major phishing attack in October, along with publicly disclosed
XSS fragmentation vulnerabilities on the popular hangout site." – Darkreading
Article Link: http://www.darkreading.com/document.asp?doc_id=112687&f_src=darkreading_section_296