MySpace hook leads to phishing

Yesterday we noticed several emails appearing in our spam traps purporting to be an invitation from a ‘Friend’ to join MySpace:

Following the link takes you to a fake MySpace page, where, lo and behold, a warning is posted advising the user to update their flash player:

Clicking on the link will prompt the user to download a file called “install_flash_player.exe”, which, as usual, turns out to be malware that downloads more components from the web.  In this case, the infected computer turns into a spambot that spews out more copies of the bogus MySpace invitation emails.  However, interspersed with these, are also phishing emails:

The style of this attack is almost identical to the fake YouTube emails we reported on in November 2007.  Both use popular social networking sites as the target, both use simple social engineering tricks, and even the downloaded file has the same name.

These days, social networking sites such as MySpace are becoming big targets. As always, be extremely wary of following links in unsolicited email.