Users who follow the link in the email are directed to a website that appears to be a legitimate MySpace profile, Glen Myers, an engineer at Marshal, told SCMagazineUS.com today.
However, the victim is informed they need to update their Adobe Flash Player to properly view content on the page, he said. Installing the update actually downloads malware onto the user's PC and forces the infected machine to join a botnet.
Then, almost immediately, the zombie computer starts sending similar emails, in addition to phishing messages, targeting a major U.S. bank, according to Marshal.
Myers said these types of social engineering attacks are particularly effective because they are attempting to exploit the Web 2.0 mindset.
“The user is willing because they are used to this paradigm where it's someone they know and they posted this content,” he said.
Businesses must decide whether to ban access to sites such as MySpace or YouTube, or to control it through policies and technology, Myers said. Preferably, organizations should cater to their employees and “create a culture where they want to come to work.”
Web content filtering solutions would help, he said.