It's easy to see how visitors to Alicia Keys' MySpace page could have accidentally clicked on the wrong spot last week and gotten whisked off to a Chinese website that tried to install malicious code onto their computers. The buttons to play Keys' songs were clearly marked and clean but almost every other image on the site, including the full-sized background photo of the diva herself, had been hacked in such a way that merely clicking on it could infect visitors' computers with malware. So if you happened to click on Keys' bare midriff on Nov. 8, you would have been siphoned to a murky corner of cyberspace: a site that attempted to install a program that could trick you into buying fake anti-virus software, record the credit card information you used to buy it, and secretly log every other user name and password you typed into your computer as well.
MySpace identified the problem last Thursday and within 24 hours had scrubbed Keys' page of all bogus links, according to MySpace's chief security officer, Hemanshu Nigam. "Her profile was phished," says Nigam, "which means that whoever is managing her site probably input their user name and password where they shouldn't have," possibly by responding to a scam e-mail, which would have enabled the hackers to install false links on the diva's page. The clean-up happened just in time for the Nov. 13 release of her new album, As I Am, but Keys' wasn't the only MySpace page that got hacked: Some two dozen other bands appear to have suffered the same security breach, including the indie groups Jet King, Wee Red Bar and Seagull Strange in the United Kingdom, according to the blog VitalSecurity.org. "We've been covering these band hacks since October 31," says VitalSecurity blogger and Internet security expert Christopher Boyd. MySpace says it has discovered and removed links to the same Chinese site embedded on up to 50 other pages, but declined to identify which pages had been infected.
The recent spate of attacks is just a piece of a larger problem. Scams and security breaches have been plaguing MySpace for at least two years, and Internet sleuths say social-networking sites have become the destination of choice for online swindlers. "The bad guys really are focusing on these social sites because of the trust people put in their friends' list," says Internet analyst John Pescatore of Gartner. "They don't leap up and sell you penis enlargement or lottery tickets. They capture passwords." New-generation viruses are indeed much more treacherous than in the past; rather than merely hobbling your computer, so-called Trojans are designed to access financial information via passwords you store online or by getting you to buy bogus security products.
Though MySpace chalks up the Keys incident to a straightforward case of phishing, some independent security experts say that may not be the case. "It seems too strange to think that all these bands have suddenly fallen prey to a phishing attack," says Boyd. "Someone may have worked out a genuine hack." If so, that means that the security breach lies within MySpace itself, and isn't a simple case of a user accidentally typing a password on a bogus site. "Either MySpace was hacked or certain accounts on MySpace were phished," says Roger Thompson, a security expert at Exploit Prevention Labs, who has posted a video of the Alicia Keys hack online.
The best way to remove any malicious code that may have been installed on your computer, and more importantly to prevent future assaults, is to use free anti-virus software like Windows Defender or AVG, or to pay for a more full-featured product like Norton Internet Security 2008. While you're at it, check your online financial accounts to make sure there has been no unusual activity, and go ahead and change all your passwords too. Bottom line: just use common sense.