A new cross-site scripting worm is hitting Twitter users less than 24 hours after StalkDaily embedded itself in profiles across the micro-blogging system. This time it appears to be inspired by StalkDaily's alleged author, the mysterious Mikeyy Mooney.Thousands of duplicate messages have been posted on the site without the knowledge of account owners, all mentioning "Mikeyy" - a reference to the 17-year-old who has allegedly admitted being responsible for yesterday's StalkDaily attack.
Messages posted by unsuspecting Twitter users include:
"Man, Twitter can't fix shit. Mikeyy owns. :)" "Dude! Mikeyy! Seriously? Haha. ;)" "Dude, Mikeyy is the shit! :)" "damn mikeyy. haha." "Twitter should really fix this..." "Mikeyy I am done..." "MikeyyMikeyy is done.." "Twitter please fix this, regards Mikeyy"
Just like StalkDaily, the Mikeyy worm is using cross-site scripting to spread. If you visit the profiles of the Twitter users posting these messages (obviously, visiting those pages is a very bad idea) you will find that the CSS style sheet information contains suspicious content which attempts to load a remote script from a third party website.
The highly obfuscated script adds the malicious script tags to the brand new victim's profile and posts a status message about "Mikeyy".
If you're using Twitter today I would strongly recommend that you run a browsing solution which can help you defend against cross-site scripting attacks. For instance, the free NoScript plugin can be used with Firefox to make life much harder for the cybercriminals.
I'll be posting more information about the Mikeyy and StalkDaily attacks on Twitter on my blog on the Sophos website.
Graham Cluley is senior technology consultant at Sophos, and has been working in the computer security field since the early 1990s. When he's not updating his other blog on the Sophos website you can find him on Twitter at @gcluley. Special to Dark Reading.