On the pages hit by the attack, the worm replaced legitimate links with ones that took users to a phishing site, which attempted to obtain personal information, including their MySpace username and password. With that information, a third party could pose as a MySpace user and carry out further fraudulent activity.
MySpace was quick to remove the profiles, and it has not yet been made public whether anyone actually fell for the scams served by the infected pages. Most of the sites hosting the scams were also taken down, making the overall response a very quick one. The vulnerability was apparently well known more than two weeks ago, but a fix was not applied in time.