Charles Heunemann, general manager for Internet security specialist SurfControl, told ZDNet Australia that earlier this week, researchers from the company noticed suspicious job offers being sent to ICQ members based in Australia.
"We set up an ICQ account and in a very short space of time the threat analysis team started getting job offers -- they were saying you needed to have a Commonwealth Bank account," said Heunemann.
Heunemann said that because ICQ is one of the oldest instant messaging applications, it still has a large user base, and cybercriminals are most likely using automated bots to search through users' membership details to find potential victims.
"When you register for ICQ you tend to tell them your country. If you want to target Australian banking customers then you are probably going to need some kind of automatic technology to identify them and then get those messages out," he said.
The text of the attack is as follows:
172-648-577 (09:37 AM) :
Dear Sir or Madam
A French LaserMetalSooftware (sic) Company is offering a decent home-based job. No experience needed.
1. You should be the resident of Australia
2. You should have a CommBank account.
3. You should be able to check your email and icq during the day.
If you have any question please contact our HR ICQ: 225152354
The Commonwealth Bank did not respond to repeated requests for comment.
Phishing is a global phenomenon but Australian organisations are increasingly being targeted by criminals.
Earlier this week, online job site Seek was hit by an e-mail-based phishing campaign that attempted to gather confidential details from advertisers.
While speaking at an ID Management conference in Sydney earlier this month, Attorney-General Philip Ruddock said phishers often use the details collected from these attacks to steal the victims' identities, which could have a "devastating emotional and financial impact".
SurfControl's Heunemann said combined instant messenger and phishing attacks are likely to increase: "Spam through ICQ is not new and neither is phishing but a combination of the two is new and I think this is another thing we are going to see more of".