Yahoo confirmed on Thursday that its service was being targeted by a social engineering-based phishing scam. According to the search giant, attackers are sending members a message containing a link to a fake Web site. The fake site looks like an official Yahoo site and asks the user to log in by entering their Yahoo ID and password.
The scam is convincing because the original message seems to arrive from someone on the victim's friends list. Should the recipient of the phishing message enter their details, the attackers gain access to any personal information stored in the victim's profile and, more importantly, to the victim's contact lists and IM friends list.
A Yahoo spokesperson told ZDNet Australia on Thursday that the attack was not very widespread, but that consumers should be aware it exists so they can protect themselves.
"Hackers have become very devious in their methods to obtain personal information. In this case, the hacker was able to trick the user into providing personal information by disguising their identity to make it appear that the message was coming from a trusted source," the spokesperson said.
Over the past month alone, Microsoft's MSN Messenger service has been targeted by various malware, including a Trojan horse and a virus. In late February Microsoft forced millions of its MSN Messenger users to update their client software in order to stop one of the worms spreading around its network.
MSN Messenger was an obvious target because of its popularity, according to Graham Connolly, Websense manager, Australia and New Zealand.
"Hackers want to use IM as another attack vector to steal personal information. They hit MSN Messenger first because it is the most popular," said Connolly.
Connolly said that as e-mail filtering technology matures, attackers are looking for new ways to access confidential information.
"Content filtering, e-mail filtering and antivirus are now mature technologies so the attackers need to find another way and IM is becoming one of those ways--like spyware," said Connolly.
In a survey published by Internet security specialists SurfControl on Thursday, the company found that although 90 percent of the respondents had an Internet access policy, around half had no policy concerning the use of IM and P2P applications.
Charles Heunemann, managing director of SurfControl in Australia, said IM and P2P communications were rarely encrypted, making them susceptible to snooping, hijacking and impersonation attacks.
"Serious security vulnerabilities such as buffer overflows, denial of service attacks and encryption weaknesses continue to be found and exploited in all popular instant messaging clients," said Heunemann.
Heunemann said companies should protect themselves by enforcing strict policies regarding the use of IM and P2P applications in a corporate environment.
"Left ungoverned, instant messaging applications are an easy vehicle for accidental or malicious disclosure of sensitive corporate data, including company financials, personnel records and customer data," said Heunemann.