Warning: That Yahoo IM from me is malicious

Writer is duped for the first time ever by a phishing attack; feels violated and ashamed.

Elinor Mills, Former Staff Writer
Elinor Mills covers Internet security and privacy. She joined CNET News in 2005 after working as a foreign correspondent for Reuters in Portugal and writing for The Industry Standard, the IDG News Service and the Associated Press.

It finally happened.

I fell for one of those silly phishing scams. The kind that I previously took sanctimonious pride in having avoided. The kind where you get a frantic e-mail or IM from a friend saying that a malicious link was clicked, a secret password typed in, and that they didn't know better.

I feel so ashamed, guilty, violated...stupid.

In case you haven't heard yet, an IM-based worm was spreading itself via Yahoo Messenger on Friday, propagating through people's contacts lists and directing hapless victims to a malicious Web site. The site looks like a legitimate Yahoo 360 log-in page and prompts you for your username and password, which it then stores to be used for later nefarious deeds.

The IM looked innocent. Too innocent. I should have been tipped off by the smiley face emoticons surrounding the link. But I clicked it anyway in the midst of multitasking at work. It came from, or at least it was sent from, the account of a trusted source--a friend who is a longtime programmer and Web aficionado. I clicked the link, thoughtlessly typed in my password, and arrived at my 360 home page. Nothing new here. I e-mailed my friend, asking him what was up with the link. He e-mailed back that it's a phishing scam and not to click on it. Too late.


My heart raced as I started sending warning IMs to everyone in my contact list and e-mails to other people. I started getting IMs from other friends who were nabbed by the same culprit. I couldn't believe this was happening to me! I've been covering the Internet for more than a decade. I know better than to click on an unrecognized Web link, even if it comes from a friend.

You may trust that your friends take precautions, but in the Digital Age you are also precariously linked with all the contacts in your friend's e-mail contacts list, and their contacts, and so on. I realized I had gotten an IM STD. Sending those mea culpa IMs to my friends and (cringe) professional contacts was the electronic equivalent of phoning someone to tell him that he might want to visit a physician after a night of unprotected "networking."

I know I'll get teased and criticized and called names now that I've gone public about my indiscretion. But if my story can help keep even one person from being victimized like I was, then I'll feel it was worth it.