Want CNET to notify you of price drops and the latest stories?

Phishers target Yahoo Messenger

Phony messages direct people to a site that asks people for their Yahoo usernames and passwords.

3 min read
Yahoo's free instant-messaging service is being targeted by phishers attempting to steal usernames, passwords and other personal information.

Yahoo confirmed Thursday that its service, Yahoo Messenger, was being targeted by a scam. According to the company, attackers are sending members a message containing a link to a fake Web site. The fake site looks like an official Yahoo site and asks the user to log in by entering a Yahoo ID and password.

Related story
Does IM stand for
insecure messaging?

Trojan horses and other
attacks are galloping
toward instant-messaging users.

The scam is convincing because the original message seems to arrive from someone on the victim's friends list. Should the recipient of the phishing message enter his details on the Web site, the attackers can gain access to any personal information stored in the victim's profile and, more important, access to the victim's contact list and IM friends list.

A Yahoo representative told ZDNet Australia on Thursday the attack was not very widespread but that consumers should be aware it exists so they can protect themselves.

"Hackers have become very devious in their methods to obtain personal information," the representative said. "In this case, the hacker was able to trick the user into providing personal information by disguising their identity to make it appear that the message was coming from a trusted source."

During the past month, Microsoft's MSN Messenger service has been targeted by various pieces of malicious software, including a Trojan horse and a virus. In late February, Microsoft had millions of its MSN Messenger users update their client software in order to stop one of the worms spreading around its network.

MSN Messenger was an obvious target because of its popularity, said Graham Connolly, Australia and New Zealand manager of Websense, a Web-filtering and security software company.

"Hackers want to use IM as another attack vector to steal personal information. They hit MSN Messenger first because it is the most popular," Connolly said.

Connolly said that as e-mail filtering technology matures, attackers look for new ways to access confidential information.

"Content filtering, e-mail filtering and antivirus are now mature technologies, so the attackers need to find another way, and IM is becoming one of those ways--like spyware," Connolly said.

According to a survey of businesses published Thursday by Internet security specialist SurfControl, 90 percent of respondents said they have an Internet access policy--but about half have no policy concerning the use of IM and peer-to-peer applications.

Charles Heunemann, managing director in Australia for content-filtering company SurfControl, said IM and peer-to-peer communications are rarely encrypted, making them susceptible to snooping, hijacking and impersonation attacks.

"Serious security vulnerabilities such as buffer overflows, denial-of-service attacks and encryption weaknesses continue to be found and exploited in all popular instant-messaging clients," Heunemann said.

Heunemann said companies should protect themselves by enforcing strict policies regarding the use of IM and peer-to-peer applications in corporate environments.

"Left ungoverned, instant-messaging applications are an easy vehicle for accidental or malicious disclosure of sensitive corporate data, including company financials, personnel records and customer data," he said.

Munir Kotadia of ZDNet Australia reported from Sydney.