Phishing’s New Target: IM Accounts
There is good news: finally, all the education, publicity and web chatter on phishing is showing results. Users have become more careful about answering requests for their ID information, and they are learning to identify phishing attacks. But there is bad news too: phishers are adopting new enticements to attract unsuspecting victims. The twist is that cyber criminals are hacking IM (instant messaging) accounts to lure people to their information-stealing sites.
On October 13, 2006, an employee from Yahoo discovered that her account had been used by scammers. They sent a link to a phishing site to her Yahoo Messenger. The company said that she had probably fallen for another scam, through which the fraudsters got her login details.
The link led to a site hosted on 'Geocities', the free Web space service by Yahoo. The bogus site looked exactly like Yahoo's photos Web site. It asked visitors to enter their Yahoo login details. Yahoo shut down the scam Web site.
A representative from Yahoo said that education is necessary in fighting the problem. People should not blindly trust links received in instant messages, even if the link is from a known person. These links could be part of an instant messaging worm or bait for a phishing scam.
The Rosenkrantz Group Product Manager for Symantec's Internet Security solutions says that the basic rule is not to divulge any private detail in response to a free online service, an email or an IM. A legitimate merchant, ISP or financial service will never ask for your ID information, except on their usual login page.
It is necessary to know that most IM systems use only weak authentication schemes. IM is not an instrument for exchanging confidential information. Only some IM systems allow for encryption and advanced authentication. If you need to exchange confidential information through IM, use a system that lets you control the server. It should also provide encryption and reasonable authentication.
» SPAMfighter News - 19-10-2006