By Keith Regan E-Commerce Times
03/28/05 9:53 AM PT
Security experts say the phishing attacks launched on Yahoo IM likely represent the leading edge of an emerging threat to IM and to the growth of the messaging medium even as portals such as Yahoo, AOL and MSN hope to make it a key technology to keep users connected on PCs, portable computers and hand-held devices.
Users of Yahoo's (Nasdaq: YHOO) free instant messaging service have been targeted by a phishing attack, one of the first widespread attempts to use the messaging medium to pilfer personal information.
Targets of the scam are sent a link that, when clicked, takes users to what appears to be a Yahoo site that asks for users' login and password. That information can then be used to access whatever information a user might have in password-protected accounts.
The messages are disguised to appear as if they are coming from someone on a user's "buddy list," making them appear trustworthy from the outset. Security experts said the phishing attacks are probably not as serious as others that use e-mail to obtain everything from bank account to credit card numbers. Yahoo said it has received few reports of the attacks.
Emerging Threat
However, security experts say they likely represent the leading edge of an emerging threat to IM and to the growth of the messaging medium even as portals such as Yahoo, AOL and MSN hope to make it a key technology to keep users connected on PCs, portable computers and hand-held devices.
In recent weeks, both AOL and Yahoo have inked deals to have their IM platforms integrated into the BlackBerry hand-held line from Research in Motion, just a part of a broad effort to help IM migrate from desktops to a range of mobile devices.
Because IM is one of the core features for which users turn to portals -- along with e-mail and search -- attacks on a single platform could drive users to competitors, though such a trend would likely be short-lived, since most platforms are seen as equally susceptible to various types of attack. Several IM worms have already circulated, and there have been scattered reports of phishing attempts using instant messaging platforms in the past.
Ripe for the Picking
Search Engine Journal Editor Lauren Baker noted that many networks have e-mail filters that can identify and stop many obvious phishing attempts, but that very few filters for IM are in place, making IM "an attractive target for phishing schemes."
Security firm Akonix said some of its enterprise clients reported the attack. In addition to a lack of filtering -- Akonix said fewer than 10 percent of enterprises filter IM traffic -- IM is seen as a heightened risk because in many settings, users have downloaded the freeware on their own.
The result is few policies about how to use IM to maintain security, Francis Costello, chief marketing officer of Akonix, said. For instance, most businesses do not have guidelines about when to open an attachment or click on a link in IM but do have such rules for e-mail.
"Phishing scams target sensitive data access utilizing unsuspecting employees, and worms can quickly compromise entire networks," Costello said.
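As an added illustration that is not part of the original article, the sketch below shows the kind of link check an IM gateway filter could apply to message text, much as e-mail filters do. The trusted-domain list, brand token, rule names and sample messages are assumptions made for the example.

```python
import re
from urllib.parse import urlsplit

# Assumed policy for this sketch. Sender identity is deliberately not a
# signal, since the messages appear to come from someone on the buddy list.
TRUSTED_DOMAINS = {"yahoo.com"}
BRAND_TOKENS = ("yahoo",)
URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)
IPV4_RE = re.compile(r"^\d{1,3}(\.\d{1,3}){3}$")

def is_trusted(host):
    """True only for a trusted domain itself or a real subdomain of it."""
    return any(host == d or host.endswith("." + d) for d in TRUSTED_DOMAINS)

def check_url(url):
    """Return the reasons a link looks like a fake login page (empty if none)."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower().rstrip(".")
    reasons = []
    if parts.username is not None:      # http://brand@other-host/ hides the host
        reasons.append("userinfo-in-url")
    if IPV4_RE.match(host):
        reasons.append("ip-literal-host")
    visible = (parts.netloc + parts.path).lower()
    if not is_trusted(host) and any(t in visible for t in BRAND_TOKENS):
        reasons.append("brand-on-untrusted-host")
    return reasons

def scan_message(body):
    """Return (url, reasons) for every suspicious link in one IM message."""
    findings = []
    for url in URL_RE.findall(body):
        url = url.rstrip(".,;:!?)")     # drop sentence punctuation after the link
        reasons = check_url(url)
        if reasons:
            findings.append((url, reasons))
    return findings

# Constructed sample messages (not taken from the reported attack).
SAMPLES = [
    "mail is back up: https://login.yahoo.com/",
    "check my pics http://yahoo-photos.example.net/login.php",
    "sign in here http://login.yahoo.com@203.0.113.7/signin.",
    "lunch? http://news.example.org/story",
]

if __name__ == "__main__":
    for body in SAMPLES:
        print(scan_message(body) or "clean", "<-", body)
```

The suffix match in `is_trusted` requires a leading dot, so a host such as `notyahoo.com` or `yahoo.com.example.net` is not mistaken for the genuine domain.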
Impact Muted
Sophos antivirus senior technology consultant Graham Cluley told the E-Commerce Times that phishing might even be more effective in instant messaging environments, where users make faster decisions about clicking on links or opening attachments and where messages almost always -- at least until recently -- come from trusted sources.
"The social engineering aspect of phishing is a good fit for IM," Cluley said. He agreed that many organizations leave "an open back door" for attacks by not protecting IM -- with scanning and policies about opening attachments or following links -- to the same degree as e-mail.
"Businesses that have antivirus protection at the e-mail gateway could be undoing all their good work by allowing staff to use IM services that they download and use on their own," Cluley added.
So far, the dramatic rise of fraud via phishing and other means has yet to put a damper on the growth of e-commerce. A recent report from Verisign said that consumer confidence in Web transactions continues to grow, as do overall sales, despite the dramatic rise of online fraud.