Mar 25, 2005 (07:03 AM EST)
First IM Phishing Attack Hits Yahoo

Read the Original Article at InformationWeek

The first phishing attack carried out via instant messenger tried to trick Yahoo Messenger users this week into giving up information that would let attackers access their IM account and contact list.

Yahoo Messenger users have been spimmed (spam for IM) with messages that include a link to a bogus Web site that looks like an official Yahoo page, which asks them to log in with their Yahoo username and password. Users who fall for the ploy give hackers access to any information in their Messenger profile, as well as full access to their contact, or buddy, list.

A security firm that specializes in IM solutions for corporations issued a warning Friday about the Yahoo phishing scam. "With this year's explosive growth in IM worms and attacks, organizations can not afford to leave their IM users unprotected and unmanaged," said Francis Costello, the chief marketing officer of Akonix Systems, in a statement.

IM phishing can be not only dangerous, but difficult to control by IT, according to several recent surveys, since most companies don't have formal policies in place for managing instant messaging.

Earlier this week, content filtering vendor SurfControl released the results of a poll that showed 49 percent of enterprises reported they had no policy concerning the use of IM and peer-to-peer applications. Yet 78 percent of workplace IM users have download free IM software from the Internet -- such as Yahoo Messenger -- without being aware of the risks.

Other instant messaging clients have recently been the target of attacks, albeit not phishing scams. Earlier in March, Microsoft's MSN Messenger was hit with a rapidly-developing series of worms, dubbed "Kelvir," that if it infected a machine, hijacked the PC for the hacker's use.