Users of internet chat services such as Google Chat have been hit by a major phishing attack aimed at stealing account log-in details, security researchers have warned.
The unsolicited instant messages urge users to click on a TinyURL link to watch a video, but the link takes them to a site called ViddyHo which asks them to fill in user names and passwords. The phishers can then use these details to hack into user accounts and send more malicious links.
Much of the focus around this attack has been on risks to Gmail account holders, in response to the Google Mail outage earlier this week. However, phishers are also targeting users of instant messaging systems from Yahoo, Microsoft and MySpace.
"This is, of course, a classic attempt to phish credentials from the unwary," wrote Sophos senior technology consultant Graham Cluley in a blog posting. "The hackers behind ViddyHo could use the credentials they have stolen via their site to break into accounts, grab identity information and impact your wallet."
Users are also more likely to fall for this attack because the link comes from a trusted source, according to Rik Ferguson, solutions architect at security vendor Trend Micro.
"If the message has come from your friend, you're far more likely to click on it," he said. "It's also interesting to see link obfuscation techniques here, using the TinyURL service to mask malicious URLs."
Although TinyURL has since reportedly blacklisted ViddyHo, these kinds of attack are likely to increase because of the "added value of trust" enabled by using compromised accounts to send out the malicious links, explained Ferguson.
He advised users to make sure that the passwords they use to log in to financial sites are different from those they use for email, instant messaging and social networking accounts, and to ensure that any site asking for log-in details displays the padlock symbol.
Just a week ago, RSA Security reported that the number of global phishing attacks grew by 66 per cent last year compared to 2007, equating to 135,426 separate incidents.