Phishing Buddies

1 June 2005

Phishing scams have been casting their nets in two of the biggest Instant Messaging (IM) programs since the end of May. Though the scams are different, the underlying message is clear: phishing attacks have a new, less secure avenue through which to deceive end-users into coughing up personal information.

This is significant because many people would wholeheartedly accept messages from someone on their “Buddy” list, or from their IM provider, while on the other hand people have grown increasingly suspicious of email regardless of who it comes from. People don’t apply security measures such as Message Rules, spam filters, and 3rd party programs in IM like they do in email. With IM, people tend to blow off the security. I think there is more of a mindset that IM isn’t a security hole. Well, it is, and you need to treat any message that seems the least bit strange or suspicious with extreme scrutiny.

The Yahoo IM scam is your typical phishing scam. The attacker sends out a baited message to all the entries in the address book, and since the attack appears to come from someone you know, it becomes that much harder not to open. Last week the bait used Star Wars Episode III free downloads; a week before that it was the 60th anniversary of the end of WWII. The link used in the Star Wars scam looks like a legitimate site where one could download free Star Wars games. Of course there is no game, but there is a key logger or some data-grabbing code that has been waiting for some Star Wars fans. The bogus site appears as if it is a Yahoo premium link affiliate, and the only way to gain access is to? Anybody? That’s right, log in using your personal information, and the attacker’s code running in the background records it all. Now the attacker has your information and soon your Buddy list. Next week it will be some other topic that dominates the media.

The AOL IM (AIM) scam is more of a Worm than your typical Phishing scam, but it may be more dangerous than the previous one at this point in time. If attacked, you will see a message in your AIM, which will say something like: “You have to see this movie it’s hilarious” and a link to supposedly view it. Instead of a funny movie, however, you download a Worm, which isn’t nearly as funny. Upon successful installation of the Worm (a variant of the Gaobot virus), the attacker can potentially take control of your system and go after your contacts.

Both of these exploits stem from the inherently insecure nature of most IM and IM users. Email has filters, probably at least two different anti-viruses working for ya, not to mention paranoia and suspicion working to protect you. On the other hand, how many people worry about the messages they get in their IM, or for that matter, how many IM users have a content filter? Not nearly as many as with email. Granted, email is more widely used and is probably a better way to attack sheer numbers, but most email users have some sort of security in place. IM has far fewer regular users, but most of them have little to no security.

Alright, so what do we do to protect ourselves? First, and it goes without saying, is to make sure your antivirus is up-to-date. You also want to watch your firewall for any strange services or programs that want to access the internet.

Other than that, with Phishing scams it’s in your hands. Don’t link out of your IM to a site where they want you to log in. This includes an IM coming from a close friend or what appears to be a legitimate site. The best thing to do is get in the habit of confirming these messages with the sender; it will take 2 seconds.

The AOL exploit is actually patched, so run out and update your AIM and you should be protected from the Gaobot variant. Other than that, just remember the cornerstone of personal Internet safety: don’t select links sent from some random address.

Stay safe out there,

~ Chad

Chad Stelnicki
