Showing posts with label Phishing. Show all posts

Romanian Cybercriminal Gang Dismantled


Twelve Students Arrested For Taking Part In A Major Phishing Operation
The Romanian Direction for Investigating Organized Crime and Terrorism (DIICOT), together with local authorities, has raided multiple locations in several cities and arrested 20 people suspected of being members of a cybercriminal gang. The seven-year-long operation, which involved phishing and fake eBay auctions, is said to have brought the cybercrooks illegal gains of over 500,000 euros.

According to the investigators, the network was very well structured, with its members operating out of Romania, Italy, Spain and the UK. The Romanian branch was co-ordinating the operation and its members were moving from city to city in order to avoid being caught.

However, an important nucleus was formed in Iasi, because it is one of the largest cities in the country and, most importantly, a big university center. This allowed the leaders of the gang to recruit students from the specialized universities here, who were willing to earn some extra cash.

A judge has decided that twelve of the individuals will be detained under temporary arrest for 29 days, while another seven have been released, but are not allowed to leave the country. All of them were studying in Iasi, at the Faculty of Automatic Control and Computer Engineering from the "Gh. Asachi" Technical University, or at the Faculty of Computer Science from the "A. I. Cuza" University. The oldest of the arrested students is 25 years old.

"The DIICOT prosecutors have coordinated an operation to dismantle an organized criminal group, which between 2002 and 2009 organized fictitious auctions on the Internet, especially on the www.ebay.com, www.ebay.it and www.ebay.ca websites, cloned the websites of several banks from the UK and Italy, such as www.poste.it, www.ubibanca.it, www.cartasi.it and www.hsbc.co.uk, and used, without authorization, the credit card details obtained through phishing in order to transfer sums of money into other accounts under the control of the group's members," Daniel Horodniceanu, one of the prosecutors, announced.

He also noted that, given the current evidence, the prosecution could legally prove only a fraud of 280,000 euros, but that the real amount was likely to be much bigger.

The members of the network living in other countries were withdrawing money from the targeted banks and were wiring the cash to the leaders in Romania, through Western Union. One interesting aspect is that the students, who were actually doing all the work, did not earn too much, compared with the heads of the operation.

For example, one of the arrested individuals was living in a student dorm, because he couldn't afford to pay rent for an apartment in the city. The parents of most of the students were still sending them food and money every month. Meanwhile, the ringleaders were living in luxury flats and had expensive cars.

"A total of 22 raids were performed in different locations across the counties of Iasi, Valcea, Mehedinti and the municipality of Bucharest, at the homes of the group's members. Three luxury cars, gold jewels weighing 100 grams, 2065 euros, 2150 British pounds, 2200 Romanian lei, 20 notebooks and desktop computers, 30 memory cards, hundreds of CDs and DVDs and two plasma TVs were seized," Chief Commissioner Gheorghe Zbarnea, the head of the Brigade for Fighting Organized Crime, Iasi branch, informed.


The names of the individuals brought before the judge are: the brothers Andrei and Ciprian Ilasoaia, Valentin Pintiliasa, Mihai Adrian Slatineanu, Paul Andrei Chiriac, Catalin Muraru, Ciprian Micutaru, Bogdan Tirpescu, George Duduman, Andrei Corneliu Ciubotariu, Ionut Baraganescu and Florian Martin. All of them face charges of forming and joining an organized criminal group, adhering to or supporting in any way an organized criminal group, committing computer offences, gaining access to a computer system without authorization, and unauthorized possession and use of a password or access code in order to commit computer crimes; two have already admitted to their actions.
 

Security Experts Warn Of 'Staggering' Rise In Malware



Research Shows Economic Slump Prompting Surge In Online Criminality

Malware volumes grew by a huge 300 per cent during 2008, fuelled in part by continuing job uncertainty, according to new research from security-as-a-service provider ScanSafe.

The firm analysed more than 240 billion web requests in over 80 countries last year, and found a particular growth in exploits and iframe attacks, which rose 1,731 per cent, and data-theft Trojans, which increased by 1,559 per cent.

Mary Landesman, senior security researcher at ScanSafe, suggested that the rise in criminal activity could correspond to the decline in the global economy.

"We saw a continued acceleration of web-delivered malware in 2008, reaching significant peaks in October and November. The numbers are staggering," she said.

"It could be that the increasing job losses and uncertainty are fuelling the surge in criminal activity. It is also likely that cyber crime is a viable business opportunity in a climate where legitimate opportunities are becoming increasingly limited."

ScanSafe also warned that trusted sites are now statistically the most dangerous on the web, as they are frequently hacked using techniques such as SQL injection attacks. The firm recorded 780,000 malicious web pages in April alone as a result of a single SQL injection attack.
 

Serious Security Alert for Monster & USAJobs Users


Careers website Monster.com and USAJobs.gov, the official job site of the US Federal Government, have published security alerts to their customers warning of a serious hacking attack.

Feeling a sense of deja vu? Well, you should be as this has happened before.

It appears that Monster.com's database and USAJobs.gov's database were compromised and contact and account information was stolen. Data stolen included users' login names, passwords, email addresses, names, phone numbers and some demographic data.

Here is a short video I have made, explaining the possible impact of this security breach - and explaining why you should take this opportunity to think long and hard about whether you are acting securely with your website passwords:


What the Monster.com security breach teaches us about passwords from Sophos Labs on Vimeo.

Monster has published a warning for its users, advising them to change their passwords. A similar alert has appeared on the USAJobs.gov website, whose database is run by Monster.



Although the warnings are keen to emphasise what information has not been breached during the attack (for instance, social security numbers), it is important to understand the serious risks that Monster and USAJobs customers may be placed in because of this incident.

One very real risk is that hackers will use the email addresses and personal information they have received to mount a realistic phishing campaign, attempting to gather more sensitive information about victims. Phishing emails that look more legitimate because they use the recipient's real name and other personal information (such as user id, phone number or location) are always more successful at social-engineering people into handing over further details that could be used for identity theft.

There is even more potential for danger, however, because passwords have been stolen. We know that too many people use the same password for every website that they access.

That means that if hackers have managed to extract your Monster.com or USAJobs.gov password in this attack, they might be able to use it to break into your email accounts, or the likes of eBay, PayPal, Amazon, and indeed any other website that you have used the same password for.

So, if you use Monster.com or USAJobs.gov you should change your password now. Choose a sensible password that is not a dictionary word and that is hard to guess. And *then* change your passwords at any other site where you might be using the same password. Make sure, of course, that it's not the same password as the one you are using at Monster - you don't want to make that mistake again.

Worryingly, this isn't the first time that Monster and USAJobs have been targeted by hackers who have stolen data about their users. 18 months ago, as this 2007 report from Reuters reveals, hackers used the Monstres Trojan horse to steal details of jobseekers via recruiter accounts. That hack was unsurprisingly followed up by a widespread phishing email campaign.
 

Chatwebcamfree Attack Hits Twitter Users


Hundreds of Twitter users have been hit by another attack on the popular micro-blogging site, with messages being sent from compromised accounts trying to drive traffic to a pornographic website.

The messages which say

hey! 23/Female. Come chat with me on my webcam thingy here www.chatwebcamfree.com

are being spammed out as Tweets.



However, the index page of that website serves up obfuscated JavaScript that loads a variety of pornographic adverts and contains a web form directed to a site called eroticgateway.com.



Clearly, if a hacker has managed to ascertain your Twitter password there is a chance that they may have also compromised your system in other ways too.

Any Twitter users who find that they have unwittingly posted the message would be wise to change their Twitter password immediately. Furthermore, if you use that password on any other non-Twitter account then you must also change those passwords too (please *don't* make it the same as your new Twitter password).

As we don't yet know how the hackers compromised accounts, it wouldn't do any harm to scan your computer with an up-to-date anti-virus product either.

Twitter has confirmed that approximately 750 accounts were hijacked by criminals during the course of this attack, and says that it has reset the passwords of all compromised accounts. That should stop the tidal wave of spam messages advertising adult webcam websites for now.

But there is still a lack of clarity of how the accounts were compromised in the first place.

Finally, one extra thing to throw into the mix. Last month, Facebook users reported seeing a very similar message.



You don't have to be Albert Einstein to put two and two together, and deduce that these attacks must be related.

We're seeing more and more attacks from spammers, phishers, malware authors, scammers and identity thieves against the users of social networks like Twitter and Facebook. These aren't just proof-of-concept attacks in controlled conditions - they're full-blooded assaults seen in the wild every day, making money out of real people.

Source: Sophos.com
 

Swedish Police Claim Massive Anti-Piracy Bust


Waiting in Wings of Pirate Bay Trial

Swedish police raided a location near Stockholm last month where computer equipment containing a huge bounty of alleged pirated material was seized by authorities.

The raid was carried out on 9 February, but private copyright advocacy outfit Antpiratbyrån only revealed that the bust had taken place late on Friday.

A server said to belong to a Nordic file-sharing ring known as Sunnydale was seized from a location in the Brandbergen neighbourhood, south of Stockholm, according to the anti-piracy agency.

It’s understood the server contained data equivalent to 16,000 movies.

"The well-organised pirates on the scene seem to have an inflated sense of their own ability to conceal themselves, but this raid shows that we can get to them," said anti-piracy lawyer Henrik Pontén in a statement.

"Copyright applies to the internet too and we will continue to prioritise efforts to counteract these well-organised groups."

He claimed the Sunnydale ring, which consists of ten servers that contain some 65 terabytes of copyrighted material, had collapsed following the raid.

Pontén also claimed that the Sunnydale operation was the source of all pirated material found on The Pirate Bay.

However, The Pirate Bay co-founder Peter Sunde dismissed some of the lawyer's claims.

"More than 800,000 people have uploaded to The Pirate Bay, so I don't believe it's the source of everything. But it is possible that it's a major source," he told Swedish newspaper Svenska Dagbladet.

Sunde was the main spokesman during the now infamous entertainment industry versus The Pirate Bay trial that drew to a close last week. A judgment isn't expected until 17 April.

Source: TheRegister
 

Daily Telegraph Hit by SQL Injection Attack



Vulnerabilities on a Daily Telegraph website have been exposed by serial grey-hat hacker Unu.

In a posting on the hackersblog site Unu outlines a number of SQL injection security weaknesses on the newspaper's website. The entry, which includes screenshots to substantiate the claim, claims that subscriber email addresses were potentially left open to harvesting as a result of security shortcomings with the site.

More seriously, passwords in clear text were also reportedly exposed.

In a statement, Paul Cheesbrough, chief information officer for Telegraph Media Group, said the attack affected a partner site and not the main Telegraph website.

"The hack interrogated database tables behind one of our partner sites - search.property.telegraph.co.uk - and exposed a weakness in the way that particular site had been coded," Cheesbrough said.

"The problem being highlighted does not affect the main telegraph.co.uk site, as some of our competitors are reporting, but the Telegraph Media Group does take anything that potentially compromises the security of our site and the data that we hold extremely seriously. We immediately took the impacted site down on Friday, and the two-year-old third party code is being re-written to eliminate the issues that hackersblog.org brought to our attention."

The hacker first became famous for scouring the websites of security vendors, such as Kaspersky Lab and BitDefender, for problems. He's since moved on to looking for flaws on more mainstream websites, such as those run by Camelot and the Daily Telegraph.

Trend Micro notes recent research found that three in five (61 per cent) of people use the same password for multiple sites. The compromise of any one site - even if the information it holds isn't particularly sensitive - therefore poses an identity theft risk for those who fail to practice password security.

Here are some of the database names and their version:



Users passwords are in plain view:



Besides numerous interesting tables there is one that contains email addresses of those receiving the newsletter. A real treasure for spammers. In the syntax you can see there quite a bunch of them. I concatenated the 700.000th email address.

 

eBay Scammers Work Unpatched Vulnerabilities in Firefox, IE



Other sites also vulnerable to CSS attack

eBay scammers have been exploiting unpatched vulnerabilities in the Firefox and Internet Explorer browsers to deliver counterfeit pages that try to dupe people surfing the online auction house to bid on fraudulent listings.

The attacks managed to inject eBay pages with hostile code by exploiting bugs long known to afflict Firefox and IE. While eBay has managed to block the exploit from working on its domains, other websites that accept user-generated content may still be vulnerable to the attacks, web security experts warn.

Firefox security volunteers say they are in the process of patching the vulnerability. For their part, Microsoft officials say the exploits aren't the result of a vulnerability in IE but rather of websites that fail to properly protect against such attacks.

The evil genius behind the eBay scheme managed to pull off what amounts to an XSS, or cross-site scripting, attack that injected forbidden JavaScript elements stored on third-party websites. That allowed the eBay pages to contain outside email links and other unauthorized code while still evading toolbars designed to detect fraudulent listings.

In addition to injecting a link that automatically prompts users to email the seller at an aol.com address, the scam used a random number generator to change the item number each time the page was loaded. Item numbers are supposed to be unique and are used to report fraudulent listings. Changing the number made it harder for eBay's fraud busters to remove bogus auctions.



The attacks targeted Firefox by exploiting the way the browser implements what's known as XBL, or XML binding language. By invoking a rogue CSS, or cascading style sheet, hosted on a third-party site, the Mozilla browser was tricked into running forbidden code that injected fraudulent content into the listings. Over the past week, there has been considerable debate among Mozilla security volunteers about whether the condition amounted to a security vulnerability or an intended feature. They decided to make changes to the browser after witnessing the eBay scams that abused it.

"Patches are being constructed to get rid of an existing useful feature due to the patent inability of some websites to take elementary protective measures even after 5 years of the feature existing and after being repeatedly told to NOT link to external sheets by all browser vendors," one debate participant wrote El Reg in an email. "Note that the patch won't really help eBay much unless they really do start filtering the CSS they allow, since so much can be accomplished with just CSS."

A similar bug also related to off-site CSSes allowed the eBay attacks to work flawlessly on IE browsers, as the above screenshot makes clear. The exploit targeted IE functionality commonly referred to as expressions that has long been a known vector of XSS exploits. While IE 8 has been locked down to prevent such attacks, versions 6 and 7 of the Microsoft browser have not, and Bill Sisk, Microsoft's security response communications manager, said there are no plans to add such protections to the older browsers.

"Our investigation has shown that it is not a vulnerability in Internet Explorer," Sisk wrote in an email over the weekend. "In fact, the claim represents a method by which malicious attackers can exploit specific functionality in websites to bypass security measures. The nature of these attacks is not new and website operators commonly have protections in place to mitigate against such attacks."

Except when they don't, as was the case last week when eBay was hit by the attacks. Company spokeswoman Nichola Sharpe issued a statement that read in part: "This is not a new security threat, our online security experts are already aware of this and have identified it as a known bug in Firefox. eBay utilizes sophisticated security technologies to protect our customers against attacks such as this. We continually update our security to deal with emerging threats - and have done so with this threat."



Maybe, but eBay took more than 24 hours to remove one such fraudulent listing after it was reported, said Cefn Hoile, a browser security expert who first reported the Firefox issue.

"eBay has to take some responsibility for sure," Hoile wrote in an email. "They chose to serve this content which incorporated the third party stylesheet."

The only way to effectively protect users from such attacks is to white-list filter a set number of CSS functions deemed to be safe and to block everything else. That may be patently obvious to some, but if eBay has only now gotten around to implementing such measures, it's a good bet plenty of other websites are still wide open to this attack. Which means we wouldn't be surprised to see more attacks like these coming to a Web 2.0 site near you.
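The allowlist approach the article describes, as an added example that is not eBay's, Mozilla's or Microsoft's code: it keeps only a small set of presentation properties with plain token values and drops everything else, so off-site stylesheets, url(), IE expression() and XBL bindings (attached through the -moz-binding property) never reach the page. The inline style format, the property list and the sample listing fragment are assumptions constructed for this example.

```javascript
// Added example (not eBay's, Mozilla's or Microsoft's code): an allowlist
// filter for user-supplied CSS in listings, the mitigation the article
// describes. Anything not explicitly permitted is dropped.
// Assumption (constructed for this example): listing styles arrive as an
// inline "prop: value; prop: value" string and only simple presentation
// properties are needed.

const ALLOWED_PROPERTIES = new Set([
  'color', 'background-color', 'font-size', 'font-weight', 'font-family',
  'text-align', 'margin', 'padding', 'border', 'width', 'height',
]);

// Values may contain only plain tokens. Parentheses, quotes, slashes,
// backslashes (CSS escapes) and semicolons are all rejected, so url(),
// expression(), -moz-binding, @import and comment tricks never get through.
const SAFE_VALUE = /^[a-zA-Z0-9#%.,\s-]+$/;

function sanitizeStyleAttribute(style) {
  const kept = [];
  const dropped = [];
  for (const decl of style.split(';')) {
    const trimmed = decl.trim();
    if (!trimmed) continue;
    const idx = trimmed.indexOf(':');
    if (idx === -1) { dropped.push(trimmed); continue; }
    const prop = trimmed.slice(0, idx).trim().toLowerCase();
    const value = trimmed.slice(idx + 1).trim();
    if (ALLOWED_PROPERTIES.has(prop) && SAFE_VALUE.test(value)) {
      kept.push(`${prop}: ${value}`);
    } else {
      dropped.push(`${prop}: ${value}`);
    }
  }
  return { css: kept.join('; '), dropped };
}

// Screening aid for a listing's raw HTML: flags constructs that pull in
// off-site stylesheets or script-bearing CSS. Regex, not a parser, so it is
// a reviewer's detector rather than a replacement for the allowlist above.
const RISKY_PATTERNS = [
  [/<link[^>]+rel\s*=\s*["']?stylesheet/gi, 'external stylesheet link'],
  [/@import\b/gi, '@import'],
  [/url\s*\(/gi, 'url()'],
  [/expression\s*\(/gi, 'IE expression()'],
  [/-moz-binding/gi, 'XBL binding'],
];

function findRiskyStyleRefs(html) {
  const hits = [];
  for (const [re, label] of RISKY_PATTERNS) {
    re.lastIndex = 0;
    let m;
    while ((m = re.exec(html)) !== null) hits.push({ label, at: m.index });
  }
  return hits.sort((a, b) => a.at - b.at);
}

// Constructed sample listing fragment (not a real eBay page).
const SAMPLE_STYLE =
  'color: red; background: url(http://third-party.example/s.css); ' +
  'width: expression(1); font-size: 12px';
const SAMPLE_HTML =
  '<div style="color:red">' +
  '<link rel="stylesheet" href="http://third-party.example/s.css">' +
  '<style>@import url(http://third-party.example/t.css);</style></div>';

console.log(sanitizeStyleAttribute(SAMPLE_STYLE));
// css: "color: red; font-size: 12px"; dropped: the background and width declarations
console.log(findRiskyStyleRefs(SAMPLE_HTML));
// three hits: external stylesheet link, @import, url()
```

Quoted font names and anything needing url() are rejected as a side effect of the value grammar; widen ALLOWED_PROPERTIES and SAFE_VALUE only for constructs you have checked cannot reference an external resource.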
 

One in 20 Corporate PCs Infested by Bots

By PK

Between three and five per cent of corporate systems are infected by bots, according to a study by security firm Damballa.

The finding comes from Damballa itself and is being used to promote the need for its line of security appliances, designed to block communications between infected hosts and zombie-control servers, as an added layer of protection in addition to conventional anti-virus defences. Self-interest aside, the Damballa study may point to shortcomings in conventional anti-virus software that are well worth considering.

A study of antivirus scanning tools by Damballa over the last six months found that only 53 per cent of 200,000 malware samples were detected by conventional scanners on the day they first appeared. Around one in seven (15 per cent) of the sample were undetected even after 180 days.

Damballa reckons the average gap between malware release and detection using conventional antivirus is 54 days.
 

British Postman Loses £130,000 to MySpace "Friend"

By PK


The British newspaper Mail Online reports that a local postman was scammed out of his life savings by an attractive female "friend" he met on the popular online community site MySpace.

Saving the Damsel in Distress

The postman, Shane Symington, seems like a nice fellow who was simply trying to help a fellow human being. He befriended an American woman named 'Angela Gates' on MySpace in 2007. After a few weeks of friendly banter, the woman began asking for money to pay for her mother's funeral and for medical expenses.

What could Shane do but rush in and save her from her predicament? She needed him!

In order to hit every soft spot Shane had, 'Angela' also told him she needed more money to pay for legal fees that would allow her to inherit a $2 million piece of property. Anyone who's studied Advanced Fee Fraud scams will recognize this kind of story.

Damsel Turns Out to Be a Dude

Unfortunately, it appears Shane hadn't studied much about scams. It turns out this attractive, bikini-clad and potentially rich American woman was really a Nigerian man. Surprised? I doubt it.

After emptying Shane's bank account the Nigerian man even contacted Shane and admitted his fraud, but the story doesn't end there.



From the Mail Online:

He was then contacted by another woman, again from America, claiming she had also been caught in the scam.

He said that he then helped pay her legal expenses and the cost of hiring two ex-FBI agents in an attempt to regain the lost money for both of them.

Mr. Symington said that he now believes that these people are also involved in the scam. He said that he had paid out more than £30,000 to them, bringing his total losses to more than £130,000.


Ouch!

The lesson to learn here is that when these scammers find a victim, they hit them with multiple scams from multiple people until they have milked their target completely dry.

What does Shane have to say about all of this:

I feel sick from it all, I feel disillusioned, they have just played on my good nature. I've lost my life-savings, I have two loans and credit card debts, I'm in huge debts because of all of this.

You just can't trust anyone on the internet. I want to warn people but I know I won't be the last to fall for something like this.


The police in Hampshire working the case said that there's little they can do to recover the money because of the current political situation in Nigeria.



What Can We Do?

These stories are hard to read. We can't believe someone can be so easily manipulated. So what can we do? I suggest you help your friends, relatives, and neighbors by educating them about these kinds of scams. Shane said it best - "I won't be the last to fall for something like this."

Don't let it happen to someone you know.
 

Phishers Automate Attacks Using 'Google Hacking'

By PK


Three in four phishing sites are hosted on compromised servers, according to a new survey.

A study of 2,486 fraudulent websites found that 76 per cent were housed on hacked webservers, typically pwned after hackers identified well-known vulnerabilities using search engine queries. Free web hosting for fraudulent websites was used in just 17.4 per cent of cases.

The paper, called Evil Searching: Compromise and Recompromise of Internet Hosts for Phishing, by security researchers Tyler Moore and Richard Clayton, also found that a sizeable minority of compromised systems were serial victims of attack.

One in five (19 per cent) were hit again less than six months after a phishing-related hack attack. That's because legitimate owners might turf out fraudsters from their systems but they often fail to fix underlying vulnerabilities that let them in.
 

Koobface Variant Worms Across Social Networking Sites



Facebook rejects 'martial law' app vetting idea

A new strain of the Koobface worm is spreading across social networking sites including Facebook, MySpace and Bebo.

The malware posts invitations to the friends of infected users inviting them to view a video. The linked website tries to trick prospective marks into believing they need an updated version of Adobe Flash Player plugin to view the clip. The software offered is, of course, loaded with Windows-specific Trojan code. This malware establishes a back-door on compromised Windows machines.

A write-up of the assault, including screenshots, can be found on Trend Micro's website here.

The attack follows the appearance of two rogue applications - "Error Check System" and "Facebook Closing Down" - last week which used misleading messages in order to hoodwink users into activating software packages. Neither app spread malware as such, but Error Check System has been linked to indirect attempts to attract surfers to sites punting rogue anti-malware (AKA scareware) packages.

Security watchers, such as Rik Ferguson at Trend Micro, responded to the twin threats by urging Facebook to vet applications. Facebook founder Mark Zuckerberg rejected the idea on Monday. "There will occasionally be some applications that people don't like," Zuckerberg told the BBC Newsbeat. "Our philosophy is that having an open system anyone can participate in is generally better."

Facebook spokesman Simon Axten went much further along this path, arguing that vetting applications after two problems is like saying "there have been two robberies, we need to implement martial law in the city". More than 660,000 developers write for the platform and only a tiny, tiny percentage are doing anything potentially untoward, he told CNet, adding that the site employs a team that investigates applications that behave suspiciously.

Source : The Register
 

Is Someone Stealing Pennies From Your Bank Account?

By PK



It May Be "Salami Slicing." It May Be Petty Theft.

The latest identity theft scheme doesn't aim to empty your debit account or charge you to the credit limit—not yet anyway. According to The Boston Globe, at least 800 credit and debit cardholders have reported finding tiny fraudulent charges on their statements in recent weeks.

The charges range from 21 to 48 cents, and are billed under two phony business names: "Adele Services" and "GFDL."

The mysterious charges have led to a range of speculation over the nature of the scam. Some think that the small charges are meant to test the validity of a registry of stolen credit card numbers which may have been resold by the original thieves. If the theory is correct, those whose cards have already been charged can probably expect to be targeted for much larger amounts down the line.

A Slice of Salami

A less likely theory parallels the scam attempted by the main characters in the movie "Office Space," which featured three disgruntled computer programmers who attempt to slowly embezzle money from their company, pennies at a time. The scheme is sometimes referred to as "salami slicing", but usually targets businesses or customers rather than an unconnected group of individuals.

If this theory holds, those who fail to notice that their accounts have been compromised will continue to be targeted for small amounts of money indefinitely. Most likely, the thieves would have to create new false companies with each wave of thefts.

Plan of Action

Regardless of the intent of the perpetrators, the course of action for those who notice small, unexpected charges on their debit and credit card statements is the same:

1. Report the charges to your bank or other financial institution.
2. Report your card stolen so that you can be issued a new credit card and credit card number.

As always, it's important for everyone to pick carefully through their statements each month (if not more frequently), looking for charges they don't recognize. Whether a questionable charge is 1 cent, $1, or $100, it should always be treated as a potentially serious problem.
 

New Phishing Technique Discovered. Learn How It Works...

By PK

It's a new year and — what do you know — there's a new tactic in the endless quest for new and improved phishing schemes from scammers.

Here's How It Works


Researchers at Trusteer recently released a security advisory detailing this new phishing technique. Rather than using email to lure unsuspecting victims into clicking over to a fake web site, this technique uses what Trusteer is calling "in-session" attacks. Here's a typical scenario:

* A user opens a browser and logs into their banking web site
* Leaving that browser session open, they open another browser window to check on their Webkinz or some other web pursuit.
* After a time, a pop-up window opens — supposedly from their bank web site — asking for them to re-enter their username and password.
* Since the user has recently logged in to the targeted web site, they are more likely to enter their info.

That's it! Their login credentials are now in the hands of the scammers.

What Makes It Possible?

A few things have to be in place for this to work. First, the scammers need a compromised web server in order to install the malware. Fortunately, there are lots of those around. Second, the malware has to be able to determine which other sites the user has visited. This is possible based on a vulnerability in the JavaScript engine used by Internet Explorer, Firefox, Safari, and Chrome.

From Trusteer:

The source of the vulnerability is a specific JavaScript function. When this function is called it leaves a temporary footprint on the computer and any other website can identify this footprint. Websites that use this function in a certain way are traceable. Many websites, including financial institutions, online retailers, social networking websites, gaming, and gambling websites use this function and can be traced.

How Can You Protect Yourself?


Well, the planets have to align a bit to pull this scam off and it's likely the JavaScript vulnerability will be patched in the near (hopefully) future.

Until then, Trusteer recommends the following preventative measures:

* Have an up-to-date anti-virus installed
* Be suspicious of any pop-ups asking you to login

and most of all...
* Log out of banking or other sensitive sites before heading over to Pogo.com for your bingo fix.

Learn more about this attack by downloading Trusteer's security advisory http://www.trusteer.com/files/In-session-phishing-advisory-2.pdf
 

Breaking News: Obama Refuses to Be President

By PK



Did that get your attention? Scammers are hoping it will.

Breaking News Malware Emails

An ongoing strategy of scammers is to send out spam emails with shocking or titillating subject lines. They've decided the recent nomination of Barack Obama is a perfect topic and Symantec has reported that emails are showing up that read something like this:

Sample Emails

"Subject: Breaking news

Barack Obama refused to be the president of the United States of America

Yours Sincerely,
Cecily Lynn"

"Subject: What is going on with our country?

Obama has gone

Yours faithfully,
Rodney Lynch"

The links in the actual emails (we're not linking to anything in the examples above) point to the following site:



What is the Threat?

The site instantly attempts to bypass any browser security and install malware on your computer. If that fails, any link on the site will download and install the malware. The software is called W32.Waledac. Here's what it does, as described on the Symantec web site:

Rest assured that we detect this piece of malicious software under the name W32.Waledac. This particular piece of malware is capable, among other things, of:

* harvesting sensitive information on your computer
* turning your machine into a spam zombie
* establishing a back door on your computer that will allow it to be remotely accessed

How Can I Protect Myself?

Resist the Impulse to Click - scammers will try to provoke an emotional response in order to keep us from thinking about what we're doing. When you see an email like this, think for a moment if it's even reasonable. Ask why someone would send an email like this. What's the point?

Keep Your Software Up to Date - we've recently talked about keeping your Windows systems updated. The same goes for browsers, email clients, or anti-virus software. If your software is up-to-date, you're more likely to avoid being hurt by scams like this.

By the way, Obama certainly didn't refuse to be president. I watched the inauguration myself and my thoughts and prayers are with him. Whatever your political affiliation or citizenship, we should all hope and work for his success.
 

Phishers Launch Multi Platform IM Attack

By PK

Gmail and Yahoo account holders among those targeted in widespread scam

Users of internet chat services have been hit by a major phishing attack aimed at stealing account log-in details, security researchers have warned.

The unsolicited instant messages urge users to click on a TinyURL link to watch a video, but the link takes them to a site called ViddyHo which asks them to fill in user names and passwords. The phishers can then use these details to hack into user accounts and send more malicious links.

Much of the focus around this attack has been on risks to Gmail account holders, in response to the Google Mail outage on Tuesday. However, phishers are also targeting users of instant messaging systems from Yahoo, Microsoft and MySpace.

"This is, of course, a classic attempt to phish credentials from the unwary," wrote Sophos senior technology consultant Graham Cluley in a blog posting. "The hackers behind ViddyHo could use the credentials they have stolen via their site to break into accounts, grab identity information and impact your wallet."

Users are also more likely to fall for this attack because the link comes from a trusted source, according to Rik Ferguson, solutions architect at security vendor Trend Micro.

"If the message has come from your friend, you're far more likely to click on it," he said. "It's also interesting to see link obfuscation techniques here, using the TinyURL service to mask malicious URLs."

Although TinyURL has since reportedly blacklisted ViddyHo, these kinds of attack are likely to increase because of the "added value of trust" enabled by using compromised accounts to send out the malicious links, explained Ferguson.

He advised users to make sure that the passwords they use to log in to financial sites are different from those they use for email, instant messaging and social networking accounts, and to ensure that any site asking for log-in details displays the padlock symbol.

Just a week ago RSA Security reported that the number of global phishing attacks grew by 66 per cent last year compared to 2007, equating to 135,426 separate incidents.