Phishing links sent from the YM accounts of infected users

Dec 14, 2009 11:35 GMT

Security researchers report on a new phishing campaign that circulates on Yahoo! Messenger and is instrumented with the help of hijacked accounts. A spammed rogue video link takes users to a fake Facebook login page.

The new attack was discovered by researchers from enterprise software giant CA. "While using Yahoo Messenger recently I received new IM Spam from my one [sic] of my friends. Just by the look of it I could tell that it was most likely a malware related IM Spammed Message," Ricardo Robielos III, a research engineer in CA's Internet Security Business Unit (CA ISBU), writes.

"Hii. http://priv[REMOVED]deo.com/live. Klik n login. Ok. .....!!" the rogue message reads. Clicking on the URL opens a fake Facebook login page, suggesting that the user needs to authenticate on the social networking website before being able to see the video.

Inspecting the source code of the page reveals that the submitted login credentials are saved to a logs.php file on the same server, after which the user is redirected to a female user's YouTube channel. The YouTube page looks legitimate, and there is no indication that the account's owner is involved in the scheme.
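The tell-tale sign described above, a login form that imitates one brand but submits the password to a script on an unrelated server, can be checked mechanically. The following script is an added illustration written for this article, not tooling from CA or the researcher; the page URL, the host name and the HTML are constructed stand-ins for the redacted original. It parses the page's forms, resolves each form's `action` against the page URL, and flags any password-bearing form whose target host is not one of the hosts the page claims to belong to.

```python
"""Flag login forms that would send a password to a host other than the
brand the page imitates.  Added example; the sample page is constructed."""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse


class FormCollector(HTMLParser):
    """Collect each <form>'s action and whether it contains a password field."""

    def __init__(self):
        super().__init__()
        self.forms = []       # one dict per form: {"action": str, "has_password": bool}
        self._current = None  # form currently being parsed, if any

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._current = {"action": a.get("action") or "", "has_password": False}
            self.forms.append(self._current)
        elif tag == "input" and self._current is not None:
            if (a.get("type") or "").lower() == "password":
                self._current["has_password"] = True

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def check_login_forms(page_url, html, expected_hosts):
    """Return one finding per password form: where it posts and whether that
    host falls outside the expected brand domains (suspicious=True)."""
    parser = FormCollector()
    parser.feed(html)
    findings = []
    for form in parser.forms:
        if not form["has_password"]:
            continue                       # not a credential form, ignore
        # A relative action such as "logs.php" resolves against the page URL,
        # which is exactly how the phishing page gets the browser to post to it.
        target = urljoin(page_url, form["action"]) if form["action"] else page_url
        host = (urlparse(target).hostname or "").lower()
        trusted = any(host == h or host.endswith("." + h) for h in expected_hosts)
        findings.append({"action": target, "host": host, "suspicious": not trusted})
    return findings


# Constructed stand-in for the redacted phishing page: a Facebook look-alike
# whose form posts to a logs.php script on the same (hypothetical) server.
PHISHING_PAGE_URL = "http://video-example.invalid/live"
PHISHING_HTML = """
<html><body>
<h1>Log in to Facebook to watch this video</h1>
<form method="post" action="logs.php">
  <input type="text" name="email">
  <input type="password" name="pass">
  <input type="submit" value="Log In">
</form>
</body></html>
"""

# Constructed control case: a form that really posts to the brand's own host.
GENUINE_HTML = """
<form method="post" action="https://www.facebook.com/login.php">
  <input type="text" name="email"><input type="password" name="pass">
</form>
"""


def demo():
    """Run both samples; returns (phishing_findings, genuine_findings)."""
    brand_hosts = {"facebook.com"}
    bad = check_login_forms(PHISHING_PAGE_URL, PHISHING_HTML, brand_hosts)
    good = check_login_forms("https://www.facebook.com/", GENUINE_HTML, brand_hosts)
    return bad, good


if __name__ == "__main__":
    for finding in demo()[0] + demo()[1]:
        flag = "SUSPICIOUS" if finding["suspicious"] else "ok"
        print(f"{flag:10} password form posts to {finding['action']}")
```

The check is deliberately narrow: it does not fetch anything, and it only answers "does this password leave for a host the page does not claim to be?", which is the property the researcher confirmed by reading the page source. Forms built dynamically by JavaScript will not be seen by a static parse, so a negative result is not a clean bill of health.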

"Watch out for these spam messages; my friend was unaware that her account was sending spam," the CA researcher advises. The spam is most likely the result of a malware infection, but the exact nature of this malicious application has not yet been determined.

Using instant messaging applications to launch attacks is not uncommon. Back in October, we reported on a Skype spam, which distributed scareware; however, that attack was instrumented through fake accounts. In September, Fortinet researchers documented a variant of the Pushbot worm that spread through spam messages on a variety of IM applications including AIM, MSN and Triton.

A similar attack was disclosed by Vietnamese security vendor Bach Khoa Internetwork Security (Bkis) in May. Yahoo! Messenger credentials stolen from infected computers were being used to send spam when the account owners were supposed to be offline.