The website suffered a temporary downtime while the mess was cleaned up

Mar 5, 2009 10:22 GMT

The popular photo library iStockphoto has been targeted by cyber-criminals, who have launched a phishing attack on the website's forums and user e-mail service. The attack has been blocked, but users are advised to change their account password.

iStockphoto is considered the pioneer of a concept known as microstock photography, and is one of the preferred stock photography services for marketers around the world because of its very low and flexible prices. The website, which dates back to 2000, was acquired by stock photography giant Getty Images in February 2006.

On March 3, the contributors and users of the service experienced problems while trying to access the website. It was later explained in a technical support document that the problems were caused by a phishing attack launched by unknown parties against the forums and sitemail. "We strongly urge all users who logged in at some point today [March 3], to change their password. In addition, do not open any sitemail until we can clear out the malicious messages," the website management advised.

At first, details were scarce, and the support page did little to raise awareness. The site's security team therefore posted a more detailed message in the "Community news" box. It explained that the attack involved spamming a fake iStockphoto authentication page hosted on an external server.

"This attack created a fake istockphoto.com login screen, prompted the user for a username & password, saved them to a malicious server, then redirected the user back to the iStockphoto main page," the notification read. It was also stressed that no credit card information was at risk, because such data was never stored on the company's servers.

However, while this incident might not have put significant amounts of sensitive user data at risk, it could result in collateral damage. "The danger is that so many people use the same password for every single website they access. That means, if they have your iStockphoto password, then they also have your Amazon password, your eBay password, your PayPal password, your Facebook password, your Twitter password, your Hotmail password...," Graham Cluley, senior technology consultant at Sophos, explains.

This danger is also acknowledged by the website's staff, who recommend: "As a precaution, please make sure you reset all your online passwords on other sites if they happen to be the same as the one you use on iStockphoto." Graham Cluley warns: "It's crazy using the same password for every website you access. If you do that, change your habits. Right now."