More evidence that phishers are widening their net. Munir Kotadia of ZDNet Australia reports that Yahoo’s free instant-messaging (IM) service is being targeted by phishers in an attempt to steal usernames, passwords and other personal information.
Yahoo confirmed on Thursday its service was being targeted by a phishing scam. According to the search giant, attackers are sending members a message containing a link to a fake Web site that looks like an official Yahoo site and asks the user to log in by entering their Yahoo ID and password.
The scam is convincing because the original message seems to arrive from someone on the victim’s friends list. Should the recipient of the phishing message enter their details, the attackers can gain access to any personal information stored in their profile and more importantly, the victim’s contact lists.
The bigger point about this is that any kind of password may be enough for the phisher. WIth Yahoo! the successful phisher may be able to get quite a lot of personal data for a future social engineering attack, and may even be able to access payment details such as addresses from within the profile. A phisher could also access the user’s Paypal account, redirect shipments, learn about the user’s investments, impersonate the user in auctions, etc etc. I’m not sure whether the phisher could access credit card details, but it’s feasible, I guess.