Users of internet chat services such as Google Chat have been hit by a major phishing attack aimed at stealing account log-in details, security researchers have warned.
The unsolicited instant messages urge users to click on a TinyURL link to watch a video, but the link takes them to a site called ViddyHo which asks them to fill in user names and passwords. The phishers can then use these details to hack into user accounts and send more malicious links.
Much of the focus around this attack has been on risks to Gmail account holders, in response to the Google Mail outage earlier this week. However, phishers are also targeting users of instant messaging systems from Yahoo, Microsoft and MySpace.
"This is, of course, a classic attempt to phish credentials from the unwary," wrote Sophos senior technology consultant Graham Cluley in a blog posting. "The hackers behind ViddyHo could use the credentials they have stolen via their site to break into accounts, grab identity information and impact your wallet."
Users are also more likely to fall for this attack because the link comes from a trusted source, according to Rik Ferguson, solutions architect at security vendor Trend Micro.
"If the message has come from your friend, you're far more likely to click on it," he said. "It's also interesting to see link obfuscation techniques here, using the TinyURL service to mask malicious URLs."
Although TinyURL has since reportedly blacklisted ViddyHo, these kinds of attack are likely to increase because of the "added value of trust" enabled by using compromised accounts to send out the malicious links, explained Ferguson.
He advised users to make sure that the passwords they use to log in to financial sites are different from those they use for email, instant messaging and social networking accounts, and to ensure that any site asking for log-in details displays the padlock symbol.
Just a week ago, RSA Security reported that the number of global phishing attacks grew by 66 per cent last year compared to 2007, equating to 135,426 separate incidents.