A phishing email claiming to come from AOL's security department is being sent to subscribers telling them the company suffered a security breach over the weekend and that personal information had been compromised.
The email also asks users to log on to a website to download a fake "security patch", in order to "protect their information".
"Failure to download this security patch in the next 48 hours will result in the temporary suspension of your America Online account," said the spoof message. "At this point we will send you a Security Patch CD in the mail. Upon installing it, your account will be reactivated."
If a user clicks on the link, they are redirected to a website hosted in Scotland that downloads a piece of malware named patch.scr, written in Visual Basic and using Yoda Crypt.
Once the file is executed, it asks the user to disclose confidential account and billing information, including their account limit. This information is then sent in a text file via FTP to an account at a hosting facility.
An expert said the attack marked a new tactic by phishers.
"This is a blended threat that we have not seen before," said Ross Paul, product marketing manager at Websense. "It combines the threat of a security breach with a link to a download that masquerades as a patch but in fact requests sensitive user information."
Earlier this month, SC Magazine reported that internet thieves are resorting to a "softly softly" approach in order to steal money from users' accounts without arousing suspicion.