Yahoo 360's gone phishin'

A new phishing scam is circulating through Yahoo IM lists, sending emoticon-laden links to contacts on an infected account. Indeed, CNET's own Yahoo Messenger users have not been immune.

Phishing link sent through Yahoo IM.

(Credit: CNET Networks)

The link reads as a Geocities.com URL, but spoofs a Web page advertising Yahoo 360, a social-networking service.

Spoofed landing page for rigged Yahoo 360 service.

(Credit: CNET Networks)

Phishing schemes simulate legitimate Web sites to trap users into giving up their account information. With that information harvested, security fraudsters can sell your passcodes or exploit them directly by breaking into your bank or personal account. From there, the possibilities for fraud are varied.

While many phishing schemes are poor approximations of the real deal, with sketchy graphics and spelling and grammar errors, this Yahoo 360 spoof is more believable. Moreover, spoofs are successful when users follow the automatic reflex to sign-in to their account, or buy into the sense of urgency and doubt created by a doomsday phishing e-mail, for example, that the victim's account is about to expire.

Legitimate home page for Yahoo 360.

(Credit: CNET Networks)

Social conditioning may also play a role in the success of IM phishing for contacts who are accustomed to click links sent by their colleagues and friends. While CNET has extensively covered e-mail phishing on CNET Download.com, CNET News.com, and on CNET Security, IM phishing is a newer approach to illegal data harvesting, and perhaps one that many users don't regularly question.

So keep those senses sharp, and make sure your PC is fully patched.