I recently got a bunch of Yahoo instant messages from a few IM buddies, all of them pointing at the same Geocities page: www.geocities.com/omg_thats_too_funny_3/ Unfortunately, that page had been taken down by the time I could check what it was about. Also, my buddies couldn’t recall sending me that link.

IM Phish
It’s essentially a phishing attack delivered over the popular Yahoo instant-messenger network. You might see an offline buddy sign in, send you the above link with a couple of tempting smileys, and quickly log off. The scary part is that the message is sent without the buddy’s knowledge, frequently when they are not online at all. They might even remember getting knocked off Yahoo IM because “they signed in somewhere else”. That is a strong hint that their Yahoo account has been compromised.

If you look around, you will find quite a few others have been scammed into losing their Yahoo passwords via phishing sites:

http://isc.sans.org/diary.php?storyid=1463
http://www.broadbandreports.com/forum/remark,14377670
http://zigzackly.blogspot.com/2005/10/yahoo-password-hack-warning.html

IMs from buddies are too easily trusted. Many sites that host pictures/videos allow only registered users to view them, so a page that asks for a Yahoo login before showing the “funny” content doesn’t look unusual. It’s not surprising that this type of attack is so successful.

What’s different about this attack is that it’s not a simple password-stealing attempt against a single targeted user. Once an unsuspecting user gives up her credentials by submitting them at the phishing site, a CGI script on that site uses the YMSG protocol with the stolen credentials, logs on to the Yahoo IM network and gathers the buddy list of that user to propagate the attack further! All buddies of the compromised account get similar IMs posing as this user.

Theorizing further, it’s not hard to imagine a central attacker-controlled database of stolen Yahoo IM IDs (and, for the users who fell for the phishing, even their passwords). Such a database could be really useful for spammers. It can be used for some fancy data-mining as well (buddy relationships etc.). At the very least, it shows which users are security savvy and which ones are not! :)

The attacker can keep creating new sites as older ones are taken down/blocked. Yahoo IM’s default-allow policy makes all this even worse - non-buddies (anyone!) can send you an instant message without any previous contact. That openness is actually the whole point of advertising a Yahoo ID on social networking sites like Orkut, Myspace etc. So these phishing attacks can’t really be blocked at the network or URL level.

The only solution seems to be a “site-key” mechanism on the Yahoo login page(s): something like a user-chosen image/secret that gets displayed before the user even types the username (or password). This image can be selected based on the cookies/Macromedia Flash local objects stored during previous sessions. Since those local objects are bound to Yahoo’s domain and only Yahoo can read their content, only Yahoo can generate the right site-key image. The user enters her credentials only after recognizing the right site-key; a login page with no site-key (or the wrong one) is the signal not to type the password.
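As an added illustration of the site-key idea above (this is example code, not anything Yahoo ships): the browser keeps only a MAC-protected cookie naming the user, the chosen image stays in a server-side store, and a page on any other origin never receives that cookie, so it cannot show the right image. The `SITEKEY_DB` contents and the server key are constructed for the example.

```python
import hmac
import hashlib
import secrets

# Constructed sample store: image each user picked at enrollment (server-side only).
SITEKEY_DB = {"alice": "red_canoe.png", "bob": "green_kite.png"}


def issue_device_cookie(username: str, server_key: bytes) -> str:
    """Cookie set on the user's browser after a fully verified login.
    It carries the username and a random nonce, bound with an HMAC so that
    a forged or edited cookie is rejected; the image name never leaves the server."""
    payload = f"{username}:{secrets.token_hex(8)}"
    mac = hmac.new(server_key, payload.encode(), hashlib.sha256).hexdigest()
    return f"{payload}:{mac}"


def sitekey_for_cookie(cookie, server_key: bytes, db=SITEKEY_DB):
    """Image to display before the password prompt, or None when no valid cookie
    is present. A phishing page on another origin is in the None case: the
    browser will not send it Yahoo's cookie, so it has nothing to look up."""
    if not cookie:
        return None
    parts = cookie.split(":")
    if len(parts) != 3:
        return None
    username, nonce, mac = parts
    expected = hmac.new(server_key, f"{username}:{nonce}".encode(),
                        hashlib.sha256).hexdigest()
    if not hmac.compare_digest(mac, expected):   # tampered or forged cookie
        return None
    return db.get(username)


def login_step(cookie, server_key: bytes) -> dict:
    """What the first login screen renders: the site-key image when the device is
    known, otherwise an enrollment/verification step instead of a password box."""
    image = sitekey_for_cookie(cookie, server_key)
    if image is None:
        return {"show_password_field": False, "action": "verify_device"}
    return {"show_password_field": True, "sitekey_image": image}
```

A new browser (or cleared cookies) lands in the `verify_device` branch, so the scheme needs an out-of-band check before issuing the first cookie; its value is that the user learns to refuse any login page that shows no site-key.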