RealTime IT News

Phishers Use Photos for Catch

A phishing scam is hooking Yahoo users by stealing their user names and passwords when they log into what looks like an area of the Yahoo site, according to a security firm.

San Diego-based Websense said scammers send an e-mail or instant message that claims to be from a contact wanting to show off photos of a recent event. The message contains a link to a phishing site, which records the user's Yahoo ID and password and then forwards them to the real Yahoo Photos site.

The scam is being hosted in the United States on the free Web space provided by the Yahoo Geocities service, according to Websense.

"It is hard to gauge, but we've had a number of reports," Dan Hubbard, senior director of security at Websense, said. "But I wouldn't be alarmed at this point."

The scammers are also harvesting the contacts from each victim's contact list, said Hubbard.

"We've seen people who have had an attacker take all contacts within the list and then forward the same message to each of those," he said.

Hubbard said it would be hard for users of Yahoo Photos to tell if they'd been phished unless a contact informed them about the message supposedly originating from them.

"The only sign we know is if some contacts received the same message," Hubbard said.

"When we learn about phishing sites, we remove them as quickly as possible. Yahoo treats users' security as a top priority and continues to take a hard look at how to effectively combat phishing," Yahoo said in a statement.