Was the Messenger Virus Controlled?

For those using Yahoo! Messenger like I do, you could have encountered a friend sending links to some cool pics (s)he would like to show you. I wouldn’t have blogged this as my friend Nicole already did. But, it seems that those at Yahoo! have already controlled the spread by blocking the links causing them to just show up as “http://” and not the whole URI to the infected Web site.

I happened to encounter those messages weeks before I knew it was a virus but I use Firefox, and when I went to the Web site, it didn’t infect me at all.

I just hope other messenger programs implement a block for those infectious messages as well in one way or another if it would not be like the system Yahoo! is already using. Besides, not only Yahoo! Messenger is vulnerable to this, but also AOL Instant Messenger and Windows Live Messenger. If you use these two other messaging services, please tell me if they’re also properly responding to these attacks. More info about the virus can be found at the Trend Micro Virus Encyclopedia entry for WORM_SOHANAD.I

Happy IMing to you all! 🙂

Update: The spammers apparently knew about what Yahoo! has been doing to block the URL to their malware site as I’ve just received another spam message from a contact with the address still intact. They now encode a portion of the domain to circumvent the filters of Yahoo! Messenger servers. For example, instead of thecoolpics.com which is blocked by server filters, they now send addresses as thec%6folpics.com with %6f being a URL-encoded version of the letter o.
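The bypass described in the update works because a literal string match never sees the decoded host name. The following is an added example, not code from Yahoo! or from the original post: a sketch of a message filter that percent-decodes each URL-like token before comparing it with a blocklist. The function names, the blocklist set and the sample messages are constructed for illustration.

```python
import re
from urllib.parse import unquote

# Constructed blocklist; thecoolpics.com is the example domain used in the post.
BLOCKLIST = {"thecoolpics.com"}

def naive_is_blocked(message, blocklist=BLOCKLIST):
    """Literal match on the raw text: the kind of filter the encoding trick gets past."""
    text = message.lower()
    return any(domain in text for domain in blocklist)

def fully_unquote(text, max_rounds=5):
    """Percent-decode until the text stops changing (%256f -> %6f -> o)."""
    for _ in range(max_rounds):
        decoded = unquote(text)
        if decoded == text:
            break
        text = decoded
    return text

def candidate_hosts(message):
    """Yield the normalized host of every URL-like token in the message."""
    for token in message.split():
        text = fully_unquote(token)
        text = re.sub(r"^[a-z][a-z0-9+.-]*://", "", text, flags=re.IGNORECASE)
        host = re.split(r"[/?#]", text, maxsplit=1)[0]
        host = host.rsplit("@", 1)[-1].split(":", 1)[0]   # drop userinfo and port
        host = host.strip(".,;!?()").lower()
        if "." in host:
            yield host

def blocked_hosts(message, blocklist=BLOCKLIST):
    """Return hosts in the message that are a blocked domain or a subdomain of one."""
    hits = []
    for host in candidate_hosts(message):
        labels = host.split(".")
        suffixes = {".".join(labels[i:]) for i in range(len(labels))}
        if suffixes & set(blocklist):
            hits.append(host)
    return hits

if __name__ == "__main__":
    # Constructed sample messages modelled on the ones described in the post.
    for msg in ("cool pics! http://thecoolpics.com/",
                "cool pics! http://thec%6folpics.com/",
                "see www.thec%256folpics.com/a now"):
        print(naive_is_blocked(msg), blocked_hosts(msg), msg)
```

Decoding more than once is deliberately conservative: it also catches double-encoded forms, at the cost of occasionally flagging a link a browser would not resolve to the blocked host.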


Phishing Warning

I’ve just received two attempted phishing attacks from two of my bloggermates in my Yahoo! Messenger contact list. I guess their accounts were being hacked at the time I received those messages, so I want to warn those of you who want to protect your accounts.

For those who do not know, phishing literally means fishing [for passwords], as the letter f is usually replaced by ph in 13375p34k. Another definition could be password harvesting or fishing.

There are many methods of phishing attacks, usually through email that, most probably, goes directly to your spam directory [if you have any]. But ones sent through YM or any other IM account, which really look like your friends are referring you to a site, are somehow really mind-controlling.

The method I’ve encountered used a spoof of the Yahoo! Photos Web site inside a Yahoo! Geocities Web page requiring you to sign in with your username and password, in an attempt to trick you into believing that your friends’ photos are posted post-login. Please take note that Yahoo! Geocities Web pages are user-controlled, meaning other people just made up that Web page.

The two URIs that were given to me were:

Apparently, those two sites that were IMed to me were already reported and were taken down. Some may still be out there, [or are currently being made] so please watch out still.

Note: Do NOT enter your login details there.

If you take a look at both the main frames’ source pages (the frames with the sign in page displayed), you will see that the form input will go to a mailform (http://www2.fiberbit.net/form/mailto.cgi) with the same email address input of smoke.beer@gmail.com. (Now, spam that bastard!) It just means that your login information will go to his GMail inbox.

The primary solution for this is within you. You should basically:

  • Never trust login forms inside a frame of a user-controlled Web page.
  • Try to login directly from the site, with secure (HTTPS) connection if possible. (e.g., Yahoo! Login, Google Accounts)
  • Never trust friends’ URI referrals unless you really know the site or have checked for security flaws/issues.

I know I haven’t fully discussed what could be done to prevent such intrusions to your accounts; you might even want to change your passwords regularly. Just remember to be aware of such possibilities when visiting untrusted Web sites. Or else, you may be giving them permission to hack you.
