At about 11pm GMT last night, 24th Feb, I heard people complaining that they were being sent unsolicited instant messages from their friends over a number of networks including Facebook, Google Chat, and AOL Instant Messenger.
The messages weren’t sent by their friends but by cybercriminals, who were using compromised accounts to phish for login details and compromise more accounts. The instant messages looked like this:
Figure 1. Sample instant message.
The link was created using the TinyURL service, which shortens complex or difficult-to-remember URLs. Recently, however, cybercriminals have used this service to hide the real destinations of their links in spammed messages. Now, TinyURLs are being used in IM-based phishing.
The obfuscated URL pointed to a phishing site aimed at harvesting login credentials for Google Chat, Facebook, MySpace, MSN, Yahoo, AIM, and ICQ accounts.
Figure 2. Phishing page.
The compromised accounts would then be used to further IM spamming attacks to harvest yet more accounts, which could then be used for more sinister endeavours.
We advise anybody who feels concerned that they may have exposed their login credentials to change account passwords as soon as possible. We previously explained password policy in this Trend Micro blog post.
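Because the shortened link hides where it leads, one check before clicking is to resolve the redirect chain without loading the destination page. The following is an added example, not code from the original post; the shortener list, function names, and sample message and redirect table are assumptions constructed for illustration.

```python
import http.client
import re
from urllib.parse import urljoin, urlsplit

SHORTENER_HOSTS = {"tinyurl.com"}  # assumed list; extend with other shorteners
URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)

def head_location(url, timeout=5):
    """One HEAD request; return the Location header of a 3xx reply, else None.
    No body is downloaded and the redirect is not followed."""
    parts = urlsplit(url)
    https = parts.scheme == "https"
    conn = (http.client.HTTPSConnection if https else http.client.HTTPConnection)(
        parts.netloc, timeout=timeout)
    try:
        conn.request("HEAD", (parts.path or "/") + ("?" + parts.query if parts.query else ""))
        resp = conn.getresponse()
        return resp.getheader("Location") if 300 <= resp.status < 400 else None
    finally:
        conn.close()

def expand(url, fetch=head_location, max_hops=5):
    """Return the redirect chain from url, stopping at a loop or after max_hops."""
    chain = [url]
    while len(chain) <= max_hops:
        nxt = fetch(chain[-1])
        if not nxt:
            break
        nxt = urljoin(chain[-1], nxt)  # Location may be relative
        if nxt in chain:
            break
        chain.append(nxt)
    return chain

def review_message(text, fetch=head_location):
    """Map each shortened link in an IM message to the host it really leads to."""
    findings = {}
    for url in URL_RE.findall(text):
        host = (urlsplit(url).hostname or "").lower()
        if host.startswith("www."):
            host = host[4:]
        if host in SHORTENER_HOSTS:
            findings[url] = urlsplit(expand(url, fetch)[-1]).hostname
    return findings

# Constructed sample: message text and redirect table are made up for offline use.
SAMPLE_MSG = "hey, is this you? http://tinyurl.com/constructed1"
SAMPLE_HOPS = {"http://tinyurl.com/constructed1": "http://redir.example.test/go",
               "http://redir.example.test/go": "/login"}

if __name__ == "__main__":
    print(review_message(SAMPLE_MSG, SAMPLE_HOPS.get))
```

If the host returned for a link that claims to be a Facebook or Google Chat login is not that service's own domain, treat the message as phishing.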