josepha48's Journal: new Yahoo! IM phish swimming in the wild!

I've submitted this as a story to /., but don't know if they will post this. just in case they don't, I'm posting this here.

There is a new Yahoo! IM phish out in the wild. Its worse than any other phish, because all a user has to do is click the link and they loose access to their Yahoo! account. My roommate was caught in the phish, and all he did was click the link and he was locked out of his Yahoo! account.

The phish shows up as a IM from someone who has you in their buddy list. The IM has a link like most phish and says you should see these pictures. The link is to a geocities.com web site ( geocities.com / hohoho_christmas_hohoho [ don't go their if you are logged into a Yahoo! account ] ). If you are logged into Yahoo! IM and click the link, you are then locked out of your Yahoo! account. It actually changes your Yahoo! password and also your birthdate and possibly other things in your Yahoo! account. You then have to create a new account and abandon your old Yahoo! account.

Yahoo! does not supply a phone number or an easy way to contact someone about this type of abuse and help you get your account back. You can report it via an HTML form, but you probably wont be able to get them to get your account back.

I've reported this to Yahoo! but have a feeling that this is the start of a new phishing year in 2006.