As computer security has improved and users have grown more wary of opening every attachment that lands in their in-boxes, hackers and virus writers have turned to the opportunities offered by IM-based attacks, the number of which has risen sharply in recent years.
Instant messaging clients such as AOL Instant Messenger (AIM), Yahoo! Messenger, MSN Messenger, and the chat feature in Skype were all targeted in 2007. Unlike the simple viruses of years past, the IM threats seen in 2007 have evolved into multi-stage attacks that can cause significant harm to users' computers.
Instant-messaging threats work much like e-mail threats: the malware runs when the recipient opens an executable file attachment or clicks a hyperlink that leads to a malicious Web site. Instead of arriving by e-mail, however, these threats are spread through IM chat sessions.
An IM worm is self-replicating malware that spreads across IM networks. When an IM worm infects a PC, it locates the IM client's address book, known as the buddy list or contact list, and tries to send itself to every contact of the infected user. Some IM worms also use social engineering to trick the recipient into accepting the message or link that carries the malicious code; because the message appears to come from a known contact, it is far more likely to be trusted than an unsolicited e-mail.
Instant messaging software is also used to deliver spam. Spam delivered over IM instead of e-mail is known as spim.
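Both the worm propagation described above and spim share one observable trait: a single account pushes the same link or file to many distinct contacts in a short time. The following detector, an added example written for this page rather than code from the article or any IM vendor, replays a constructed set of chat-session records and flags any (sender, payload) pair that reaches a threshold of distinct recipients inside a sliding time window. The record format, the account names and the URLs are all assumptions made for the example.

```python
"""Burst fan-out detector for IM worm / spim traffic (added example).

Assumes chat records have already been normalised into Message objects
(timestamp, sender, recipient, text); everything below is constructed.
"""
from collections import defaultdict
from dataclasses import dataclass
import re

# A URL or an executable-looking attachment name is the "payload" a worm
# or spim run repeats to every contact.
URL_RE = re.compile(r"https?://\S+", re.IGNORECASE)
FILE_RE = re.compile(r"\b[\w\-]+\.(?:exe|scr|pif|com|bat|zip)\b", re.IGNORECASE)


@dataclass(frozen=True)
class Message:
    ts: float        # seconds since epoch (assumed already parsed)
    sender: str
    recipient: str
    text: str


def extract_payload(text):
    """Return the URL or executable filename carried by a message, or None."""
    m = URL_RE.search(text) or FILE_RE.search(text)
    return m.group(0).lower() if m else None


def detect_fanout(messages, window=60.0, threshold=5):
    """Flag (sender, payload, peak_recipients) for senders that deliver the
    same payload to >= threshold distinct recipients within any window
    of `window` seconds. Benign sharing (same link to two or three people,
    or spread over hours) stays below the threshold."""
    events = defaultdict(list)  # (sender, payload) -> [(ts, recipient), ...]
    for m in sorted(messages, key=lambda m: m.ts):
        payload = extract_payload(m.text)
        if payload is not None:
            events[(m.sender, payload)].append((m.ts, m.recipient))

    alerts = []
    for (sender, payload), hits in events.items():
        peak, start = 0, 0
        for end in range(len(hits)):
            # slide the window start forward until it fits
            while hits[end][0] - hits[start][0] > window:
                start += 1
            distinct = {rcpt for _, rcpt in hits[start:end + 1]}
            peak = max(peak, len(distinct))
        if peak >= threshold:
            alerts.append((sender, payload, peak))
    return alerts


# Constructed sample traffic (not real data):
#  - alice blasts one link to six contacts in 15 seconds (worm-like)
#  - bob sends the same link to two people (benign)
#  - carol sends one link to five contacts but spread 150 s apart
#  - frank sends a message with no payload at all
SAMPLE_MESSAGES = (
    [Message(1000 + 3 * i, "alice", f"contact{i:02d}",
             "lol is this you? http://example.invalid/pic.exe") for i in range(6)]
    + [Message(1010, "bob", "dave", "notes from today http://example.invalid/notes"),
       Message(1020, "bob", "erin", "notes from today http://example.invalid/notes")]
    + [Message(2000 + 150 * i, "carol", f"contact{i:02d}",
               "cheap stuff http://example.invalid/promo") for i in range(5)]
    + [Message(2010, "frank", "grace", "how are you?")]
)

if __name__ == "__main__":
    for sender, payload, peak in detect_fanout(SAMPLE_MESSAGES):
        print(f"ALERT {sender} sent {payload} to {peak} contacts within 60 s")
```

With the default 60-second window only alice is flagged; widening the window to ten minutes also catches carol's slow-drip spim run, which is the usual tuning trade-off between missing low-and-slow senders and alerting on people who genuinely share a link with a handful of friends.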
The number of IM threats such as viruses, worms, and phishing scams has increased steadily over the years. In December 2007 alone, 18 new malicious-code attacks over IM networks were discovered, bringing the 2007 total to 346. In 2004 there were almost no IM attacks, and in 2006 the count was around 130.
Of the IM threats reported in 2007, nearly 20 percent targeted the AOL Instant Messenger network, 45 percent MSN Messenger and 20 percent Yahoo! Messenger.
2007 also marked the first US prosecution over IM botnets: a computer security consultant was charged with using illegal IM-controlled botnets to hijack PayPal accounts, facing penalties of up to $1.75 million in fines and nearly 60 years in prison.