Have you ever received an instant message that prompts you to click on a mysterious link? Or been asked to share your IM account information, only to have it used to spam all of your friends?
Messaging spam, sometimes called SPIM, is a type of spam targeting users of instant messaging (IM) services. SPIM is more than just an annoyance. It’s a serious threat to online privacy and security. SPIM campaigns that employ phishing tactics to get your account information can put all the personal information associated with your account at risk.
Today, Microsoft filed a civil lawsuit against several people and businesses alleged to have undermined the security and privacy of Windows Live customers. The case alleges that the defendants engaged in instant messaging spam and phishing on Windows Live Messenger.
Funmobile Ltd., a Hong Kong-based company owned by brothers Christian and Henrick Heilesen, has spimmed thousands of Windows Live Messenger customers since March 2009. Customers who clicked on the link in the bogus instant messages sent by Funmobile were then “phished” (that is, asked for their IM username and password to log in), according to the complaint. Those who provided the log-in information were often redirected to an adult Web site or, in some cases, a site that claimed to be a social networking community for Windows Live Messenger users.
Meanwhile, Microsoft alleges, the defendants collected the wrongfully obtained usernames and passwords and used them to access Microsoft’s proprietary systems and our customers’ accounts. They then “scraped” or “harvested” the contacts within each user’s account, and sent unsolicited bulk IMs to each of his or her contacts.
Protect yourself against SPIM
- Do NOT click any SPIM links you receive; close the conversation window instead.
- Tell your friend that you have received SPIM from his account.
- Change your Windows Live ID password. (Change your password here.)
- Do not tell anybody your password.
- Only enter your password on a website where you see the green encryption mark in its title bar. The address should always start with “https://login.live.com”.
- Remember to sign out properly after chatting in public places.
- Check your hard disk for viruses.
Sources:
http://windowslivewire.spaces.live.com/Blog/cns!2F7EB29B42641D59!41246.entry
http://microsoftontheissues.com/cs/blogs/mscorp/archive/2009/07/16/saying-no-to-spim.aspx
Just had a thought…. ‘ The address should always start with “https://login.live.com”. ‘ this is not an effective way of stopping phishing! I could easily do that, buy an SSL & have a bunch of subdomains… You should say ‘ The address should always start with “https://login.live.com/”. ‘ Note the forward slash! Hope that helps people!
Fabrizio,
You are 100% right! Sorry for my typo error, of course any login address must start with “https://login.live.com/”, including trailing slash after “.com”.
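The trailing-slash point discussed in the comments above, as an added example that is not part of the original post or its comments: it compares the two string-prefix checks with a check that parses the address and compares its origin exactly. The function names and the sample addresses (including the lookalike host under example.net) are constructed for illustration.

```javascript
// Trusted sign-in origin as given on the page.
const TRUSTED_ORIGIN = "https://login.live.com";

// The check as first worded in the list: prefix without the trailing slash.
function prefixNoSlash(address) {
  return address.startsWith(TRUSTED_ORIGIN);
}

// The check as corrected in the comments: prefix including the slash.
function prefixWithSlash(address) {
  return address.startsWith(TRUSTED_ORIGIN + "/");
}

// Parse the address and compare scheme, host and port as one unit.
// URL parsing lowercases scheme and host and drops the default port,
// so equivalent spellings of the real address still match.
function isTrustedLogin(address) {
  let url;
  try {
    url = new URL(address);
  } catch {
    return false; // not a parseable absolute URL
  }
  return url.origin === TRUSTED_ORIGIN;
}

// Constructed sample addresses (not taken from the page).
const SAMPLES = [
  "https://login.live.com/",
  "https://login.live.com/some/path",
  "https://login.live.com.example.net/", // trusted name used as a subdomain label
  "HTTPS://LOGIN.LIVE.COM/",             // same site, different letter case
  "https://login.live.com:443/",         // same site, default port written out
  "http://login.live.com/",              // right host, no TLS
];

// One row per sample: what each of the three checks decides.
function evaluate(samples = SAMPLES) {
  return samples.map((address) => ({
    address,
    noSlash: prefixNoSlash(address),
    withSlash: prefixWithSlash(address),
    parsedOrigin: isTrustedLogin(address),
  }));
}

console.table(evaluate());
```

The slash-terminated prefix rejects the lookalike subdomain that the slashless prefix accepts, and the parsed-origin check additionally recognises equivalent spellings of the genuine address that a raw string comparison misses.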