Safer Internet Day 2007 Blogathon

Instant messaging (IM) services like MSN Messenger, Yahoo!Messenger, AIM, etc. are becoming more widely used both at home and in the workplace, and their popularity provides an excellent means of propagation for malware.

The inherent risk to these services lies in the fact that they are not only used to exchange messages, but also files, folders, and even entire disk drives. This makes IM services an increasingly exploited open door for attackers. Instant messaging services make things extremely easy for attackers, since users are not authenticated through an IP address, but an email address linked to a password. This means that even if the victim has a mobile IP address, the server that links the people connected will send each user the contents assigned to their names. As a result, the attacker does not need to know the victim’s IP address, it is enough for their name to be included in a contact list to infect them.

The fact that logging into an instant messaging service does not require IP authentication can also lead to identity theft problems. If an attacker accesses the server using the password of one of the contacts, there will be nothing to warn the targeted user that the person they are speaking to is not who they are supposed to be. If you share files with that contact, the attacker will be able to access them freely. What’s more, in corporate environments where IM is used, confidential data could be shared with an attacker in the belief that they are someone else. Identity theft is not as difficult as it might seem. It is enough for the target user’s password to be common or easy to remember to access their account. Even if that is not the case, given that the majority of protocols used by these services transmit unencrypted information, it is very simple to spoof an established connection between two users and obtain certain data.

We are giving you a series of instant messaging tips worth following. First, use safe passwords: passwords that are not too short, mix uppercase and lowercase letters as well as numbers, and which are not related to biographical information (dates of birth, anniversaries, names, etc.). Secondly, in this kind of communication, you should never disclose personal or confidential information, such as passwords, account numbers, etc. Don’t chat to people who are not on your contact list. Similarly, don’t download files or click on links that come from unknown senders, and, even if they do come from known senders, take precautionary measures before taking any actions. If you are using a public computer, do not use the automatic sign-in feature, as any other user of the computer could access your messaging account. Finally, in the case of home users, be particularly careful when children use instant messaging services; not only because they are more prone to opening files that might be infected or clicking on dangerous links, but also because they can establish contact with inappropriate or dangerous people. To protect themselves, home users and companies must use latest-generation antimalware solutions and keep them up-to-date.