As one of the most widely deployed applications on the Internet, Instant Messaging (IM) is increasingly becoming the target of choice for attackers. The number of threats targeting IM has soared dramatically during the last few years. The threats range from IM-borne viruses and worms to spam over IM (SPIM), malware and phishing attacks. The huge IM user base attracts hackers, and so does IM's capability to transfer files and bypass firewalls, which makes it an effective medium for spreading malware.
How instant messaging attacks occur
Most IM-based attacks require some form of user interaction, but with the use of ever more sophisticated social engineering techniques, attackers are tricking users into setting the attack in motion. Amazingly, one recent IM worm actually imitated another IM user by engaging in a chat session. Such techniques trick the victim into opening an infected file, visiting a malicious Web site or divulging personal information.
IM attacks often install a Trojan horse, which can then configure the IM client to share all the files on the victim's computer, or send personal data from the PC back to the attacker. The attacker can also send instructions to the infected computer via instant messaging, allowing the attacker to remotely control the client machine. Furthermore, because none of the major instant messaging protocols encrypt network traffic, hackers can capture instant messaging traffic or hijack IM connections. Another simple type of attack is flooding a particular user with a large number of messages, crashing the IM client or causing the entire computer to become unstable. As you can see, there are real concerns regarding security and privacy for anyone using IM.
Preventing instant messaging attacks
So how do you avoid falling prey to an IM attack? To start, when you create an IM account, don't choose a screen name that mentions or hints at your real identity; Butterfly1 is better than JaneInChicago. You should never list your contact information in any public Internet directories. This will help reduce the amount of spam and SPIM you receive. Finally, never share your password with anyone, and never select the feature that allows you to log on automatically, as your online identity could be used to attack the people on your buddy list.
As with email, you should be skeptical of any IM messages you receive from someone you don't know. More specifically:
- Never open, accept or download a picture or file, or run an application in IM from an unknown
- If you know who sent the file, don't open it unless you know what the file is and you were
- Treat hyperlinks in messages with the same degree of caution, as they could take you to a malicious Web site,
- Only communicate with people who are on your contact or buddy lists,
- Never divulge sensitive personal information in an IM conversation.
Unfortunately, firewalls are currently not very adept at controlling IM traffic. That traffic is often embedded inside HTTP packets and can use any port to connect to IM services, thus bypassing most firewall checks. It is vital therefore that you:
- Install and use both antivirus and antispyware software and keep them updated,
- Keep up to date with the latest patches for your operating system,
- Use the most up-to-date version of your IM software. For example, unlike MSN Messenger, Windows Live Messenger can block suspicious attachments or scan them for viruses.
- Use one of the many IM add-ons that encrypt your IM text messages and file transfers.
As new services such as VoIP are added to instant messaging products, new IM threats will emerge. For that reason it will be even more important to not only keep your system and software programs patched and up to date, but also remain vigilant, because educated, wary users are the best defense against attacks.
About the author:
Michael Cobb, CISSP-ISSAP, is the founder and managing director of Cobweb Applications Ltd., a consultancy that offers IT training and support in data security and analysis. He co-authored the book IIS Security and has written numerous technical articles for leading IT publications. Mike is the guest instructor for SearchSecurity.com's Messaging Security School and, as a SearchSecurity.com site expert, answers user questions on application and platform security.
This was first published in October 2006