How to avoid a phishing worm on Messenger and what to do if you’ve been affected

Messenger is the most used instant messaging service in the world, so it has become more and more common to see your contacts sending out virus, spam and worm links through it.  There are many different types, each with its own removal steps, but the one most recently affecting people is a "phishing worm".

The worm
More than likely you’ve seen the following from one of your contacts recently:

There's no need to analyze the link, as it seems to change at random and new sites are most likely added regularly.  Messenger has allowed messages to be sent to contacts who appear offline for quite some time, and it's worth noting that these messages arrive as offline messages (although no doubt this won't always be the case).  As I know "Ruth" rather well, knew she wasn't at her computer, and know this message isn't characteristic of her, I immediately knew it wasn't legitimate.

Your best bet is to stop here and not click the link until your contact has confirmed what it is.  However, if you do proceed, you may find yourself at a web site like the following:

Although this isn't a good fake, it does look somewhat like the Messenger user interface, and judging from the number of these links sent to me over the past few weeks, it has in fact tricked quite a few people.  Once you provide your Windows Live ID username and password, the page saves them on the scammers' server and redirects you to another web page full of advertisements and pointless images.

The scammers now have your credentials and can start their dirty deeds — logging into Messenger as you, looking through your e-mail, accessing your Microsoft billing information (if you have any) and spamming others with similar links.  You wouldn’t trust a stranger coming up to you asking for your credit card information, so why would you trust a random website with your Messenger credentials?

The worst part of this whole process is that the typical support response is to run a virus scanner.  This will of course find nothing (although a good percentage of Messenger worms and viruses aren't detected by scanners anyway), because there is nothing to find: the scammers are logging in from another computer using the username and password you provided.  While this fruitless search for a non-existent virus is in progress, someone could be using or selling your information.  Your credentials might be used within hours or days, or years later, long after you've forgotten this happened.

It is absolutely essential to change your password after your account has been compromised in this fashion, both on Windows Live ID (which includes Messenger) and on any other site where you log in with the same e-mail address and password (Facebook, for example).

Verifying you are at a true Microsoft site and changing your password
Most major web sites today use an Extended Validation (EV) certificate.  In most browsers this appears as a green address bar showing the organization's name.  Beyond the encryption any certificate provides, EV indicates that the certificate authority audited the legal identity of the organization running the site before issuing the certificate.  It tells you who the site belongs to, not that they are trustworthy, so still read the domain name in the address bar.  To show this in action, let's head over and change the Windows Live ID password.

Even if a page looks like a Live ID sign-in page, check for the green address bar, the lock icon and the company name to verify that it truly is one.  Additionally, depending on your Windows version, browser and the Live ID site you're signing into, you might need to click the 'Sign in using enhanced security' link on the page to see these indicators.
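The same checks the browser makes for the green bar can be done by hand, which is useful when a sign-in link arrives over Messenger and you want to know before clicking whether the host is the real one.  The script below is an added example and is not code from the original post: the list of trusted Live ID hosts and the EV subject attribute names are assumptions for illustration, and the two certificates are constructed in the shape Python's `ssl.getpeercert()` returns, not real certificates.  It shows the edge case a naive check misses: `login.live.com.attacker.example` contains `live.com` but is not Microsoft.

```python
"""Programmatic version of the "green bar" check: is this sign-in URL really
the host you expect, and does the certificate it presents carry an audited
organization identity? Added example; not code from the original post."""
import socket
import ssl
from urllib.parse import urlparse

# Hosts the genuine Windows Live ID sign-in is expected to use. This list is
# an assumption for illustration; the post does not enumerate them.
TRUSTED_HOSTS = {"login.live.com", "account.live.com"}

# Subject attributes EV-issued certificates carry in addition to O=. Assumption:
# these are the attribute names ssl.getpeercert() reports for those OIDs.
EV_SUBJECT_FIELDS = {"businessCategory", "serialNumber", "jurisdictionCountryName"}


def host_is_trusted(url: str) -> bool:
    """True only when the URL is https and its host IS a trusted host.

    A substring test such as `'live.com' in host` would accept
    login.live.com.attacker.example, exactly the kind of name a phishing
    page uses, so compare the whole hostname instead.
    """
    parsed = urlparse(url)
    if parsed.scheme != "https":
        return False
    host = (parsed.hostname or "").lower().rstrip(".")
    return host in TRUSTED_HOSTS


def _subject(cert: dict) -> dict:
    """Flatten getpeercert()['subject'] (a tuple of RDNs of (name, value) pairs)."""
    return {name: value for rdn in cert.get("subject", ()) for name, value in rdn}


def cert_matches_host(cert: dict, host: str) -> bool:
    """Does a DNS subjectAltName cover host? Exact match, or a wildcard that
    replaces exactly one label (*.live.com covers login.live.com but not
    login.live.com.attacker.example)."""
    host = host.lower().rstrip(".")
    for kind, name in cert.get("subjectAltName", ()):
        if kind != "DNS":
            continue
        name = name.lower()
        if name == host:
            return True
        if (name.startswith("*.") and host.endswith(name[1:])
                and host.count(".") == name.count(".")):
            return True
    return False


def cert_looks_ev(cert: dict) -> bool:
    """Rough stand-in for the browser's EV indicator: O= plus the EV-only fields."""
    subject = _subject(cert)
    return "organizationName" in subject and EV_SUBJECT_FIELDS.issubset(subject)


def organization_name(cert: dict) -> str:
    """The name a browser would show next to the lock (empty if there is none)."""
    return _subject(cert).get("organizationName", "")


def assess(url: str, cert: dict) -> dict:
    """Combine the checks for a sign-in page you are about to type a password into."""
    host = (urlparse(url).hostname or "").lower().rstrip(".")
    return {
        "trusted_host": host_is_trusted(url),
        "cert_matches_host": cert_matches_host(cert, host),
        "ev": cert_looks_ev(cert),
        "organization": organization_name(cert),
    }


def fetch_cert(host: str, port: int = 443, timeout: float = 5.0) -> dict:
    """Live variant: validate the chain against the system trust store and
    return the leaf certificate in the same dict shape the samples use."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


# Constructed samples in the shape ssl.getpeercert() returns; not real certificates.
SAMPLE_EV_CERT = {
    "subject": (
        (("businessCategory", "Private Organization"),),
        (("jurisdictionCountryName", "US"),),
        (("serialNumber", "000000000"),),
        (("countryName", "US"),),
        (("organizationName", "Microsoft Corporation"),),
        (("commonName", "login.live.com"),),
    ),
    "subjectAltName": (("DNS", "login.live.com"), ("DNS", "*.live.com")),
}
SAMPLE_DV_CERT = {  # the kind of certificate a look-alike phishing host can get
    "subject": ((("commonName", "login.live.com.attacker.example"),),),
    "subjectAltName": (("DNS", "login.live.com.attacker.example"),),
}

if __name__ == "__main__":
    print(assess("https://login.live.com/login.srf", SAMPLE_EV_CERT))
    print(assess("https://login.live.com.attacker.example/login.srf", SAMPLE_DV_CERT))
```

Note that the look-alike host passes `cert_matches_host`: a certificate for `login.live.com.attacker.example` is valid for that name, which is why a lock icon alone proves nothing.  The decisive checks are the hostname itself and the organization the certificate was issued to.  To check a live site, pass `fetch_cert(host)` to `assess()` instead of a sample; `create_default_context()` already rejects a chain the system trust store does not accept.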

Finally you'll arrive at the password changing page and can change your password.  One minor feature that's been added recently is an option to prompt you to change your password every 72 days.  I'm not quite sure how this will work with regard to Messenger yet, but time will tell.

As mentioned previously, you should now use the equivalent password changing facilities on any other site where you log in with the same e-mail address and password.

Easy steps to remember
To conclude, here are some easy steps to remember to avoid this happening to you:

  1. Before accepting an invitation or clicking on a link, verify that it appears to be legitimate.  If in doubt, ask your contact.
  2. If a site is prompting for your username and password, verify your information will be going to a legitimate source that you trust.
  3. Don’t trust antivirus software to save you.  Use discretion and avoid installing or running any applications from web sites you don’t trust, even if they came from a contact you do.


Posted on April 14, 2009, in Uncategorized. 3 Comments.

  1. If you already handed over your information for this account, will just changing my password be enough to stop them seeing the information I have?

  2. Thanks for the advice on the bad things that happen on computers. Please could you tell me a few companies you think are safe to get software from for spyware scanning, scanning your site for unwanted bugs, worms etc.? So if you have any, give me a text or e-mail me, or text 84666. Thanks.

  3. Hi there, thanks for this blog. Does it stop automatically after I changed my password et cetera (for a long (short) duration?)? I have completed a service scan, and it could not find anything. I hope to hear the answer to my question. Thanks!
