The iStockphoto image-selling website has been hit by a brazen phishing attack, which attempts to fool account holders into giving up their site logins.
The danger of the attack appears to lie in its unusual method: striking from within. The Getty-owned service appears to have been targeted through the site's own internal mail boards, with messages that tried to persuade users to visit a fake login page and re-enter their credentials so they could be captured remotely. Once the details were entered, the user would have been redirected to the genuine login page.
The attack took the service down for a period of hours as admins battled to cleanse the messages from the system.
"We strongly urge all users who logged in at some point today [3 March, EST] to change their passwords," read the precautionary message from iStockphoto. "In addition do not open any sitemail messages until we can clear out the malicious messages."
The oddity of the attack is that the motivation for it would appear to be low. iStockphoto users unlucky enough to fall for the bogus page would have little more to lose than their image credits, hardly a major prize for the average phishing gang. Images rarely cost more than a few dollars each.
According to Graham Cluley of Sophos, the attackers might be motivated by the possibility of using the same or similar logins to access other websites with richer pickings.
"The danger is that so many people use the same password for every single website they access. That means, if they have your iStockphoto password then they also have your Amazon password, your eBay password, your PayPal password, your Facebook password, your Twitter password, your Hotmail password...," he says in his latest blog on the matter.