Hackers have launched a phishing attack on image library iStockphoto in a bid to obtain members' login details.
The service appears to have been targeted using the site's internal mail boards in an attempt to persuade users to visit a fake login page and re-enter their details for remote capture. Once the details had been entered, the user would have been redirected to the correct login page.
The attack took the service down for a period of hours as admins battled to cleanse the messages from the system.
"We strongly urge all users who logged in at some point today [3 March, EST] to change their passwords," read the precautionary message from iStockphoto.
"In addition do not open any sitemail messages until we can clear out the malicious messages."
The oddity is that the motivation for such an attack would appear to be low. iStockphoto users unlucky enough to fall for the bogus page would have little more to lose than their image credits, hardly a major prize for the average phishing gang. Images rarely cost more than a few pounds each.
According to Graham Cluley of Sophos, the attackers might be motivated by the possibility of using the same or similar logins to access other websites with richer pickings.
"The danger is that so many people use the same password for every single website they access. That means, if they have your iStockphoto password then they also have your Amazon password, your eBay password, your PayPal password, your Facebook password, your Twitter password, your Hotmail password...," he says.