A phishing scam is hooking Yahoo users by stealing their user names and passwords when they log into what looks like an area of the Yahoo site, according to a security firm.

San Diego-based Websense said scammers send an e-mail or instant message that claims to be from a contact wanting to show off photos of a recent event. The message contains a link to a phishing site, which records the user's Yahoo ID and password and then forwards them on to the real Yahoo Photos site.

The scam is being hosted in the United States on the free Web space provided by the Yahoo Geocities service, according to Websense.

"It is hard to gauge, but we've had a number of reports," Dan Hubbard, senior director of security at Websense, said. "But I wouldn't be alarmed at this point."

The scammers are also harvesting the contacts from each victim's contact lists, said Hubbard.

This article was first published on internetnews.com.