So in the hustle and bustle of trying to get my Yahoo account back (it has been returned), I forgot to show some love for JackAce of the Code Turkey blog. He and I used to work at SkillJam and he was the one who alerted me via email that my account had been jacked.
In this post, he describes the general tactic that an Instant Messaging based attack takes to spread itself.
He also provides some tips to avoid phishing and talks about what to do if you are phised. Be careful out there.