Yahoo users, beware. Attackers are using a new method to get your user ID and password.

The National Bureau of Investigation issued this warning following reports that a new phishing method records usernames and passwords while logging users to a legitimate Yahoo site.

"Users receive an instant message or e-mail purporting to be from a friend wanting to show photos from a vacation or birthday party. The message has a link to the phishing site, which records the user's ID and password while forwarding the user to the real Yahoo Photos site," the NBI said, quoting security firm Websense.

Such a method makes it difficult for Yahoo users to know that they had been victimized, since the attack takes place during the forwarding process.

"Ironically, those behind the phishing attack use a free site hosted in Yahoo's Geocities service in the United States," the NBI quoted Websense as saying.

The NBI Anti-Fraud and Computer Crimes Division said it is difficult at this time to determine the extent of the attack on Yahoo.

The NBI-AFCCD advised users to be wary of unexpected emails and check with the sender to make sure the emails they get are authentic.