Image courtesy of alexkerhead's Flickr photostream

  

The helpful caller identified himself as working for a company called My PC Care and explained that he was a Microsoft Certified Professional. According to this bogus technician there are some pretty nasty files “more dangerous than viruses” doing the rounds, these files were so dangerous, he explained, that some 40% of Microsoft Windows users had “lost their computers”. As a result they were calling “all users of Microsoft Windows” (an ambitious task) to repair the damage before all was lost.
 Â 
I played along with them and expressed concern that my computer might also fall victim, so the helpful technician began taking me through some entirely bogus “troubleshooting”. In brief I was asked to open the windows Event Viewer.  The scammer encouraged me first to look in the Application Log where he was sure I would find several Errors and Warnings. Lo and behold, he was correct. To be honest in all the years I have been involved in IT I have yet to see a Windows PC without errors and warnings in the Event Viewer, but of course these scammers are relying on the unfamiliarity of their victims and hope to scare them and at the same time gain credibility.
 Â 
The engineer was very insistent that I should not click on or open any of these Error messages because “they are the malicious infections” warning in doom-laden tones that after about two weeks this would “crash my hard drive”. I was then asked to repeat this charade looking through various other Event Viewer logs, each time the dire predictions of impending disaster got worse.
 Â 
My ever helpful technician-scammer guy suggested that now would be a good time to transfer me to his supervisor so that they could clean up these dangerous files once and for all and I agreed, anxious of course that my computer might be on the edge of silicon Armageddon. Unfortunately my fun was coming to an end, the supervisor wanted me to use the (entirely legitimate and very helpful) service LogMeIn.com  to permit their technicians remote access to my computer, at which point they would have been free to do whatever they liked. Of course I had to decline and hang up at that point.
 Â 
So what is the point of this kind of scam you might ask? Well once you have granted remote access to your computer to a complete stranger, really they are free to do whatever they want install malicious software to steal information, look through modify or copy your personal files or in this case simply pretend to fix some non-existent problem charge you for the pleasure and then sell you a subscription to their services.
 Â 
The scam seems to have started out in countries where English is a first language, but emboldened by their successes and perhaps hungry for more money it seems the scammers are constantly on the lookout for new targets, expect to see this showing up on a telephone near you soon.
 Â 
Should you ever receive a call from anyone claiming to know that your PC is infected, or that you are having performance problems, just hang up; it’s a lot less painful than playing along. Remember also, just as a rule of thumb, never confirm anything, even your name, to anyone over the telephone until they have satisfied you of their integrity first.
 

Bogus message from bogus app

Don't be tempted...

 

"Please click this link and make me some cold hard cash"

 
Unless of course you’re using Trend Micro, in which case you’ll see this…
 

Not on my watch, sonny Jim.

Robot Face from Garrette's Flickr Photo Stream under creative commons

 Â 
Many of you will be familiar with the idea of Spam bots when it comes to real time chat, if not I detailed a Facebook related scam a while back that took advantage of this technique.
 Â Â 
Classical chat spam bots operate in four distinct modes, the research paper describes them as “Periodic bots” – they simply post spam messages at regular intervals; “Random bots” – posting messages at random intervals; “Responder bots” – automating replies to other user’s messages and “Replay bots” which as the name implies simply replay previously recorded conversations.
 Â Â 
The problem that scammers and criminals have to overcome with these technologies is the effectiveness of our natural suspicion and intuition. It turns out that, in the main, humans are particularly good at spotting when they are being spoken to by a computer. The researchers from Vienna have devised a way to overcome these natural defenses.
 Â Â 
The paper details an application they call Honeybot which acts as a man-in-the-middle between two human correspondents, intercepting, diverting and, crucially, modifying messages sent between them in order to direct the conversation and engineer the victims into clicking links. Links which have been inserted by the attackers. According to the paper:
 Â 

“The general attack principle works with any chat system that allows the exchange of private messages. It is based on the traditional man-in-the-middle concept. Every instance of the attack involves two human users and a bot in the middle. Both users believe that they are talking to the bot, but in reality, their messages are forwarded back and forth as shown in the following example:

• bot -> Alice: Hi!
• Alice -> bot: hello
• bot -> Carl: hello
• Carl -> bot: hi there, how are you?
• bot -> Alice: hi there, how are you?
• Alice -> bot: . . .

 

The bot looks perfectly human to both users because the entire conversation is reflected off the bot in the middle.“

 
 Not only are all communications proxied but the bot has the intelligence to be able to guess at the respective genders of the victims, use questions to take control of the direction of the conversation (usually to engineer a scenario where a link would normally be posted) or to simply replace links posted by one victim with pre-configured malicious links.
 Â Â 
In their testing, the researchers inserted three different kinds of link, a simple IP address, a TinyURL shortened link and a MySpace link into conversations on three different IRC channels and they recorded up to an impressive 76% click through. In a similar but more limited experiment using Facebook chat, the click through rate was still impressive at 40%.
 Â Â 
With those kinds of results, surely we can expect to see this kind of technology incorporated into cybercriminal campaigns in the very near future. Just like your mother always told you, don’t talk to strangers! In those situations where you really have to, then this is just one more reason to ensure that your security solution of choice is scanning for malicious URLs in real-time…

 “Warning!!! Your computer contains various signs of viruses and malware programs. Your system requires immediate anti virus check. Click to perform a quick and free scan of your PC”

You have? Well you’re not alone.
 
I want to share with you some research carried out by one of my colleagues in TrendLabs, Bob McArdle. I can’t mention any names for fear of prejudicing ongoing investigations, but to be honest the names are irrelevant as they change so often anyway. Over the course of a year one criminal gang, let’s just call them Company X, made over $180 million US dollars by selling malware to their victims in at least 30 different countries around the globe.
 
You would be forgiven for asking why people would pay for malicious software and the answer is of course, they had no idea it was malicious in the first place.
 
The gang creates very convincing looking fake security programs designed to fool the victim into believing that their computer is badly infected. These scareware programs are then distributed by creating web pages designed to rank very highly in search engine results for popular current search terms or newsworthy events. As soon as the malicious search result is clicked a pop-up message like the above appears and the infection chain begins.
 
Here is a video of one such scam in action related to this incident I blogged about a while ago.
 

 
So how did they make so much money? Well firstly while the scan on offer might be free, the bogus results always show the machine to be very badly infected when in fact no scan at all has taken place. The worried user is then prompted to pay for the full version of the “security” software so that the non-existent malware can be cleaned up. So now, you have given your credit card details to criminals, downloaded malware onto your PC and paid somewhere between $50 – $100 US dollars for the privilege. This game is a volume one – if the gang can redirect 100,000 searches and only 1% of them pay for the product – they net $50,000 US for a day’s work.
 
The second part of the business model involves these machines that the criminals have now infected. As the infected user surfs the web, the malicious software quietly replaces all of the ads the user sees with ads belonging to one of the gang’s affiliates, most often pushing fake pharmaceuticals and the like. The gang get a kickback of two or three cents every single time an advertisement is replaced. Logs from one of the gang’s servers showed about a million ads replaced per day, netting them another $25,000 US per day, and this was only one of the gang’s botnets. So that’s $25K per botnet, per day.
 
The third part of Company X’s business model revolved around customer support strangely enough. Company X’s biggest problem of course, was credit card refunds. Customers who realised that they had been scammed would contact their card provider demanding a refund. After a while the credit card provider would refuse to do business with Company X and Company X would need to create another fake subsidiary company, complete with Fake IDs for all of their directors. To combat this, these criminals decided to invest heavily in call centres – setting up call centres in the US, Asia and Eastern Europe.
 
You see the Rogue AV would regularly ask the users to update their version, paying a small fee to do so – and would annoy the user with pop-ups until they did so. A lot of customers complied, however others rang the support line demanding the product be fixed. Each Rogue AV had a couple of settings that could be altered so that the users would never be prompted for updates again – the staff at the call centres simply stepped the users through to this point, all for the modest fee of $20 for the phone call.
 
Think before you click, not all security software is created equal.

A colleague of mine, Noriaki Hayashi, brought my attention to an interesting Trojan that has begun circulating in Japan. The malware is aimed at extorting money from its embarrassed victims and here’s how it works.
 
The victims are initially hooked when they download what they believe to be illegal copies of games from file sharing networks, in most cases the malware is masquerading  as illegal copies of ”over 18″ hentai-themed games such as the below
 

Example of legitimate Japanese game from Abel Software

Once the installer is launched it brings up a form requiring the user to enter personal information including their full name, date of birth, game password, email address, postal address, gender, annual income, company name and telephone number along with a few other things for good measure.
 
While all this is going on, the malware is also automatically collecting details about the victim’s computer including user account, domain and computer name, OS version information, clipboard content, file use history and Internet Explorer favourites. It also grabs a few screen shots just in case they don’t already have enough dirt.
 

Trojanised installer collecting information

 
Could it be that once a victim has shown themselves to be extortion-friendly they will get hit with yet another “copyright infringement” notice from Romancing Inc? Japanese copyright law was strengthened this year largely in an attempt to address the problem of illegal downloading
 
This is certainly another illustration of why, in the long run, you may well be better off paying up front for your downloads and steering clear of file-sharing networks.