A TREND MICRO BLOG

Oct 1

Skype “Online Notification” leads to Fake AV

Rik Ferguson

Filed under: Web 2.0, malware | RSS 2.0 | TB | Tags: , , , , | 8 Comments

In a sneaky bit of social engineering scareware pushers are registering convincing sounding monikers as Skype user names and attempting to lead people to rogue anti-malware sites.

 

Skyp_Rogue_AV

Skype Rogue AV lure

 

The user name that is displayed in the Skype chat window is “Online Notification” and the associated user names appear on many variations of that theme; online.notification.america9, online.notification.america10 etc. This tactic lends this attack a veneer of credibility that is missing from the usual “Hi, I’m a sexy lady” or “Hi, buy my Chinese kitchen equipment” scams that are more familiar over Skype.

 

To the unwary, because of the well chosen user name, these messages appear to be something other than a stranger sending you a message, they appear to be some kind of real online notification.

 

The full text of the Skype message is

“******************************************

URGENT SYSTEM SCAN NOTIFICATION ! PLEASE READ CAREFULLY !!

http://www. {rogueAV domain}.net/

For the link to become active, please click on ‘Add to contacts’ skype button or type it in manually into your web browser !

FULL DETAILS OF SCAN RESULT BELOW

******************************************

WINDOWS REQUIRES IMMEDIATE ATTENTION

ATTENTION ! Security Center has detected malware on your computer !

Affected Software:

Microsoft Windows Vista

Microsoft Windows XP

Microsoft Windows 2000

Microsoft Windows Server 2003

Impact of Vulnerability: Remote Code Execution / Virus Infection / Unexpected shutdowns

Recommendation: Users running vulnerable version should install a repair utility immediately

Your system IS affected, download the patch from the address below !

Failure to do so may result in severe computer malfunction.

http://www. {rogueAV domain}.net/

For the link to become active, please click on ‘Add to contacts’ skype button or type it in manually into your web browser !”

 

The modus operandi is annoyingly familiar, just the medium and method are slightly novel. As I’m sure you have already guessed, these messages lead to fake anti-virus programs designed to extort cash from the victim. The same message appears with several different destination URLs, the advice in every case remains the same.

 

1 – Ignore the message

 
2 – Block the user (and check the “Report abuse from this person” box when you do so).
 
3 – Sit back and sip your cup of tea knowing you have done your bit in the fight against cybercrime today.


Bookmark
| More

This entry was posted on Thursday, 1. October 2009 and is filed under "Web 2.0, malware". You can follow any responses to this entry with RSS 2.0. You can leave a response here, or send a trackback from your own site.

8 Comments

  1. Thursday, 1. October 2009 um 6:57 pm

    [...] This post was mentioned on Twitter by Christen Rice. Christen Rice said: RT @rik_ferguson: New blog: Skype "Online Notification" leads to Fake AV – http://bit.ly/1j8wPg [...]

  2. Friday, 2. October 2009 um 7:13 am

    great stuff

  3. Friday, 2. October 2009 um 4:11 pm

    [...] volgens de waarschuwing ernstig ontregeld. “Een doortrapt stukje social engineering”, zegt Rik Ferguson van Trend [...]

  4. Friday, 2. October 2009 um 5:10 pm

    Skype posted about this type of attack on its Security blog in November of 2007 – see http://share.skype.com/sites/security/2007/11/fake_malware_alert.html).

  5. Friday, 2. October 2009 um 8:07 pm

    Thanks Chaim, reminds me of a favourite Tyla lyric of mine “Nothing’s new, only forgotten”.

  6. Friday, 9. October 2009 um 9:02 pm

    Thanks for posting this — just got the phishing scam myself and was very happy to be able to Google it and validate it’s scam-iness.

  7. Thursday, 22. October 2009 um 6:52 am

    I’ve got the same message and it looked very fake to me. Thank you for posting this message, which helps us to stay safe.

  8. Friday, 1. January 2010 um 10:01 am

    I don’t remember the site name, I found it on google, it said that I have 160 worms in my C drive, 20 Trojans in My Documents and all, then it tried to install something with fake names, I just navigate away from that.

Leave a comment

XHTML allowed tags: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <strike> <strong>

Spam protection

© Copyright 2010 Trend Micro Inc. All rights reserved.
Legal Notice. Disclaimer