Skype leveraged to distribute adware

One piece of adware being distributed is known as Search Protect, which pushes a search engine riddled with ads when the user's browser is opened.
One piece of adware being distributed is known as Search Protect, which pushes a search engine riddled with ads when the user's browser is opened.

Researchers with PhishMe have identified and assisted in disrupting a campaign in which Skype was being leveraged to distribute adware.

The threat was initially discovered when a PhishMe researcher was alerted on Skype that a user was attempting to call them, according to a Wednesday post. The user's name: “NEW VIDEO MESSAGE RECEIVED! VIEW AT WWW.VIEWROR[dot]COM.”

Upon clicking the link, a voice tells the recipient to click a download link in order to install a proprietary video player needed to play the alleged video message. Once downloaded and opened, the executable asks to run as administrator, and the user is then presented with a screen to install many different components – all of which are adware.

One of the several pieces of adware being distributed is known as Search Protect, which purports to offer users a more secure way of searching on the web, Ronnie Tokazowski, senior researcher with PhishMe, told SCMagazine.com in a Wednesday email correspondence.

Tokazowski explained that Search Protect sits on the user's system and installs alongside their browser. When the browser is opened, the user is brought to Trovi search, which is a search engine riddled with advertisements, he said.

“The end goal for the attackers is money,” Tokazowski said. “This looked like it was on an affiliate model, where the attackers would be paid per-install or per-download. This is how they benefit from the adware being installed.”

Further investigating provided researchers with information that assisted them in disrupting the attack.

By identifying IP addresses that were part of the campaign, PhishMe was able to determine that the attackers were using Amazon Web Services. Additionally, by doing a search of “new video message received!” on Skype, researchers were able to compile a list of domain names being used.

PhishMe notified Amazon of the attack and the company will be taking action against the IP addresses, Tokazowski said, adding that Microsoft – which owns Skype – was also notified and is working to shut down Skype accounts associated with the campaign.

You must be a registered member of SC Magazine to post a comment.

Sign up to our newsletters

TOP COMMENTS