Ransomware and phish cons target Skype users

Share this article:

Fraudsters are targeting Skype users through two different ruses – one that spreads ransomware by way of instant messages, and another which uses spam to spread the banking trojan Zeus.

Researchers at security firm GFI discovered both threats.

On Tuesday, they discovered the spam campaign, which infects users with Zeus via the BlackHole exploit kit.

Emails mimicking Skype voicemail notifications direct users to sign into the internet phone service by clicking a link. But instead their machines are hit with the trojan.

The scam was detected shortly after Chris Boyd, senior threat researcher at GFI, published a blog post Friday about a separate threat affecting Skype users: ransomware spreading through Skype IMs.

In those attacks – which are likely unrelated to the phishing emails, according to Boyd – victims receive an IM appearing to come from someone in their contact list. “Lol is this your new profile pic?,” the message reads.

If users fall for the ploy and click the link to see their Skype “profile pic,” an executable opens that is actually a variant of Dorkbot, a trojan that links their machine to a botnet of infected computers.

First discovered in 2011, Dorkbot allows attackers to hijack users' machines. Once the trojan is installed, victims see a message telling them that their files have been encrypted and will be deleted unless they pay $200 within 48 hours.

“It's possibly the first instance of ransomware spreading via Skype IM messages,” Boyd said in an email to SCMagazine.com on Wednesday. “[The IM] will send in a variety of different languages, typically trying to do so in the most common languages an operating system may be set to. There doesn't seem to be a specific target. Skype users tend to have contacts all over the world, and spammed links don't discriminate.”

Victims are told to purchase Moneypak reloadable debit cards and to transfer funds to attackers by entering a specific code to pay the $200 ransom.

GFI researchers are also investigating a click-fraud campaign being carried out by the Dorkbot perpetrators to earn money.

“Investigation into the specifics of the click-fraud is still ongoing,” Boyd said. "However, the basic idea is that clicks are taking place behind the scenes – out of view [or] away from the computer user."

The number of machines infected by the separate campaigns is yet to be determined, Boyd added. He did say that the IM scam has probably affected more people.

Skype confirmed that it was aware of both campaigns, but a spokeswoman commented on the phishing ploys.

“We are aware of this and other phishing attempts,” said the spokeswoman. “We take phishing seriously at Skype and we attempt to inform our users of known phishing scams, to offer education on avoiding phishing and tips to identify genuine Skype emails.”

Skype's website warns that fraudulent emails often ask users to provide their password, payment details or other personal information. Account holders were directed to email spoof@skype.net to report potential phishing attempts.

Share this article:
You must be a registered member of SC Magazine to post a comment.

Sign up to our newsletters

TOP COMMENTS

More in News

Email promises free pizza, ensnares victims in Asprox botnet instead

Email promises free pizza, ensnares victims in Asprox ...

Cloudmark came upon an email that offers free pizza, but clicking on the link to get the coupon ends with victims being ensnared in a botnet.

Report: most orgs lacking in response team, policies to address cyber incidents

In its Q3 threat intelligence report, Solutionary learned that 75 percent of organizations it assisted had no response team or policies and procedures to address cyber incidents.

Flash redirect campaign impacts Carnegie Mellon page, leads to Angler EK

Flash redirect campaign impacts Carnegie Mellon page, leads ...

Malwarebytes found that, since early July, thousands of sites had been targeted in the campaign.