My colleague Paul Laudanski, director of ESET’s Cybercrime Threat Analysis Center (CTAC), has shared details of an interesting Skype visitation.
The attack that Paul experienced was a prerecorded message from “Urgent Notification” (drfimaupdati2), with no way to identify the caller until after the call. While the message was delivered too quickly to take comprehensive notes, the male voice told him his computer ID (which sounded like a random string), that his system was infected with malware, which Windows OS versions were affected, and that he should visit a specific link. In this case, several browsers flag the link as malicious, but a variety of domain names have been used in the past, and it’s reasonable to suppose that the scammers will keep ringing the changes. Paul says:
When the call was coming in, Skype didn’t tell me who it was from. I had to pick “Answer” or “Answer with Video,” so I chose “Answer.” It wasn’t until the call ended that I saw who the dialer was. Not in my contact list, that is for sure (drfimaupdati2).
Others have reported receiving similar messages from “System Update Information,” stating that Windows 7, Vista or XP systems were affected and referring them to the same website. (The same words are repeated several times within the message.) Yet others have reported receiving a Mac-tailored message. Posts on the Skype forum indicate that the ID (drfimaupdati2) is just one of a whole range of random or semi-random strings: there do seem to be instances where the same string has been used more than once, and for some reason they usually seem to start with “drf”.
The prerecorded voice message is a twist: neither Paul nor I had ever encountered anything like this before on Skype. Not that I’m a regular Skype user myself. However, I’ve experienced similar “vishing” attacks on landlines, though not in the context of fake AV.
There have been a number of earlier variations of this attack. For example, an alert at scamspam.org gives an example of a lengthy text: “Security Center Message,” urging the recipient to click on “Add to Contacts,” and follow instructions to update their “infected” system using a “repair utility.”