Incident Response, Malware, TDR

Ransomware and phish cons target Skype users


Fraudsters are targeting Skype users through two different ruses – one that spreads ransomware by way of instant messages, and another which uses spam to spread the banking trojan Zeus.

Researchers at security firm GFI discovered both threats.

On Tuesday, they discovered the spam campaign, which infects users with Zeus via the BlackHole exploit kit.

Emails mimicking Skype voicemail notifications direct users to sign into the internet phone service by clicking a link. But instead their machines are hit with the trojan.

The scam was detected shortly after Chris Boyd, senior threat researcher at GFI, published a blog post Friday about a separate threat affecting Skype users: ransomware spreading through Skype IMs.

In those attacks – which are likely unrelated to the phishing emails, according to Boyd – victims receive an IM appearing to come from someone in their contact list. “Lol is this your new profile pic?,” the message reads.

If users fall for the ploy and click the link to see their Skype “profile pic,” an executable opens that is actually a variant of Dorkbot, a trojan that links their machine to a botnet of infected computers.

First discovered in 2011, Dorkbot allows attackers to hijack users' machines. Once the trojan is installed, victims see a message telling them that their files have been encrypted and will be deleted unless they pay $200 within 48 hours.

“It's possibly the first instance of ransomware spreading via Skype IM messages,” Boyd said in an email to on Wednesday. “[The IM] will send in a variety of different languages, typically trying to do so in the most common languages an operating system may be set to. There doesn't seem to be a specific target. Skype users tend to have contacts all over the world, and spammed links don't discriminate.”

Victims are told to purchase Moneypak reloadable debit cards and to transfer funds to attackers by entering a specific code to pay the $200 ransom.

GFI researchers are also investigating a click-fraud campaign being carried out by the Dorkbot perpetrators to earn money.

“Investigation into the specifics of the click-fraud is still ongoing,” Boyd said. "However, the basic idea is that clicks are taking place behind the scenes – out of view [or] away from the computer user."

The number of machines infected by the separate campaigns is yet to be determined, Boyd added. He did say that the IM scam has probably affected more people.

Skype confirmed that it was aware of both campaigns, but a spokeswoman commented on the phishing ploys.

“We are aware of this and other phishing attempts,” said the spokeswoman. “We take phishing seriously at Skype and we attempt to inform our users of known phishing scams, to offer education on avoiding phishing and tips to identify genuine Skype emails.”

Skype's website warns that fraudulent emails often ask users to provide their password, payment details or other personal information. Account holders were directed to email [email protected] to report potential phishing attempts.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.