Anatomy of an Internet scam
3 October 2007
We talk a lot about Internet scams; here's a first-hand account of how they work. A clever little scam fell
into our laps tonight. It's the typical sort of trick that can fool anyone with
an Internet connection. In this case it used Skype, but it could have been an
email, a pop-up ad or pretty well anything any computer encounters while on the
net. So we decided to follow this one to see how it works. This was done on a fully
patched Windows XP computer running in Limited
User Mode with Mozilla Firefox as the web browser. This is our preferred
configuration for safe surfing. Despite this, the computer
was still fully backed up and we ran regular spyware and virus scans between
each step. We strongly recommend never clicking on any link, email or advert
you think might be suspicious.
You're sitting at your
computer when you notice a strange icon in the corner of your screen. It's Skype,
the Internet phone program, telling you there's a Skype Chat message for you.
The message comes from Security Center ® (Offline) Skype™ Chat and it
warns WINDOWS REQUIRES IMMEDIATE ATTENTION.
We should pause here to
point out that if you have Skype Chat enabled you will be getting messages popping
up like this on a regular basis. We've discussed this problem on our
July ABC Nightlife spot and we've added the solution to our IT
Queries website. You should set Skype to only accept messages from your
friends.
It's also important to
note here that this message looks official. Many people think that they are
too clever to be caught by these scams. What they overlook is that while many
scammers are dopes, some are very clever and this one will fool a lot of intelligent
people.
At the bottom of the message
is a link directing you to "a patch" that will fix the problem. Click
this and you are taken to a website called "Online Alert".
This website is allegedly
owned by a Sergei Machorin of Moscow. We can safely bet that Sergei, if he exists,
has no idea he's the owner of this site.
Rather than downloading
a patch, which would fix the problem, Online Alert starts a fake malware scan
of the computer's hard drive. After several minutes this will report your computer
is infected with the following files.
All of these are fake.
In fact, if you run the test on an Apple Mac you'll get exactly the same result. It'll
even claim the c: drive is infected.
Of course, they aren't
telling you this for nothing. At the bottom of the page there is a button to
"fix this problem", so we clicked it.
The fix takes us to a page
offering to download and install a cleaner program called Scan and Repair
2007 for a mere 19.95 USD. And here you are stuck.
If you choose just to
close the screen you'll find yourself locked in a loop where you can't get out
of the purchase screen until you kill the process or shut down Windows.
Naturally we didn't pay
the 19.95 and we just killed Firefox instead. Many people, though, would be worried
about shutting down their computer with this thing still open.
This is a pretty garden-variety
scam and it could be a lot worse. This site could easily have tried
to install something malicious. We tested this also on Internet Explorer and
Firefox in a Limited User profile and there is no evidence of this scam trying
to load spyware.
Overall it's a fairly primitive
little scam. The "online scan" is fairly simple. But to give credit
to the scammers, the Skype warning, the webpages and the online scan are all
quite convincing-looking mock-ups of a real thing.
Who falls for this? Lots of people. The fact
the warnings and websites look so convincing means that even experienced users
can be fooled into clicking on links or thinking their computer is infected.
There's an idea that only stupid people fall for these tricks. This is not the
case and even if it were, the numbers still make it attractive for the scammers.
The scammers receive a
commission on every copy of Scan and Repair 2007 they sell. Given they've
sent this warning out to millions of people they only need a tiny proportion
to buy the product to make a tidy sum. It's easy money for someone with the
right skills.
F-Prot's Mikko
Hypponen believes malware is the fastest growing sector of the IT industry.
We agree and while this isn't an example of true malware like a Trojan or virus,
it still shows the profits that can be made with just a modest bit of effort.
We've found over the years
that most people who fall for these scams are not stupid. The crooks who try
this stuff are no fools and anyone who thinks they are smarter than the crooks
is probably going to be caught out. All of us need to take care on the net.
We've asked Skype for
their comments and we'll post them on our Cranky
Tech blog when we get a reply.
Anatomy of an Internet scam
The trap
Following the link
Fixing the "spyware infection"
The Result
Who falls for this?
Why do they do this?
info@pcrescue.com.au
PC Rescue Pty Ltd, Suite 236, 4 Young Street Neutral Bay NSW 2089
ABN 36 082 635 765
©Technology Publishing Australia, 2008